Children's Online Safety

Digital | UK-wide | Reviewed by Civil Help editorial team: 23 February 2026 | Next review: 8 June 2027 | 6 min
Verified against 4 sources

The Online Safety Act 2023 and the ICO's Children's Code (Age Appropriate Design Code) create a comprehensive framework protecting children online in the UK. Platforms must assess risks to children, prevent access to harmful content, and apply age-appropriate settings by default. This guide explains your rights as a parent and the protections that should be in place.

Key points

  • The Online Safety Act 2023 places specific 'children's duties' on platforms likely to be accessed by under-18s.
  • The ICO's Children's Code requires online services to provide high privacy settings by default for users under 18.
  • Platforms must implement age assurance mechanisms to prevent children from accessing harmful adult content.
  • Parents can report platforms failing their children's safety duties to Ofcom.
  • Children have UK GDPR rights including the right to erasure of data collected when they were under 18.

The Online Safety Act 2023: Children's Duties

The Online Safety Act 2023 imposes specific duties on platforms that are "likely to be accessed by children" (under 18). These platforms must:

  • Complete a children's risk assessment to identify and evaluate risks to children, including harmful content, contact with adults, and conduct risks (cyberbullying, grooming).
  • Implement safe design measures to mitigate identified risks — for example, preventing algorithmic recommendation of harmful content to children.
  • Prevent children from accessing primary priority harmful content — including pornographic content and content that promotes eating disorders, self-harm, or suicide.
  • Apply age assurance — proportionate measures to verify or estimate a user's age to restrict access to harmful content.
  • Provide an accessible, effective complaints process for users, including children and parents.

The ICO's Children's Code

The ICO's Age Appropriate Design Code (Children's Code) applies to online services likely to be accessed by children in the UK. Services must:

  • Apply the highest privacy settings by default for child users — geolocation, direct messaging, and public profile settings should be off by default.
  • Not use nudge techniques to encourage children to share more personal data than necessary or to spend more time on the platform.
  • Not use children's data in ways that are detrimental to their wellbeing — for example, algorithmic personalisation that increases anxiety or exposure to harmful content.
  • Provide clear, transparent privacy information in plain language appropriate for the age group.
  • Not collect more personal data than is necessary for the service.

The ICO can investigate platforms that fail to comply and impose fines up to £17.5 million or 4% of global turnover.

Rights and Options for Parents

As a parent, you have several options if you are concerned about your child's online safety:

  • Use parental controls — most devices and internet service providers offer parental control tools to restrict access to certain types of content. The UK's major ISPs (BT, Virgin Media, Sky, TalkTalk) provide free parental control filters.
  • Report concerns to platforms via their reporting mechanisms — platforms must have accessible complaints processes under the OSA 2023.
  • Complain to Ofcom if a platform is not complying with its Online Safety Act duties — Ofcom can investigate and take enforcement action.
  • Exercise UK GDPR rights on behalf of your child — as a parent you can submit subject access requests (SARs) and erasure requests on behalf of children under 13 (or under 18 where the child lacks capacity to act for themselves).

Reporting Child Online Safety Harms

If your child has been harmed online:

  • Online grooming or sexual exploitation: Report to the police (999 if immediate danger, 101 otherwise) and to the Child Exploitation and Online Protection Command (CEOP) at ceop.police.uk.
  • Cyberbullying: Report to the platform and, if serious or persistent, to the school and police. The Diana Award's Anti-Bullying Pro programme and Childline (0800 1111) provide support.
  • Exposure to illegal content: Report child sexual abuse material (CSAM) to the Internet Watch Foundation at iwf.org.uk. Report other illegal content to the platform and, if serious, to the police.
  • Harmful algorithmic recommendations: Report to Ofcom if a platform's recommendation algorithm is exposing children to content that causes harm.

Age-Appropriate Design and the ICO Children's Code in Practice

The ICO's Children's Code — formally the Age Appropriate Design Code — is a statutory code of practice under Section 123 of the Data Protection Act 2018. It came into full effect in September 2021 and applies to any information society service (app, website, game, connected toy) likely to be accessed by children under 18 in the UK, regardless of where the service is based.

