The UK DUA Act’s Reform Pillars: Divergence from the EU GDPR - Age Appropriate Design Code (The Children's Code)

Relevant DUA Act Provisions: Section 81 DUA Act: amendment to Article 25(1) UK GDPR to include “children’s higher protection matters”

The DUA Act introduces key reforms that reinforce the legal framework protecting children’s data online, particularly through amendments to the UK GDPR and the DPA 2018. While it does not directly elevate the ICO’s Age Appropriate Design Code (“Children’s Code”) to binding legislative status, it enhances the Code’s regulatory effect by embedding its core principles into primary legislation.

First, Section 81 of the DUA Act amends Article 25(1) UK GDPR (Data protection by design and by default) to require that, when designing and developing processing systems, controllers must have “particular regard to children’s higher protection matters” where their services are likely to be accessed by children. These matters are defined to include:

  • Age-appropriate presentation of privacy information;
  • Prominent default privacy settings;
  • Profiling limitations;
  • Geolocation off by default;
  • Prevention of nudge techniques that encourage data sharing.

These statutory elements reflect the substantive content of the ICO’s Children’s Code but are now expressly required by UK GDPR, even for services not expressly captured by the Children’s Code.

Second, although the DUA Act does not amend Section 123 DPA 2018, it reinforces the status of the Children’s Code by embedding its themes into primary data protection law and by strengthening the ICO’s regulatory basis to consider compliance with the Code in enforcement actions, particularly where breaches affect children’s data.

The reform embeds into Article 25(1) UK GDPR a duty to have particular regard to “children’s higher protection matters” when designing data processing systems likely to be accessed by children. These matters, defined in the DUA Act and aligned with the Children’s Code, include age-appropriate presentation of information, default privacy settings, restrictions on profiling, and minimisation of geolocation. This amendment preserves the general structure of Article 25 but makes it explicitly child-centric in UK law.

The reform expands the regulatory scope: online services with a general audience - such as gaming platforms, social networks, and e-commerce applications - must assess whether children under the age of 18 are likely to access the services. If so, they are expected to implement measures aligned with both the Children’s Code and amended Article 25(1) UK GDPR. The DUA Act does not define a numeric age threshold, but services must treat individuals under 18 as children for this purpose, subject to ICO scrutiny of the controller’s risk-based assessment.

Divergence


The DUA Act marks a clear divergence from the EU GDPR, which does not impose a statutory data-protection-by-design obligation specifically focused on children. While codes of conduct under Article 40 GDPR remain voluntary and sector-led, the UK now imposes a baseline, legally binding, child-specific design obligation across the digital economy. This introduces a two-tier compliance burden for international platforms, which must treat the UK’s obligation under Article 25(1) as a legal requirement even where equivalent EU obligations remain interpretive or guidance-based.

ICO commentary

The ICO commented on the reform in relation to the DUA Bill, stating that the amended requirement to consider “children’s higher protection matters” when designing online services likely to be accessed by children aims to strengthen accountability. It noted that:

“The new obligation to consider ‘children’s higher protection matters’ is specific to organisations falling within the scope of the AADC [Age Appropriate Design Code of Practice]” and requires controllers to take account of these matters…when assessing what are appropriate technical and organisational measures”.

Recommendations

  • Identify online services likely to be accessed by under-18s, even if not child-targeted.
  • For in-scope platforms, update DPIAs, design protocols, and engineering documentation to demonstrate how “children’s higher protection matters” are addressed.
  • Align product development and design with a child‑centric approach embedded in Article 25.
  • Monitor forthcoming ICO guidance on age estimation, profiling, and nudge techniques as they apply to children’s data.

This article is part of a twelve-part series analysing the key legal reforms introduced by the Data Use and Access Act (DUA Act), which came into force on 19 June 2025. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are:

1. Recognised Legitimate Interests (RLIs)
2. Purpose limitation 
3. Automated Decision-Making (ADM)
4. ADM in Law Enforcement and National Security
5. Data Subject Access Requests (DSARs)
6. Complaints handling
7. Age Appropriate Design Code (AADC or Children’s Code)
8. Scientific, historical and statistical purposes
9. International data transfers
10. Cookies and PECR Reform
11. Information Commissioner’s Office (ICO) Reform
12. Codified convergences with EU Law