An Age-Appropriate Design Code Checker that scores your online service against the 15 standards of the UK ICO’s statutory Children’s Code (the Age Appropriate Design Code, or AADC). The code applies to any service likely to be accessed by children under 18 in the UK — a deliberately wide net covering games, social apps, ed-tech and connected products. This tool helps product, legal and trust-and-safety teams turn that into a concrete self-assessment, with cross-references to US COPPA where a parallel obligation exists.
Who the code applies to
The threshold is “likely to be accessed by under-18s” — not “primarily aimed at children.” An adult fitness app used by some teenagers, a general-purpose recipe platform, or a social reading tool all clear that bar. The ICO’s view has consistently been that operators should err toward assuming child access rather than waiting for a complaint. If your service has any public registration path, it almost certainly qualifies.
How it works
The AADC sets 15 cumulative standards. The tool lists each as a pass/fail question and computes the share you currently meet:
score = standards met / 15
The standards are: best interests of the child, data protection impact assessments, age-appropriate application, transparency, detrimental use of data, policies and community standards, default settings (high privacy), data minimisation, data sharing, geolocation (off by default), parental controls, profiling (off by default), nudge techniques (none detrimental), connected toys and devices, and online tools to exercise rights. Several standards — high-privacy defaults, geolocation off, profiling off, and no detrimental nudges — are weighted heavily by regulators because they protect a child who never touches a single setting.
The five standards regulators inspect first
In practice the ICO’s enforcement focus has centred on a subset where the harm is most direct and the implementation is most measurable:
- High-privacy defaults — settings must default to the most protective option. A child who never adjusts anything should have maximum protection automatically.
- Geolocation off by default — location services must be switched off unless a child actively enables them, and even then the service should avoid precise tracking.
- Profiling off by default — behavioural or interest-based profiling of children must be off unless the service has a clear reason and the child has engaged.
- No detrimental nudge techniques — features designed to encourage more screen time, data sharing, or purchasing must not be used against a child’s best interests. This includes dark patterns in consent flows.
- Data minimisation — collect only what the child’s experience genuinely needs. “Just in case” data collection fails this standard.
COPPA cross-reference
Where your audience plausibly includes under-13s in the US, the tool flags COPPA, which adds a consent obligation the UK code does not impose: verifiable parental consent before collecting personal data. COPPA is narrower in age scope (under-13 vs under-18) but stricter in mechanism — you must obtain, document, and retain parental consent, not merely apply protective defaults. Services that operate in both markets need both frameworks satisfied.
Remediation order
Treat failing standards as a sequenced backlog rather than a flat list. Fix default-setting standards first — they protect every child who never changes a preference — then nudge and profiling standards, then data minimisation and sharing. Transparency standards are important but are less immediately protective, so they can follow once the defaults are clean.
A high score here is not a substitute for a DPIA: the ICO expects one for any service likely to be accessed by children, because children’s data is inherently high-risk. Pair this checker with a DPIA to build a complete evidence base. Everything is calculated locally — none of your answers are uploaded or stored.