The Age Appropriate Design Code – what it is, who it applies to, and how to make sure you’re compliant.

Today, Thursday the 2nd of September sees the end of the 12-month grace period for adoption of the Age Appropriate Design Code.  

For online retailers, this means a hard line on standards they must follow to improve the protection of children’s privacy.

For parents, it means a welcomed shift of responsibility to websites and retailers themselves to change their practices in the best interest of protecting minors.

The code sets out 15 standards that online services should follow to protect children’s privacy and applies to any organisation offering services that are likely to be used by children. Consequently, businesses must take steps to meet these standards.

As the Code comes into force, we’ve put together a quick overview of what this might mean for your business.

What exactly is the Age Appropriate Design Code?

Made up of 15 standards, the Age Appropriate Design Code was designed to safeguard children’s personal data online. Whilst the focus is mainly on data, the Code does cover children’s best interest in general.

Whilst the Code itself is not a new law, it shapes and informs general data protection law.

Businesses must follow the Code’s standards so that they are not breaching data protection obligations. Penalties for failing to do so can be severe, in the most serious of cases reaching £17.5mn fines or 4% of global annual turnover (whichever is higher).

The 15 standards that make up the Code are designed to help businesses provide built-in protection for children when using their website or app.

The code puts children’s best interest at the heart of all considerations when designing and developing online services.

Does the code apply to me?

Officially, the Code applies to any ‘information society services which are likely to be accessed by children’.

This means any online product or service likely to be accessed by people under the age of 18.

Whether your online service is specifically aimed at children, for example a game for 10–14-year-olds, or whether it is aimed at other age groups but might still appeal to children, the Code applies to you.

Of course, if you actively restrict children from accessing your service there is relevance in the code too.

A common sense and risk-based approach is necessary to decide whether your business is impacted by the code, and if you decide it’s not, be sure to document the decision and reasoning with regular reviews.

How do I make sure I’m compliant?

There are a few things you can do to make sure you are meeting the standards of the Code.

For all the information and a full rundown of the code, visit the official Information Commissioner’s Office (ICO), but for now we’ve pulled together a few things you can do to get started.


A DPIA is a process that helps you identify and minimise the data protection risks of a project. To meet the standards of the Code, you must complete this process.

  • Deliver age-appropriate content

When designing or developing, the age range of the audience must be determined and accommodated to.

For example, if you are a video game company you must know the age range of your users and tailor your game to this age range.

This could be by providing clearer, child-friendly information or introducing age checks for restricted areas like shop purchases.

  • Protect children’s data

If data processing is essential to your service, for example if you must know the age of a user, you should be collecting the absolute minimum data needed from children and this data should be protected.

The Code highlights rules set out under the General Data Protection Regulation (GDPR) and the Committee of Advertising Practice.

To comply, you can make changes like adopting new age verification techniques that only use the data required, such as Age Verification with OneID.

Instead of sending photos or scans of passports that contain far more information that is needed, data APIs from a user’s bank can transfer only the information needed to the website, to make sure minimum data is shared.

  • Get to know the guidance on each age range

The Code expects services to be designed appropriately for different age ranges, and the first step in doing so is making sure you understand the needs of each of these ranges. The ICO have produced guidance on considerations for all ages.

  • Always make the best interests of children your primary consideration

The Code is a very comprehensive set of standards to guide businesses. But at the heart of all 15 standards included lies this message – always make the best interests of children your primary consideration. To avoid penalisation in accordance with the code, make sure your business is doing as much as it can to achieve this.

How OneID age verification can help

One of the best ways you can do this is to make sure that if you’re a business selling age-restricted goods or services (e.g.  tobacco, alcohol or kitchenware), your service is simply not accessible to children.

You can do this by utilising new Age Verification methods that are fully compliant with UK laws, such as OneID.

Simple, secure, and trusted, OneID Age Verification will let the right people access your services in seconds, whilst making sure children are protected from accessing age-restricted items.

So for businesses who are selling age-restricted goods and services that may appeal to those under 18, make sure you are meeting legal requirements by making sure only age-appropriate users can access your service.

For further information, you can view the Code on the ICO’s website.

To speak to one of our experts about how your company can improve the age verification of its customers, grab a slot for a free, no-obligation chat and demo grab a slot for a free, no-obligation chat and demo.

Recent posts

Identity Verification

How Sizzl balanced user safety and user experience with OneID®

By partnering with OneID® — the UK’s only bank-based identity and age verification service—Sizzl rolled ...

Press Release

OneID® & Equifax create new solution to streamline customer onboarding

New award-winning solution leverages Equifax and Open Banking to reduce onboarding times and increase ap...

Age Verification

The UK’s Online Safety Act: the what, the who and the how.

Discover how the Online Safety Act will reshape digital regulation in the UK, who it impacts, and how yo...

Webinars

Webinar Insights: How Can Digital ID Tackle Deepfakes and Fraud?

As fraud becomes more sophisticated with the rise of synthetic IDs, deepfakes, and AI-generated scams, b...