Back to Blog
LegalTech & IA

Kids' Data Under the UK-GDPR: The Age Appropriate Design Code Is No Joke

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
July 1, 2026
10 min read
Kids' Data Under the UK-GDPR: The Age Appropriate Design Code Is No Joke

Remember when you were a kid and your parents told you not to talk to strangers? Well, the UK's Information Commissioner's Office (ICO) just gave that advice a digital upgrade. The Age Appropriate Design Code (AADC), also known as the Children's Code, came into force under the UK-GDPR in 2021, and it's shaking up how online services handle children's data. If you think this is just another boring regulation, think again – it's more like a digital playground safety inspector with teeth.

What Is the Age Appropriate Design Code?

The AADC is a set of 15 standards that online services likely to be accessed by children under 18 must follow. It's not just about blocking porn or gambling; it covers everything from social media to gaming apps, smart toys, and even educational platforms. The code applies to any service that processes children's data, including those that don't specifically target kids but are still likely to attract them – think YouTube or TikTok.

Featured Snippet Bait: The Age Appropriate Design Code (AADC) requires online services to prioritize children's best interests by default, including high privacy settings, no nudge techniques, and transparent data use. Non-compliance can lead to fines up to £17.5 million or 4% of global turnover.

Why Should You Care?

If you run a website, app, or any digital service that might be used by kids in the UK, you need to comply. The ICO has already taken enforcement action against major platforms like TikTok and Instagram for failing to meet the code's standards. And it's not just about fines – reputational damage can be far worse. Imagine explaining to parents why your app collected their child's location data without clear consent.

The 15 Standards at a Glance

  • Best interests of the child: Your service should prioritize children's wellbeing over commercial interests.
  • Data protection impact assessments: You must assess risks to children's data before launching.
  • Age-appropriate application: Apply the code if your service is likely to be accessed by children.
  • Transparency: Use clear, age-appropriate language in privacy notices.
  • Detrimental use of data: Don't use children's data in ways that harm them.
  • Policies and community standards: Enforce rules that protect children.
  • Default settings: Set privacy to high by default (e.g., private accounts).
  • Data minimization: Collect only the minimum data needed.
  • Data sharing: Limit sharing of children's data with third parties.
  • Geolocation: Switch off geolocation by default.
  • Parental controls: Provide tools for parents to manage their child's data.
  • Profiling: Don't use children's data for profiling unless necessary.
  • Nudge techniques: Avoid using dark patterns to encourage kids to share more data.
  • Connected toys and devices: Ensure IoT devices comply.
  • Online tools: Provide accessible ways for children to exercise their rights.

Practical Steps for Compliance

First, conduct a Data Protection Impact Assessment (DPIA) specifically for children. Then, review your default settings – are they privacy-friendly? If you're using nudge techniques like 'Share your location to unlock this game', stop. Also, ensure your privacy policy is readable by a 12-year-old. Yes, that means no legalese. Finally, consider age verification – but be careful not to collect excessive data just to verify age.

For more details, check the official ICO guidance on the Children's Code.

FAQ

Does the AADC apply to my small business?

Yes, if your online service is likely to be accessed by children under 18 in the UK, regardless of your business size. Even a small blog with a comments section could be caught if it attracts kids.

What are the penalties for non-compliance?

The ICO can issue fines up to £17.5 million or 4% of your annual global turnover, whichever is higher. They can also order you to stop processing data.

How do I know if my service is 'likely to be accessed' by children?

Consider factors like the nature of your content (e.g., games, cartoons), design (bright colors, simple language), and marketing. If in doubt, assume children might access it and comply.

📋 AADC Compliance Checklist

  • Conduct a DPIA for children
  • Set high privacy defaults
  • Remove nudge techniques
  • Write a kid-friendly privacy policy
  • Limit geolocation tracking
  • Provide parental controls
  • Minimize data collection
NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.