Complying with the Children’s Code: here’s what you need to know

From age verification to writing easy-to-understand privacy notices – the code has strict guidelines to follow

By Nigel Jones

Co-Founder of The Privacy Compliance Hub

October 2022

Regulators across Europe are dishing out fines to companies that are breaching the GDPR when it comes to their misuse of children’s personal information. Meta has received a rap on the knuckles to the tune of an eye-watering €405 million and it looks like large fines from both the UK’s ICO and the Irish data protection authority are on their way to TikTok. More are expected – the UK’s Information Commissioner John Edwards says he is investigating another 50 businesses he believes aren’t taking their responsibilities around child privacy seriously enough. 

This heightened activity is worrying those who could do without a fine of up to 4% of their annual global turnover. If you’re wondering how you can make sure your organisation stays on the right side of the Children’s Code, read on. 

Does my business need to comply? 

The UK GDPR states: “children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data”. The Children’s Code translates the UK GDPR into 15 design guidelines that require online services to take the “best interests” of the child into account. 

If you work in technology, it’s very likely that the code applies. Most online services used by children, including apps, online games, streaming services, social media platforms, search engines, news websites, smart toys and other connected devices, have to comply with the code. Counselling services are excluded, as are websites which do not allow people to buy products online or access an online service.

Online services do not even have to be designed for or targeted at children to fall within the code’s purview. If the service is deemed “likely to be accessed by children” within the UK, then the code still applies. That’s the case even if the company itself is based abroad. 

What should I do next? 

A good first step is for organisations to review any existing services and conduct a data mapping exercise to determine whether and how they process children’s personal information. 

In practical terms, the code’s requirements fall into five categories:

1. Data protection impact assessments (DPIAs)

It is compulsory to conduct a DPIA at the start of the design process for any new online product or service that falls under the code. Our Hub contains an automated DPIA which ensures businesses have considered all the relevant aspects of the code. 

2. Age verification

Organisations must establish the age range their users fall into with a level of certainty that is appropriate to the risk posed by the processing of personal information. Measures can range from self declaration to requiring users to provide ID. Alternatively, organisations can remove the need to establish the ages of their users by protecting the personal information of everyone to the standards required by the code.

3. High privacy settings

Businesses should not collect more information than is necessary to provide their core service, allow children’s personal information to be visible to other users, or use ‘nudge’ techniques to encourage children to lower their privacy settings. They should also not share children’s personal information unless they have a compelling reason for doing so. 

Companies should switch all non-essential location tracking in relation to children off by default (including any features that display a child’s location to others), and switch options which use profiling off by default. Although the code does not regulate online content itself, it does make organisations responsible for content served to children based on their personal information.

4. Privacy notices

These must contain all of the usual information required by the UK GDPR, be prominent and in language that’s easy for a child user to understand.

5. Tools to help children exercise their data rights

These must be prominent, easily accessible, and easy to use, as should tools to help children report concerns while they’re using the service. 

Championing a culture of continuous privacy compliance

The Children’s Code does require organisations to add an extra level of care to how they operate. But those organisations that put privacy first will be far better placed to defend the measures they’re taking if and when the ICO comes knocking. 
