UK Children's Code
Age Appropriate Design Code (Children's Code) — UK DPA 2018 / UK GDPR
UK's enforceable "privacy-by-design for kids" regime. Applies to online services likely to be accessed by children under 18. Forces high-privacy defaults, limits on profiling/nudges, DPIA-style risk work, safety-by-design.
Jurisdiction
United Kingdom
UK
Enacted
Sep 2, 2020
Effective
Sep 2, 2021
Enforcement
Information Commissioner's Office (ICO)
Statutory code with binding effect under DPA 2018
What It Requires
Harms Addressed
Who Must Comply
This law applies to:
- • Information society services likely to be accessed by children under 18
- • Apps, sites, platforms, connected services
Who bears obligations:
Safety Provisions
- • Best interests of child must be primary consideration
- • High privacy settings by default
- • Data minimization + purpose limitation for children
- • DPIAs for child-accessible processing
- • Profiling restrictions: avoid unless justified; mitigate harms
- • Nudge techniques: cannot encourage unnecessary data sharing or weaken privacy
- • Geolocation and high-risk features off by default
- • Transparency in child-appropriate language
- • Parental controls with age-appropriate information
Compliance Timeline
Sep 2, 2020
Code comes into force, transition period begins
Sep 2, 2021
Full compliance required, enforcement begins
Enforcement
Enforced by
Information Commissioner's Office (ICO)
Penalties
£17.5M or 4% revenue (whichever higher)
Up to £17.5M or 4% global turnover (UK GDPR/DPA 2018 framework).
Quick Facts
- Binding
- Yes
- Mental Health Focus
- Yes
- Child Safety Focus
- Yes
- Algorithmic Scope
- Yes
Why It Matters
One of most enforceable "design code" models globally—hits recommender systems + engagement design. Template for US state AADCs.
Recent Developments
ICO "tech sector sweep" 2024-2025 examining compliance. Active enforcement on profiling and nudge design.
What You Need to Comply
You need: "kids mode" design—high-privacy defaults, limited profiling/nudges, child-appropriate disclosures, DPIA evidence. Recommender systems must be configured for child safety.
NOPE can helpCite This
APA
United Kingdom. (2020). Age Appropriate Design Code (Children's Code) — UK DPA 2018 / UK GDPR. Retrieved from https://nope.net/regs/uk-childrens-code
BibTeX
@misc{uk_childrens_code,
title = {Age Appropriate Design Code (Children's Code) — UK DPA 2018 / UK GDPR},
author = {United Kingdom},
year = {2020},
url = {https://nope.net/regs/uk-childrens-code}
} Related Regulations
UK OSA
One of the most comprehensive platform content moderation regimes globally. Creates specific duties around suicide, self-harm, and eating disorder content for children with 'highly effective' age assurance requirements.
Ofcom Children's Codes
Ofcom codes requiring user-to-user services and search services to protect children from harmful content including suicide, self-harm, and eating disorder content. Explicitly covers AI chatbots that enable content sharing between users. Requires detection technology, content moderation, and recommender system controls.
UK AI Approach
Sector-specific, principles-based approach using existing regulators. Five cross-sector principles guide regulatory application rather than horizontal AI legislation.
VT AADC
Vermont design code structured to be more litigation-resistant: focuses on data processing harms rather than content-based restrictions. AG rulemaking authority begins July 2025.
CA AB 489
Prohibits AI systems from using terms, letters, or phrases that falsely indicate or imply possession of a healthcare professional license.
FR SREN
France's 2024 "digital space" law strengthening national digital regulation and enforcement levers via ARCOM across platform safety and integrity issues.