Insights The ICO publishes final guidance on “likely to be accessed by children” factors to consider for UK Age-Appropriate Design Code


The Information Commissioner’s Office (“ICO”), the regulator responsible for monitoring compliance with the UK’s Age Appropriate Design Code (“AADC”) has issued its final guidance on online services that are “likely to be accessed by children“. The AADC is a statutory code of practice in the UK that came into effect on 2 September 2021 under which online service providers must assess whether children are likely to access their service (and comply with the AADC’s principles if so). The recently released guidance includes a non-exhaustive set of factors to aid in the assessment of this, including:

  1. Accessibility: can children access your service? Self-declaration alone is unlikely to be sufficient to rebut the assumption that children do not access your service.
  2. Number of Child Users: consider the number of child users and their proportion in relation to total users.
  3. Evidence Sources: gather age information, use age profiling tools, conduct research on user behaviour, and analyse existing evidence.
  4. Access Patterns: observe access patterns, such as peaks after school and during holidays.
  5. Child-Centric Content: identify content, design features, and activities appealing to children, like animations, gamification, and child-focused advertising.

The ICO guidance includes a number of hypothetical case studies, including two that specifically relate to games. One of these is as follows:

A game publisher’s terms of service restrict users aged under 18 from accessing the game. However, the game’s design features, including cartoon animations, are attractive to children. The game is widely played, and video clips of teenagers playing it are popular. The publisher has also received numerous complaints from parents which indicate children’s engagement with in-app purchases.

The ICO state that in this scenario, the publisher must take action to comply with the AADC, which could be done in one of the following ways:

  1. Enhance age assurance mechanisms during account entry;
  2. Shift high-risk processing behind an age-assured gate; or
  3. Apply the AADC principles to all users to ensure data protection compliance.

Online services which fall under the scope of the AADC should revisit their existing data protection practices and make reasonable and proportional changes where needed to protect children’s privacy – and ensure that they document this process and decisions made.