Plain English guides to every piece of UK legislation protecting children online. Not legal advice — general legal information to help you understand your rights and obligations.
Max Penalty
£17.5m or 4% of global turnover
Governs how organisations process personal data, including children's data. Establishes the framework for the Children's Code (AADC). Requires high standard of protection for children's data, with age-appropriate privacy notices and legitimate interest assessments.
Key Points
Children cannot consent to data processing below age 13 in the UK
Data controllers must verify age where services are directed at children
Privacy notices must be written in language children can understand
Data Protection Impact Assessments (DPIAs) required for high-risk processing
Right to erasure ("right to be forgotten") applies to childhood data
Max Penalty
£17.5m or 4% of global turnover
Statutory code of practice containing 15 standards that online services likely to be accessed by children must follow. Covers everything from data minimisation to nudge techniques, requiring "best interests of the child" as a primary design consideration.
Key Points
15 standards covering the full lifecycle of children's data
Applies to any service "likely to be accessed by children"
Default settings must be privacy-protective ("high privacy by default")
Profiling of children is restricted unless there is a compelling reason
Nudge techniques must not be used to encourage data disclosure
Geolocation data must be off by default for children
Max Penalty
£18m or 10% of qualifying worldwide revenue
The UK's landmark internet safety legislation placing duties of care on platforms to protect users, with enhanced protections for children. Covers illegal content, content harmful to children, and transparency reporting. Implementation through Ofcom codes of practice.
Key Points
Platforms must prevent children encountering harmful content
Age verification/assurance required for services with harmful content
Ofcom given enforcement powers including fines and service blocking
Named categories of harm: self-harm, eating disorders, bullying, pornography, etc.
Platforms must publish transparency reports
Criminal offences for senior managers in cases of persistent non-compliance
Max Penalty
Ofsted enforcement action
Statutory guidance for schools and colleges on safeguarding children. The 2024-2025 updates include AI-specific provisions for the first time, expanded filtering and monitoring requirements, and updated guidance on sharing nudes/semi-nudes including AI-generated images.
Key Points
All staff must read Part 1 annually
DSLs must receive training on AI-specific safeguarding
School filtering must cover AI chatbot use
AI tools used in school must be risk-assessed
Policies must address AI-generated images and deepfakes
DfE Generative AI guidance referenced as supplementary
Scottish Government / Education Scotland
GIRFEC (Getting It Right for Every Child)
SHANARRI wellbeing indicators (Safe, Healthy, Achieving, Nurtured, Active, Respected, Responsible, Included)
Welsh Government
Social Services and Well-being (Wales) Act 2014
"More Than Just Words" Welsh language framework for child services
Department of Health NI
Children (Northern Ireland) Order 1995
SBNI (Safeguarding Board NI) procedures and guidance
Online Safety Act receives Royal Assent
Ofcom publishes first codes of practice under OSA
KCSIE 2024 comes into force (AI provisions)
Ofcom age verification requirements take effect
KCSIE 2025 comes into force (expanded AI guidance)
OSA Threshold Conditions Regulations reviewed
ICO Children's Code enforcement review
OSA full implementation review by Parliament
ICO fined TikTok for misusing data of 1.4 million UK children under 13 without parental consent. Platform had to improve age verification and reduce data retention.
£12.7m
ICO • 2023
YouTube fined for collecting children's data without parental consent, leading to creation of YouTube Kids and changes to comment and notification features for children's content.
$170m
FTC (US) • 2019
ICO investigation led Instagram to stop recommending children's accounts to adult users and disable direct messaging from unknown adults to under-18s.
Policy change
ICO • 2021
AUREN provides general legal information, not legal advice. For specific compliance questions, consult a qualified legal professional or contact the relevant regulator directly.
Guardian AI