What UK Children's Code requires
Source: Age Appropriate Design Code (the Children's Code) — Information Commissioner's Office, prepared under section 123 of the Data Protection Act 2018 — accessed 2026-05-11.
Jurisdiction. Applies to relevant information society services which are likely to be accessed by children in the UK. Statutory basis: section 123 of the UK Data Protection Act 2018. In force since 2 September 2020 (with a 12-month transition period that ended 2 September 2021).
Personal data definition. The Code operates inside the UK GDPR framework, where personal data has the same meaning as Art. 4(1) of the GDPR. A child is anyone under the age of 18 for the purposes of the Code, although the threshold for being competent to give their own consent under UK GDPR is 13.
Key requirements relevant to mobile analytics. The Code is not a regulation on its own — it is a statutory code of practice. Failing to follow it is not directly an offence, but the Information Commissioner must consider it in any enforcement action under UK GDPR or the Data Protection Act 2018, and courts must take it into account where it is relevant. The Code sets out 15 standards including data minimisation, privacy by default, profiling (default-off for children), parental controls disclosure, and the requirement that all processing of children's personal data be in the best interests of the child.
Where mobile analytics typically creates exposure for telehealth apps
Two Code standards are directly relevant to mobile analytics: standard 8 (data minimisation) — collect only the minimum amount of personal data needed to deliver the elements of the service the child is actively and knowingly using; and standard 12 (profiling) — profiling should be off by default and only switched on where you can show a compelling reason and appropriate safeguards. A persistent advertising identifier shipped with every analytics event triggers both.
Telehealth apps routinely process appointment metadata, symptom descriptions, diagnosis codes, medication names, vitals (heart rate, blood pressure, glucose), and prescription details. Each of these is individually identifying when combined with a user identifier in an analytics event.
Health-related data is treated as a special category under most privacy regimes — GDPR Art. 9, CPRA sensitive personal information, and PHI under HIPAA. A single event like appointment_booked with parameters { specialty: 'oncology', user_id: '...' } is structurally health data tied to an identifier.
What Respectlytics's design does (technical facts)
Respectlytics's API stores exactly five fields per event: event_name, session_id (rotates every two hours, RAM-only), timestamp, platform, and country. Health-category fields are rejected at the API with a 400. A telehealth app can use Respectlytics to track product signals (appointment_booked_paid, prescription_renewal_attempted) at the session level — the actual clinical content stays in the EHR or telehealth platform where it belongs.
Reduces the surface. Removing the surface where the categories covered by UK Children's Code could be collected in the first place narrows what a UK Children's Code review needs to scope. Whether the resulting posture meets the regulation's requirements for your specific app is something to discuss with your legal team.
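A sketch of the strict five-field allowlist described above, with a helper for the SDK inventory mentioned in the FAQ below. This is an added example, not Respectlytics code: the function names, the snake_case rule for event_name, the 202 success status and the sample events are assumptions; only the five field names and the 400 rejection come from the page.

```javascript
// Added illustration, not Respectlytics code. Only the five field names and
// the 400 rejection come from the page; everything else here is assumed.
const ALLOWED_FIELDS = new Set(["event_name", "session_id", "timestamp", "platform", "country"]);
// Assumed rule: event_name is short snake_case, so free text (symptoms,
// medication names) cannot ride along in the one free-form field.
const EVENT_NAME_RE = /^[a-z][a-z0-9_]{0,63}$/;

function validateEvent(payload) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return { status: 400, errors: ["body must be a JSON object"] };
  }
  const errors = [];
  for (const key of Object.keys(payload)) {
    // Unknown keys are rejected, not silently dropped, so leaks surface in testing.
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
    // Strings only: a nested object would reopen the door to arbitrary data.
    else if (typeof payload[key] !== "string") errors.push(`${key} must be a string`);
  }
  for (const key of ALLOWED_FIELDS) {
    if (!(key in payload)) errors.push(`missing field: ${key}`);
  }
  if (typeof payload.event_name === "string" && !EVENT_NAME_RE.test(payload.event_name)) {
    errors.push("event_name must be snake_case");
  }
  return errors.length ? { status: 400, errors } : { status: 202, errors: [] };
}

// Inventory helper: count every non-allowlisted key seen in a captured batch.
function auditBatch(events) {
  const counts = {};
  for (const ev of events) {
    for (const key of Object.keys(ev)) {
      if (!ALLOWED_FIELDS.has(key)) counts[key] = (counts[key] || 0) + 1;
    }
  }
  return counts;
}

// Constructed sample events (not real traffic).
const BASE = { session_id: "s-7f3a", timestamp: "2026-01-05T09:30:00Z", platform: "ios", country: "GB" };
const SAMPLE_EVENTS = [
  { ...BASE, event_name: "appointment_booked_paid" },
  { ...BASE, event_name: "appointment_booked", specialty: "oncology", user_id: "u-123" },
  { ...BASE, event_name: "screen_view", advertising_id: "constructed-ad-id" },
  { ...BASE, event_name: "Chest pain since Tuesday" },
];
```

Running `auditBatch` over events captured from an existing SDK gives the list of extra fields to bring to the inventory exercise.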
Frequently asked questions
Does the Children's Code apply if our app is not designed for children?
It applies to services likely to be accessed by children — a wider test than 'designed for children'. The ICO has published guidance on the likely-to-be-accessed test; assessing how it applies to your service is a fact-specific exercise for your legal team.
What happens if we don't follow a Code standard?
There is no separate offence for failing to follow the Code, but the Information Commissioner must take it into account when exercising enforcement powers under the UK GDPR and DPA 2018, and courts must take it into account where relevant.
Does using Respectlytics by itself resolve UK Children's Code obligations for our telehealth app?
No — and no analytics SDK can credibly answer that question. Whether your product meets UK Children's Code's requirements is a property of your whole product, contracts, and operational practice, evaluated by your legal team. Respectlytics's contribution is a smaller data surface: identifying fields and the regulation's special categories are rejected at the API. Whether that posture, combined with your other controls, satisfies UK Children's Code for your specific app is a conversation for your counsel.
What if we already use a different analytics SDK today?
The starting point is an inventory of what your current SDK actually collects and where it sends it. Our privacy self-assessment worksheet walks through that in seven sections — it outputs an educational summary you can bring to your legal team.