UK Age Appropriate Design Code
The UK Children’s Code (officially known as the ‘Age Appropriate Design Code’) is the first-ever statutory code of practice for protecting children’s data. It has the potential to transform how companies collect, share, and use children’s data, requiring them to offer high levels of privacy protection by default.
Data drives much of the digital world, and how children’s data is handled impacts every aspect of their online experiences and their broader lives. The UK Children’s Code introduces significant changes to how children are protected and supported in the digital age. This is particularly timely as the COVID-19 pandemic has led to more children spending more time online, deepening their dependence on digital technology in many areas of their lives.
The Code is legally binding on all online services that are likely to be accessed by children and is enforced by the UK Information Commissioner’s Office. The requirements of the Code are proportionate to the risks associated with a service’s data processing. Services that pose lower risks will have fewer obligations, while those presenting higher risks will face stricter expectations. The Code came into force on 2 September 2020, with a 12-month transition period for companies to comply.
The Data Protection Act (DPA) 2018 updated UK data protection law and implemented the GDPR in the UK. An amendment to the DPA required specific protections for children, which became Section 123 of the Act. This section tasked the Information Commissioner with creating the Age Appropriate Design Code to ensure that online services’ use of children’s data is ‘age appropriate’. The Code draws on principles from both the DPA and GDPR, such as data minimisation, purpose limitation, and data protection by design and default. As a result, it places no additional burdens on services already fully compliant with GDPR, making it adaptable for other countries.
While the UK pioneered this work and first implemented the Code in 2021, governments worldwide are aligning with these principles. Countries such as California, Maryland, Ireland, the Netherlands, and Indonesia are actively adopting similar standards to safeguard children’s data and privacy.
5Rights, working closely with young people, published Demystifying the Age Appropriate Design Code, which explains in a child-friendly format how the Code gives children more protection and control over their data. For more on the 5Rights Foundation’s role in shaping the Code, read this article from the New York Times.