The UK ICO's Age Appropriate Design Code (a.k.a. the Children's Code) applies to all Information Society Service (ISS) providers that are “likely to be accessed by children in the UK”. This means an ISS provider cannot assume that the Code does not apply to it just because it does not specifically direct or target its service at children, since it will still be caught where the service is likely to be used by a significant number of children under the age of 18.
Given that this concept has caused some confusion and runs in contrast to US COPPA legislation, the ICO has published draft guidance on what “likely to be accessed by children” means in practice. It includes a non-exhaustive list of factors, answers to frequently asked questions, and case study examples.
It is clear from the guidance that many services, including those often considered to be adult only, have the potential to be covered by the Code (online dating, pornography, and gaming sites to name just a few). Compliance will mean either: (i) following the 15 standards of the Code (and you can see our previous guidance on what you need to do here); or (ii) applying robust and effective age assurance measures to prevent access to children under the age of 18.
Keeping on top of data protection law developments can be hard at the best of times, and children’s personal data is undoubtedly an area of high priority for regulators right now, so it is important to make sure you have carried out an assessment and reviewed it against the new guidance. You can also have your say on the draft supporting guidance: the consultation remains open until 19 May 2023.