Governance, Risk and Compliance

United Kingdom Boosts Online Privacy Requirements

The Age Appropriate Design Code (the “code”), created by the UK Information Commissioner’s Office (the “ICO”), came into force on September 2, 2020, with a 12-month transition period for online services to conform to the code.

The code sets out the standards that online services must meet in order to protect children’s privacy. It applies to providers of information services likely to be accessed by children in the UK, including applications, programs, websites, social media platforms, messaging services, games, community environments and connected toys and devices, where these offerings involve the processing of personal data.

The final draft of the code was published by the ICO in January 2020 and lists 15 standards that organizations must meet, including requirements to (1) take into consideration the best interests of children, (2) refrain from using children’s personal data in ways that are detrimental to their wellbeing, and (3) ensure that settings default to “high privacy.”

The UK Information Commissioner, Elizabeth Denham CBE, commented in the code’s foreword:

“I believe companies will want to conform with the standards because they will want to demonstrate their commitment to always acting in the best interests of the child. Those companies that do not make the required changes risk regulatory action. What’s more, they risk being left behind by those organisations that are keen to conform. A generation from now, I believe we will look back and find it peculiar that online services weren’t always designed with children in mind.”


Blog courtesy of Hunton Andrews Kurth, a U.S.-based law firm with a Global Privacy and Cybersecurity practice that’s known throughout the world for its deep experience, breadth of knowledge and outstanding client service. Read the company’s privacy blog here.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.