Children and the GDPR—code of practice for online services
Children and the GDPR—code of practice for online services

The following Practice Compliance guidance note provides comprehensive and up to date legal information covering:

  • Children and the GDPR—code of practice for online services
  • Scope of the Code
  • Key standards
  • Best interests of the child
  • DPIAs
  • Age-appropriate application
  • Transparency
  • Detrimental use of data
  • Policies and community standards
  • Default settings
  • more

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

As explained further in Practice Note: Children and the GDPR, anyone wishing to process children’s personal data in the UK or EEA must comply with the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) regime as it applies under applicable national laws and derogations. The UK supervisory authority, the Information Commissioner’s Office (ICO), has made children’s data a regulatory priority.

The Data Protection Act 2018 (the DPA 2018) required the ICO to produce a statutory Code of Practice on age-appropriate design for providers of information society services (ISS) that process personal data and are likely to be accessed by children.

For guidance on the meaning