The 15 standards in practice: The Code sets out 15 standards covering data minimisation, default privacy settings, profiling restrictions, and transparency. In practice for parents, the most important are:

  • Default high privacy: Platforms should not require children to opt out of data sharing — privacy-protective settings should be the default, with children (or their parents) needing to actively opt in to sharing more data.
  • No profiling for advertising: The Code says children's data should not be used for targeted advertising by default. This is particularly significant for social media platforms that derive revenue from advertising.
  • Geolocation off by default: Location data is particularly sensitive for children. The Code requires location services to be switched off by default and requires platforms to provide clear information about when location data is being collected.
  • Nudge techniques prohibited: Platforms cannot use design features that nudge children into sharing more data, spending more time online, or making purchases — dark patterns that exploit children's developing decision-making.

What parents can do when the Code is breached: If you believe a platform is violating the Children's Code — for example, by enabling targeted advertising to your child without opt-in, or by making location-sharing the default — you can:

  1. Complain to the platform using their complaints process (required under the OSA 2023).
  2. Report to the ICO at ico.org.uk — the ICO can investigate and impose fines of up to £17.5 million or 4% of global turnover. The ICO has already taken enforcement action against TikTok for Children's Code violations and is actively monitoring major platforms.
  3. Report to the 5Rights Foundation (5rightsfoundation.com) which campaigns on children's digital rights and can direct you to specialist support.

Frequently asked questions

What age can a child consent to their own data being processed for online services?
Under UK GDPR as implemented in the DPA 2018, the age of digital consent in the UK is 13. Children under 13 cannot consent to their data being processed by information society services — their parent or guardian must give consent on their behalf. Between 13 and 18, children can consent but platforms must still apply the Children's Code protections.
My child signed up to a social media platform claiming to be 18. Do they still have protection?
Under the Online Safety Act 2023, platforms must implement proportionate age assurance — they cannot simply rely on self-declared ages. Platforms that are likely to be accessed by children must take reasonable steps to identify child users regardless of claimed age. Where a platform failed in this duty, Ofcom may be able to investigate.
Can I have my child's data erased from a platform they used when under 13?
Yes. If a platform collected your child's data when they were under 13 without valid consent, this processing was unlawful under UK GDPR. You can submit an erasure request (and a SAR first to understand what data is held) on your child's behalf. The platform should comply unless specific exemptions apply.
What should I do if my child has been groomed or exploited online?
Contact the police immediately — call 999 if there is an immediate threat, or 101 for non-urgent reports. Report to CEOP (ceop.police.uk) which is the dedicated unit for child online exploitation. Do not delete any evidence — messages, photos, or account details may be needed by police. Childline (0800 1111) and the NSPCC can provide emotional support for you and your child.
How can I tell if a platform is complying with the ICO Children's Code?
The ICO publishes its Children's Code enforcement decisions on its website. You can also check whether a platform has published a transparency report under OSA 2023 obligations. Practically, look at the default settings when your child creates an account: location, direct messaging, and public profile should all be off by default. If they are on by default, the platform is likely in breach of the Children's Code. Report this to the ICO at ico.org.uk.
My child is being targeted by a stranger online who claims to be their age. What do I do?
This is a potential grooming situation — act immediately. Do not confront the stranger or delete the messages. Take screenshots of all communications and contact CEOP (ceop.police.uk) and your local police (101 or 999 if you believe there is an immediate risk). Remove your child from the conversation without deleting the evidence. Childline (0800 1111) can provide support for both you and your child. Schools also have a safeguarding lead who can assist and log the concern.

What to do next

  1. CEOP — report a concern
     Report online grooming or child sexual exploitation to CEOP.

  2. Internet Watch Foundation
     Report child sexual abuse material found online.

  3. Childline
     Free, confidential support for children and young people up to 19.

  4. UK GDPR rights overview
     Understand data protection rights you can exercise on behalf of your child.

Official bodies and resources

Information Commissioner's Office

Regulator

The UK's independent authority for data protection and information rights, enforcing the UK GDPR and Data Protection Act 2018.

Office of Communications

Regulator

Regulates UK communications industries including telecoms, broadband, TV, radio, and postal services.

Home Office

Government

The lead government department for immigration and passports, drugs policy, crime, fire, counter-terrorism, and police.

Disclaimer

This information is for general guidance only and does not constitute legal advice. You should seek qualified legal help if your situation requires it.