Kids' Data Under the UK-GDPR: The Age Appropriate Design Code Is No Joke

Table of Contents
Remember when you were a kid and your parents told you not to talk to strangers? Well, the UK's Information Commissioner's Office (ICO) just gave that advice a digital upgrade. The Age Appropriate Design Code (AADC), also known as the Children's Code, came into force under the UK-GDPR in 2021, and it's shaking up how online services handle children's data. If you think this is just another boring regulation, think again – it's more like a digital playground safety inspector with teeth.
What Is the Age Appropriate Design Code?
The AADC is a set of 15 standards that online services likely to be accessed by children under 18 must follow. It's not just about blocking porn or gambling; it covers everything from social media to gaming apps, smart toys, and even educational platforms. The code applies to any service that processes children's data, including those that don't specifically target kids but are still likely to attract them – think YouTube or TikTok.
Featured Snippet Bait: The Age Appropriate Design Code (AADC) requires online services to prioritize children's best interests by default, including high privacy settings, no nudge techniques, and transparent data use. Non-compliance can lead to fines up to £17.5 million or 4% of global turnover.
Why Should You Care?
If you run a website, app, or any digital service that might be used by kids in the UK, you need to comply. The ICO has already taken enforcement action against major platforms like TikTok and Instagram for failing to meet the code's standards. And it's not just about fines – reputational damage can be far worse. Imagine explaining to parents why your app collected their child's location data without clear consent.
The 15 Standards at a Glance
- Best interests of the child: Your service should prioritize children's wellbeing over commercial interests.
- Data protection impact assessments: You must assess risks to children's data before launching.
- Age-appropriate application: Apply the code if your service is likely to be accessed by children.
- Transparency: Use clear, age-appropriate language in privacy notices.
- Detrimental use of data: Don't use children's data in ways that harm them.
- Policies and community standards: Enforce rules that protect children.
- Default settings: Set privacy to high by default (e.g., private accounts).
- Data minimization: Collect only the minimum data needed.
- Data sharing: Limit sharing of children's data with third parties.
- Geolocation: Switch off geolocation by default.
- Parental controls: Provide tools for parents to manage their child's data.
- Profiling: Don't use children's data for profiling unless necessary.
- Nudge techniques: Avoid using dark patterns to encourage kids to share more data.
- Connected toys and devices: Ensure IoT devices comply.
- Online tools: Provide accessible ways for children to exercise their rights.
Practical Steps for Compliance
First, conduct a Data Protection Impact Assessment (DPIA) specifically for children. Then, review your default settings – are they privacy-friendly? If you're using nudge techniques like 'Share your location to unlock this game', stop. Also, ensure your privacy policy is readable by a 12-year-old. Yes, that means no legalese. Finally, consider age verification – but be careful not to collect excessive data just to verify age.
For more details, check the official ICO guidance on the Children's Code.
FAQ
Does the AADC apply to my small business?
Yes, if your online service is likely to be accessed by children under 18 in the UK, regardless of your business size. Even a small blog with a comments section could be caught if it attracts kids.
What are the penalties for non-compliance?
The ICO can issue fines up to £17.5 million or 4% of your annual global turnover, whichever is higher. They can also order you to stop processing data.
How do I know if my service is 'likely to be accessed' by children?
Consider factors like the nature of your content (e.g., games, cartoons), design (bright colors, simple language), and marketing. If in doubt, assume children might access it and comply.
📋 AADC Compliance Checklist
- Conduct a DPIA for children
- Set high privacy defaults
- Remove nudge techniques
- Write a kid-friendly privacy policy
- Limit geolocation tracking
- Provide parental controls
- Minimize data collection

NakedPact Editorial Committee
Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.
Sources and Legal References

Do you own a website?
Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.
Recommended Readings

Smart Contracts and Blockchain: Can They Replace a Traditional Contract?

New Jersey's Independence Day Surprise: A Costly New Data Broker Law That's No Firework
Brazil’s ANPD Starts Monitoring App Stores and OS Compliance with Digital ECA: What You Need to Know
🛡️ Protect your rights with one click
Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.
Don't trust, verify.
Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.
Analyze Your Contract Now