UK DUA Act Reforms Strengthen Data Protection for Children

On June 19, 2025, the United Kingdom enacted the Data Use and Access Act (DUA Act), which introduces significant reforms aimed at enhancing the legal protections for children's data online. This legislation amends the UK General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018, notably by embedding principles from the Age Appropriate Design Code (Children's Code) into primary legislation.

The DUA Act’s Section 81 specifically amends Article 25(1) of the UK GDPR, which mandates that data controllers consider 'children’s higher protection matters' when designing and developing processing systems that are likely to be accessed by children. These matters include several essential provisions such as age-appropriate presentation of privacy information, prominent default privacy settings, restrictions on profiling, geolocation being off by default, and the prevention of nudge techniques that encourage data sharing.

According to Dr. Nathalie Moreno, a partner at Kennedys Law LLP and an expert in cyber risks and data privacy, "The DUA Act significantly elevates the accountability of organizations by requiring them to consider children's specific needs in data processing systems. This shifts the paradigm towards a more child-centric approach in the digital economy."

While the DUA Act does not elevate the ICO’s Age Appropriate Design Code to a binding status, its principles are effectively enshrined in law, thereby enhancing the regulatory framework surrounding children’s data protection. The amendment to Article 25(1) UK GDPR ensures that even platforms not specifically targeting children must assess their services regarding children's potential access. This includes online gaming, social media, and e-commerce applications, which now face heightened scrutiny and regulatory expectations.

Internationally, the DUA Act marks a significant divergence from the EU GDPR, which does not impose a specific statutory obligation concerning children's data protection by design. The UK’s approach is unique in mandating compliance tailored directly to the data protection needs of individuals under 18. According to the Information Commissioner’s Office (ICO), adopting these stringent measures is crucial for fostering a safer online environment for children.

The ICO has noted that this new obligation aims to enhance accountability among organizations that fall within the scope of the Age Appropriate Design Code. In a statement regarding the DUA Bill, the ICO emphasized that organizations must identify online services likely to be accessed by individuals under 18, even if they are not explicitly targeted at children.

Dr. Sarah Johnson, a Professor of Law at the University of Cambridge, commented on the potential implications of the DUA Act, stating, "This legislation sets a precedent for other jurisdictions to follow, emphasizing the necessity of prioritizing children's rights in the digital landscape. The divergence from the EU GDPR may create compliance challenges for international platforms, which must now navigate differing legal frameworks."

The DUA Act does not specify an age threshold; however, it enforces a general understanding that individuals under the age of 18 are considered children for the purposes of data protection. This broad definition necessitates that organizations perform thorough risk assessments concerning their data practices, particularly regarding how children's data is collected, processed, and shared.

As the regulatory environment evolves, platforms must undertake proactive measures to comply with the DUA Act. Recommendations include updating Data Protection Impact Assessments (DPIAs), ensuring that design protocols reflect child-centric considerations, and closely monitoring forthcoming guidance from the ICO regarding age estimation and profiling techniques that apply to children's data.

This legislation is part of a broader series of reforms aimed at enhancing data protection in the UK, reflecting growing concerns about the safety and privacy of children in the digital age. As the DUA Act takes effect, stakeholders across various sectors will need to adapt to these changes, ensuring that children's rights are protected in the ever-expanding digital ecosystem.

In summary, the DUA Act represents a significant step forward in safeguarding children's data rights in the UK. By embedding child-specific protections into the legal framework, the legislation not only reinforces existing standards but also sets a new benchmark for data protection practices globally, encouraging a more responsible approach to handling children’s personal information online.