The "Age Appropriate Design Code" has 15 general principles of design that these companies will need to meet in order to protect children. The general gist is that it will no longer be viable to simply turn a blind eye to children on these services, selling ads off the back of their personal data. Instead, the general obligation will be to protect the privacy of these children at the expense of making a quick buck.
These principles include rules on setting privacy protections to the highest possible default and ensuring geolocation is off by default. If you want to make a GPS-enabled device, you'll need to demonstrate that there's sufficient reason to use location services, and get consent. The rules also prohibit the use of nudge techniques -- making a Yes button bright and green while the No button is hidden in grey below -- to force consent in these cases.
In addition, providers will need to act proactively to hunt down content that could lead to sexual abuse, exploitation and self-harm. Or, at least, to maintain an adequate system of reporting and identification -- and tell users about it -- to ensure that such content isn't rife on the platform. Failure to do so, and to uphold their own stated acceptable use policies, will be treated as a breach of the GDPR.
And in order to ensure that these companies, which lobbied hard against the rules, toe the line, there are hefty penalties for failure. Regulators, when empowered by law, say that they'll take a common-sense approach to upholding the rules. And when they find failures, they can dish out fines of up to $22.1 million, or 4 percent of turnover, whichever is higher.