New child protection legislation comes into force in the UK

Breaching the code could see companies face similar fines to a GDPR breach

The Information Commissioner's Office (ICO) has launched a new data protection code in the UK, which aims to create 'a better internet for children'.

The Age Appropriate Design Code (aka the 'Children Code') is a sweeping set of regulations written into law as part of the 2018 Data Protection Act.

The code originally came into force on 2nd September last year, but the ICO delayed its implementation to allow a 12-month grace period for organisations to prepare for compliance.

From today, the ICO expects organisations to meet all standards of the code to protect children's data and privacy online.

"Children's rights must be respected and we expect organisations to prove that children's best interests are a primary concern," said Stephen Bonner, the ICO's executive director of regulatory futures and innovation.

"The code gives clarity on how organisations can use children's data in line with the law, and we want to see organisations committed to protecting children through the development of designs and services in accordance with the code."

The Children Code contains 15 standards that companies are expected to build into any digital services used by children - stretching from social media sites and apps to online games, connected toys, and even educational and news websites.

The code mandates companies must take the best interests of their child users into account, and design services that are age appropriate.

'If children are likely to access your service, even if they are not your target audience or user, then you need to consider the Children's Code,' the ICO says.

User profiling, location tracking and use of nudge techniques that encourage users to provide more data are among the features that companies must stop or limit.

Firms targeting children must also consider whether using their data keeps young people safe from commercial and sexual exploitation. Companies must provide a high level of privacy by default, and map the personal data they collect from children.

The code applies to both the UK-based firms and companies processing the personal data of children in the UK.

Much like GDPR breach, firms that fail to follow the code will face financial penalties up to £17.5 million, or four per cent of their annual worldwide turnover, whichever is higher.

Several companies claim to have made changes to their child privacy measures to meet the code in recent months.

Google has introduced several privacy changes for children who use YouTube and its search engine; for example, YouTube's autoplay option is now turned off by default for all users aged 13-17.

Video sharing platform TikTok is restricting the sharing options of younger users and has disabled notifications from the app after bedtime for users under 18.

Instagram now requires all users to provide their date of birth.

Facebook has said that users under 18 will now receive default sharing settings and will also get protection from accounts that are flagged as 'potentially suspicious' - accounts that have previously been blocked by a large number of young people on the site.