Certification scheme is designed for “Information Society Services (ISS) likely to be accessed by Children”


This certification scheme is designed for “Information Society Services (ISS) likely to be accessed by Children”. It is designed for data processors, controllers and joint controllers (Auditees) of any size that process Personal Data of Children. It covers apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet. It is not restricted to services specifically directed at children. Auditors may provide the scheme, as agreed by contract with the Auditee, for one or more data processing systems, including all algorithmic systems, artificial intelligence, or autonomous systems when Personal Data of Children is involved.

A few selected systems are out of scope for ForHumanity’s Children’s Code Certification Scheme because they are outside the scope of the Children’s Code (CC) itself, such as:

  1. Counselling or preventive services
  2. Online services dedicated to law enforcement purposes
  3. General Broadcast Services
  4. “Real world” business information with no additional services
  5. Voice telephony or Voice Over Internet Protocol
  6. Services that monitor or engage no UK users

Target of Evaluation

The Auditee determines the system(s) to which the Auditor will apply the scheme and memorialises this agreement via contract. The Target(s) of Evaluation (ToE) shall be defined within the contract between the Auditor and the organisation (Auditee). The Auditee will contract for any or all data controller/joint-controller/processor ToEs that are in scope, including, but not limited to, algorithmic systems, artificial intelligence or autonomous systems that include Personal Data.


The Auditor will audit the ToE to the breadth and scope determined by the contract with the Auditee. The Auditee bears the responsibility of ensuring that all necessary systems undergo an Audit. The contract must specify one of the following:

  1. For an individual system certification: the Auditee shall identify the ToE by name/identifier, specifically noting the boundaries of the systems. Associated systems or adjacent processing must be clearly delineated as “in scope” or “out of scope” by the contract and have defined beginnings and endings. In-scope functions can include Data Processors acting on behalf of a data controller.
  2. Multiple named systems, with the same criteria as #1 for each system or the sum of the combined systems, where the Auditee must delineate the “beginnings and ends”.


A firm can demonstrate compliance with the Children’s Code through an official or recognised Children’s Code Certification scheme. 


Certain audit criteria apply only to Data Controllers. As a result, an organisation that functions solely as a Data Processor will be unable to comply with audit criteria specified for Data Controllers. This will not prevent it from achieving certification. Data Processors will not need to comply with criteria that apply only to Data Controllers and are marked “Controller-only”. A Data Controller or Joint-Controller must be compliant with all criteria for certification.


Compliance with the Children’s Code, and thus a Children’s Code Certification Scheme, implies that the organisation is engaging in some form of data processing that includes the use of Children’s Personal Data or Special Category Data from Children. The ToE should be identified transparently and willingly by the organisation in order to achieve compliance with the Children’s Code.


This certification scheme is a modular enhancement to the UK GDPR Certification scheme. An organisation shall not receive Children’s Code certification without also having achieved a UK GDPR certification. This scheme as designed requires separate UK GDPR certification for foundational areas of compliance, such as the principle of Data Minimisation, which exists both in UK GDPR and the Children’s Code.

For this reason, this certification scheme focuses on assuring compliance with the interrelated laws and associated Codes that underpin children’s data control, processing and privacy. Compliance with this certification scheme alone, while neglecting UK GDPR compliance, would likely leave the entity exposed to compliance risk.

Territorial Scope

The territorial scope of this certification is unlimited, but it is intended to certify organisations processing the data of Children in the United Kingdom, and any service provided by a company that has “a branch, office or other ‘establishment’ in the UK”.