A long time ago in a galaxy far away …….. (22 January 2020) the Information Commissioner’s Office [‘ICO’] introduced the Children’s Code.

If you are a provider of ‘Information Society Services’ likely to be accessed by children -defined as under 18 and you are not aware of it then you need to get up to speed.

The Code applies to apps, social media platforms, online messaging, online marketplaces, content streaming services and any websites offering goods or services to children over the internet.

The Code recognises that the digital economy can provide benefits to children but is often not a “safe space” for them. The Code looks to change that – not by seeking to protect children from the digital world, but by protecting them within it.

The Code is already in force but, like the GDPR, it has a 12-month transition period for providers to make the necessary changes.

Affected providers need to be ‘Code Ready’ by 2 September 2021.

Before there was a Code there was a law…

Providers are already obliged to comply with the GDPR and Data Protection Act 2018 and PECR 2003 when processing [collecting, storing, using, sharing, erasing etc.] the personal data of children -any information that relates to them.

It is not enough to comply with the GDPR – an organisation has to be able to demonstrate that it is compliant.   It’s called ‘accountability’. The Information Commissioner’s Office [‘ICO’] has made it clear that if a provider does not follow the code then they may find it difficult to prove that they comply (are ‘accountable’) with the GDPR.

Failure to comply may lead to complaints from children or their parents, potential ICO investigations, claims for compensation, bad publicity, time dealing with issues and, worst-case scenario, fines.

Providers can avoid all of that by being proactive and taking steps to be Code Ready now.

The starting point for any Provider processing personal data is that they must comply with the data protection principles. Simplified these are:

(a)   they must process children’s personal data lawfully, fairly and in a transparent manner.

(b)   a child’s data should only be collected for specified, explicit and legitimate purposes…

(c)    any processing of personal data should be adequate, relevant, and limited to what is necessary

(d)   personal data should be accurate and, where necessary, kept up to date

(e)   it should be kept in a form that identifies the child for no longer than is necessary and,

(f)     it should be processed in a manner that ensures appropriate security of the child’s data….

As stated above a Provider must be able to demonstrate that they comply with the 6 principles above.

Not sure about the principles or how to prove you comply? Contact us -but following the Code will help.


Don’t forget children may have the following rights:

1)     to be informed about how their data is used

2)     to access a copy of it

3)     to rectify inaccurate information

4)     to erase it

5)     to restrict what is done with it

6)     to have others who have received their data notified about any rectification, erasure, or restriction of it

7)     to have it ported to another provider

8)     to object to how it is used and to direct marketing

9)     to object to automated decision making and,

10)  to be notified of certain types of personal data breaches.

What does a Provider need to do?

The code puts forward 15 standards.

Not all will apply to every provider.  They are summarised below:

  1. What is best for the child should be a primary consideration when providers design and develop online services.
  2. Providers should do a Data Protection Impact Assessment (‘DPIA’) to inform them as to what they should do to do away/ reduce risks of harm to children who are likely to access the services.

If you do not know how to do one of these contact us.

  1. Providers should take a risk-based approach to recognising the age of child users and ensure they effectively apply the standards in the code to those users.
  2. Privacy information and other published terms, policies, and community standards, must be concise, prominent, and in clear language suited to the age of the child. Providers should provide additional specific ‘bite-sized’ explanations about how they use personal data at the point data is collected.

For help with this contact us.

  1. Provider’s must not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or Government advice.
  2. Providers must uphold their own published terms, policies, and community standards.

Need terms, policies, notices? Contact us.

  1. Settings must be ‘high privacy’ by default.
  2. Providers must collect and retain only the minimum amount of personal data needed to provide the parts of the service in which a child is actively and knowingly engaged. Children should be given separate choices over which parts they wish to activate.
  3. Providers must not disclose children’s data unless they can demonstrate a compelling reason to do so.
  4. Providers must switch geolocation options off by default (unless they can demonstrate a compelling reason it to be on by default, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others should default back to ‘off’ at the end of each session.
  5.  If a provider provides parental controls then they should give the child age-appropriate information about this. If a parent or carer can monitor their child’s online activity or track their location, then there should be an obvious sign to the child that they are being monitored.
  6. Providers should switch options which use profiling ‘off’ by default (unless they can demonstrate a compelling reason for it to be on by default, taking account of the best interests of the child). Providers should only allow profiling if they have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
  7. Providers should not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections.
  8. Where providers supply a connected toy or device, they should ensure they include effective tools to enable conformance to the code.
  9. Providers should provide prominent and accessible tools to help children exercise their data protection rights [see above] and report concerns.


Providers need to review their offerings now to ensure they do the right thing and are ‘Code Ready’ by 2 September 2021.  Failure to do will make it more difficult to prove that a provider is compliant with the GDPR. DPA/OK can advise Providers on what their legal obligations are.