Data protection and the Age-Appropriate Design Code

Written by Adindu Nwichi, Data Protection Officer

20/08/2021

What is the Age-Appropriate Design Code?

A 2019 report by Ofcom shows that 50% of ten-year-olds own mobile phones, while viewing of video-on-demand (with YouTube as the firm favourite) has doubled in the last five years among children. Platforms like TikTok are rapidly growing in popularity. Sadly, more and more children are being exposed to hateful, violent and disturbing content on these platforms.

The Age-Appropriate Design Code is a code of practice drafted by the ICO (the regulatory authority for data protection in the UK) as a solution to this modern problem. According to the Data Protection Act 2018, age-appropriate design means, “the design of services so they are appropriate for use by, and meet the development needs of children”. If the Data Protection Act 2018 sounds familiar to you, it’s because it’s also the legislation that implemented GDPR in the UK.

The Code was designed to ensure that organisations that provide services likely to be accessed by children take children’s best interests into consideration. The remit is as wide as possible, and includes developing apps, programs, social media platforms, streaming services, search engines, online games, and news and educational websites.


What does my business need to do?

The Code is not a new law. However, it sets out 15 standards of age-appropriate design which complement data protection laws in the UK. Embedding these standards in the design process will help organisations demonstrate compliance with the UK GDPR, PECR and the DPA 2018. Don’t forget that the GDPR mandates extra protection measures for children’s personal data.

When your organisation develops a new product or service, it is important to bear in mind the age ranges and developmental stages provided by the Code. If, for instance, software being developed is likely to be used by children between the ages of 6 and 9 years, a data protection impact assessment (DPIA) of the potential risks to those individuals should be conducted. That said, a DPIA is strongly recommended for any new product or service.

In keeping with Article 25 of the GDPR (data protection by design and by default), appropriate privacy controls should be used when designing the default privacy settings. That way, if a child does not change the settings, the personal data collected cannot be accessed by other users of the service or by other organisations. Furthermore, the default settings should have profiling and geolocation of the child user switched off, unless there is a very compelling reason not to.


How is the Age-Appropriate Design Code enforced?

Though the code officially came into force in September 2020, organisations were given a 12-month transition period to prepare. This means that from 2 September 2021, organisations to which the code applies are expected to conform to the standards it sets. The Information Commissioner’s Office (ICO) is responsible for enforcing data protection legislation, and children’s data is given special attention: in the event of an abuse of their data, the ICO is under a legal duty to take the provisions of the code into account when enforcing the applicable laws. The disciplinary tools available to the ICO include enforcement notices and penalty notices. Penalty notices can go as high as £17.5 million or 4% of an organisation’s annual worldwide turnover.
