Signal / Other / 4 September 2026

Children's Code enforcement is the rising ICO priority for B2B vendors selling into education and consumer-adjacent markets

ICO published activity since 2023 has steadily emphasised the Children's Code (Age Appropriate Design Code). EdTech vendors, gaming and adjacent consumer-tech vendors, and any B2B vendor whose product reaches under-18s as users are seeing rising scrutiny. Sales teams selling into these segments should expect Children's Code questions in procurement.

What is happening

The Children's Code (Age Appropriate Design Code) is a statutory code of practice introduced under the Data Protection Act 2018, in force from September 2021. It sets standards for online services likely to be accessed by children. The ICO has progressively shifted from publication and education through 2021-2023 to active enforcement focus from 2023 onwards.

Published ICO activity since 2023 has emphasised the Code consistently: reviews of major online services for adherence; call-outs of non-compliance by named services; guidance refreshes to clarify edge cases; and enforcement signals from the Commissioner.

Vendor implications

Three implications for B2B vendors:

First, EdTech vendors selling into UK schools and trusts face direct procurement scrutiny on Children's Code adherence. The buying school is the data controller; the vendor is the processor; the school cannot complete a Data Protection Impact Assessment without vendor input. Vendors who pre-build Children's Code adherence evidence compress procurement materially.

Second, gaming, social, and consumer-tech vendors with B2B routes (white-label deployments, B2B2C arrangements, services where the corporate buyer's product is consumed by under-18s) face rising attention. Procurement scrutiny from corporate buyers extends to the Children's Code dimension where relevant.

Third, B2B vendors with consumer-adjacent reach (services accessible without age verification, services used by both adults and children) should reassess their Children's Code position even if they consider themselves primarily B2B. The Code applies to services likely to be accessed by children, not exclusively to services targeted at children.

What sales leaders should do

For sales leaders at potentially affected vendors, three actions:

Map the product's reach to children honestly. Is the service likely to be accessed by under-18s, even if not targeted at them? The honest answer for many B2B and B2B2C vendors is yes.

Engage the data-protection function on Children's Code adherence proactively. The Code's standards (15 in number) cover transparency, default settings, profiling, data minimisation, and other dimensions. Procurement scrutiny will test these.

Equip the buyer with adherence evidence in the procurement pack. The school, the consumer-services buyer, the B2B2C buyer all benefit from vendor-supplied evidence. Vendors who treat Children's Code as the buyer's problem face cycle delays at data-protection-officer review.

Source: ICO Children's Code (Age Appropriate Design Code). ICO published reviews. Editorial observation.