The ICO Children’s Code is a statutory code of practice under UK data protection law that online services which are likely to be accessed by children, should follow to protect them, their data and their privacy online. It gives practical guidance to companies on how to design their apps, games and websites in a way that is safe, open and easy for children to understand.
The code also emphasises transparency. This means services must clearly explain in child-friendly way what data they are collecting and how they are using it. It sets out 15 design standards covering areas such as privacy settings, data sharing, profiling and the ways children are encouraged to use services. The code applies to a wide range of online platforms, including apps, games, connected toys and devices and news or media services and sometimes children are not even the target audience for this service.
Organisations based inside or outside the UK must comply if they process the personal data of UK children. To do this services may need to map what children’s data they collect, check users’ ages, provide high privacy settings by default and avoid techniques that encourage children to give more data than necessary. This aims to not exclude children from the digital world but by requiring services to build protections, it ensures children are safe and protected when using it.
<aside>
Their Best Interests
Always put the child’s wellbeing first when designing online services for them.
Data Protection Impact Assessment
Assess how your service might affect children’s privacy and safety, considering different ages and abilities, and make sure your service meets this code.
Age Appropriate Application
Know the age of your users and apply the code’s standards to protect children. If you can’t be sure, treat all users as if they could be children.
Transparency
Explain how you use personal data in simple, clear language suitable for children
Avoid Harm
Don’t use children’s data in ways that could hurt them or break rules, laws or government guidance.
Policies & Community Standards
Stick to your published policies, rules and community standards, including privacy and behaviour rules.
Default Settings
Settings should be private and safe by default, unless there’s a very good reason to do otherwise.
Data Minimisation
Only gather the personal data necessary for the parts of your service the child is using and let them choose what to share
Data Sharing
Don’t share children’s data unless there’s a strong reason that benefits the child
Geolocation
Location tracking should be off by default. If it’s on, show clearly that it’s active, and reset to off at the end of each session.
Parental Controls
Explain parental controls in a way children can understand. If parents can monitor a child, show the child clearly when this is happening.
Profiling
Turn profiling off by default
Nudge Techniques
Don’t pressure or trick children into sharing more data or lowering their privacy settings.
Connected Toys & Devices
Make sure toys and smart devices have tools to follow these rules. If you provide a connected toy or device ensure you include effective tools to enable conformance to this code.
Online Tools
Give children obvious and accessible ways to manage their data, exercise privacy rights, and report concerns.
Age appropriate design: a code of practice for online services
</aside>
The ICO rules are important because they protect children’s privacy and safety online. Children are vulnerable and may not understand how their data is used so these rules make sure services are designed with their best interests in mind. Following the rules isn’t just a legal requirement, it is also ethical. It shows respect for children, builds trust and helps create a safer online world where they can explore and learn without being exploited.