
Age-appropriate design code

We are thrilled that the Information Commissioner’s Office (ICO) has published its final Age Appropriate Design Code. What does this mean for you and the safety of children online? This ground-breaking piece of regulation is the result of lengthy consultation between the ICO and key stakeholders including our DigiSafe team at LGfL, and heralds a momentous step towards safeguarding young people’s experience in the digital world.

Aimed at online services that are likely to be accessed by children – e.g. social media platforms, content streaming services, online games, apps, devices, search engines and other websites – it places the responsibility on industry to prevent children’s data being exploited in ways that undermine their safety and wellbeing. The term ‘likely’ in bold above is very significant because this means the code isn’t just aimed at providers which would admit that their services are ‘designed for’ or ‘aimed at’ children, so the scope is much wider!

What does the code say?

The Age Appropriate Design Code outlines a set of 15 robust standards that these online service providers should meet. You can read the standards here, but in summary:

  • the child’s best interests should be of primary consideration when planning or designing online services
  • settings must be “high privacy” by default
  • geolocation settings that allow a child’s location to be shared should be switched off by default
  • ‘nudge’ behaviour encouraging children to reduce or switch off their privacy settings should not be deployed
  • services should provide an obvious sign to the child when they are being monitored by parental controls
  • options which use profiling should be switched ‘off’ by default 
  • personal data collection from children should be kept to a minimum and only where there is a compelling reason
  • there is detailed guidance on the approach to be taken for users of different ages.

Regulation and enforcement:

It is encouraging that the Code defines children as under the age of 18 – this is higher than existing UK data protection law, where there is only an age limit of 13 for children to legally give consent to being tracked online. Additionally, the regulator has powers to take action for any breach of the Code – Baroness Kidron, who introduced the Code into UK legislation, said:

“An online service must say what they do, do what they say or be held accountable – in this case they face fines of up to 4 percent of their turnover, which could mean billions for the largest tech companies. If you say you don’t host violent, harmful or suicide promoting material, then you must not, or face enforcement action.”

What next?

Share these developments with your staff and parents, but remind them that whilst the Code provides greater confidence that their children can safely learn, explore and play online, it can never replace parental supervision, communication, education and guidance.

Why not attend our Online Safety Training featuring CEOP ThinkUKnow to promote online safety as part of your whole school approach – free for LGfL schools – and take a look at our age-appropriate resources, suitable for teachers, senior leaders, parents and carers at

