Setting the scene
There has been a great deal of recent activity concerning children’s personal data and online safety. Following an unsuccessful attempt in the House of Lords to introduce an outright ban on children’s access to social media, the government has launched a national consultation on how best to keep children safe online. The consultation considers whether an age limit on children’s use of social media is appropriate and, if so, what that age should be. It forms part of a broader policy debate on children’s digital rights and protections, and is available here: Growing up in the online world: a national consultation - GOV.UK.
Alongside this, the Children’s Wellbeing and Schools Act 2026 has now received Royal Assent. One of the most significant late additions to the Act is the introduction of new ministerial powers to regulate how online platforms operate in relation to children. These powers include the ability to restrict access to certain services for under‑16s, limit harmful or addictive features, and impose more robust age‑assurance requirements.
Data protection by design and by default: what the ICO now expects with children’s personal data
The Information Commissioner’s Office (ICO) has recently refreshed its guidance (see link Data protection by design and by default | ICO) on data protection by design and by default, sending a clear signal that privacy should not be treated as a bolt-on compliance exercise. For those organisations processing children’s personal data, the regulatory bar is being raised, with the expectation that data protection is embedded into systems, products and services from the outset.
At its core, data protection by design and by default requires organisations to take a proactive, lifecycle-wide approach to privacy. This means identifying risks early, limiting data collection to what is strictly necessary, and ensuring appropriate safeguards are built into both technical design and organisational decision-making. The updated ICO guidance reinforces that these are not theoretical principles but practical obligations that regulators expect to see evidenced in real-world operations.
These expectations are closely aligned with the ICO’s Age Appropriate Design Code (the Children’s Code), a statutory code of practice under the Data Protection Act 2018. The Code sets out 15 standards which operationalise UK GDPR requirements in the context of children’s data, including high privacy settings by default, limits on profiling and geolocation, and age-appropriate transparency. While the Code does not create new freestanding obligations, it is the primary means by which the ICO assesses whether organisations have complied with UK GDPR principles in practice.
The Data Use and Access Act (DUAA) impact
This regulatory update is underpinned by legislative reform. Section 81 of the DUAA strengthens this principle by amending Article 25 of the UK GDPR. It places greater emphasis on prioritising children’s interests when designing and operating data‑driven services by mandating that controllers pay “particular regard to children’s higher protection matters”, focusing on high-default privacy settings. In practice, these “children’s higher protection matters” reflect the core principles of the Children’s Code, effectively elevating those design standards from regulatory guidance to a benchmark for compliance with Article 25.
EDPB and age assurance
The EU has also engaged with age assurance, which has become a key part of this conversation. Recent statements from the European Data Protection Board (EDPB) (see link here edpb_statement_20250211ageassurance_v1-2_en.pdf) underline a broader European regulatory trend: age assurance can support child wellbeing where it is necessary, proportionate and risk-based. Crucially, the EDPB has rejected a one-size-fits-all solution, instead emphasising the need for a contextual, case-by-case assessment depending on the nature of the service and the level of confidence required around users’ ages.
Alignment, and tension, with the EU approach
While the UK is not bound by EU data protection reforms, EU developments remain highly relevant for businesses operating cross-border. Proposed changes under the EU’s digital reform package, including a narrow reinterpretation of when pseudonymised data may fall outside the definition of personal data, signal a more nuanced and technical regulatory debate across Europe. Although the UK has not adopted these changes, divergence between the UK and EU regimes increases complexity for multinational organisations seeking consistent compliance strategies.
The Children’s Wellbeing and Schools Act (CWSA)
The CWSA received Royal Assent on 29 April 2026. The CWSA amends the UK GDPR to confer new regulation‑making powers on the Secretary of State in relation to the age of digital consent under Article 8 UK GDPR.
Article 8 currently provides that the processing of a child’s personal data is lawful where the child is at least 16 years old. Where a child is under the age of 16, processing is lawful only to the extent that consent is given or authorised by the holder of parental responsibility. Under the CWSA, the Secretary of State may, by regulations: (i) amend the age of digital consent under Article 8 UK GDPR (currently set at 13) to an age no lower than 13 and no higher than 16; and (ii) prescribe different ages of consent for specific services or categories of services, provided that those ages also fall within the 13 to 16 range. This flexibility demonstrates that data protection regulation is not intended to operate on a one‑size‑fits‑all basis and reflects the particular importance of ensuring appropriate and proportionate protections for children’s personal data.
Enforcement risk
The ICO has made clear that failures in this area will attract enforcement action. The £12.7m fine issued against TikTok in 2023 for unlawful processing of children’s data remains one of the most visible examples of the financial and reputational consequences of weak design choices; see TikTok monetary penalty notice. More recent enforcement action, such as the £14.47m fine issued to Reddit in March 2026, underlines the ICO’s readiness to act in this space. Good intentions are not enough: despite introducing age assurance measures, Reddit relied on self-declaration, which the ICO found could be easily bypassed. The judgement can be read here: Reddit issued with £14.47m fine for children’s privacy failures | ICO.
What should businesses be doing now?
For many organisations, meeting the by design and by default standard will require more than updating privacy policies. It may involve, at the outset, revisiting product architecture, rethinking the age assurance model, carrying out robust DPIAs, and aligning commercial objectives with regulatory risk. There is further practical guidance published by the ICO, which can be found here: Data protection by design and by default | ICO. The enforcement risk is real, with penalties for businesses being the lower of £8.7m or 2% of the business’ total annual worldwide turnover of the preceding financial year, and where the same conduct also infringes core principles or data subject rights, the higher maximum of £17.5m or 4% of global turnover may apply. Embedding privacy by design and by default from the outset is not just best practice, but a critical step in mitigating enforcement and reputational risk.