It wasn’t so long ago that the internet was likened to the Wild Wild West. For minors, not much has changed: from cases of cyberbullying to the spread of pornographic content and a general lack of moderation of harmful content, there’s a global need to protect children in online spaces.
Regulators are rising up to this need, giving deserved attention to underage users’ privacy rights in global and local regulatory frameworks. As a result of this, businesses that collect and process data on underage users are made to comply with a slew of requirements, including age-verification laws.
These legal requirements could be privacy laws of countries/regions where these minors are located (where data privacy laws have an extra-territorial effect), or where the business operates. These laws may also vary based on the business itself; certain businesses are saddled with compliance requirements based on their revenue, size, and product/service offerings.
Keeping track of (and complying with) these many requirements can be demanding. In this post, we break down the patchwork of local, regional, and global laws that apply to businesses that collect/process minors’ data.

Privacy laws protecting minors in the European Union (and the UK)
The EU General Data Protection Regulation (GDPR)
In terms of data privacy legislation, the EU’s General Data Protection Regulation (GDPR) is generally regarded as the global benchmark. The GDPR applies to countries in the EU and the EEA (European Economic Area), setting out ground rules for data-controlling entities to follow when collecting/processing personal data, including the data of underage users.
Such personal data includes sensitive data (e.g., trade union membership, genetic data, biometric data used to uniquely identify an individual, and data relating to an individual's sex life and sexual orientation; in brief, data relating to intimate details of an individual's life).
Protection under the GDPR also extends to underage users. Specifically, it sets a baseline age of consent for data processing at 16. It however grants individual countries the option to lower this threshold to 13 years of age.
Sweden and Spain have adopted this derogation; both countries allow 13-year-old teens to provide valid consent. Certain countries like Germany and the Netherlands stick to the stricter 16-year threshold. Others like France find a middle line with the French Data Protection Act (Loi Informatique et Libertés) which requires parental consent for under-15 users.
Age thresholds are far from the only requirement. The GDPR also requires privacy notices be written in “clear and plain language”, understandable to adult and underage users alike. Businesses are also bound by data minimization principles, which means they also can’t go overboard with data collection. This is to avoid practices like excessive profiling, which could expose minors to targeted ads or invasive tracking.
A violation of these rules can lead to fines of up to €20 million or 4% of a company’s global revenue, whichever is higher. Notably, companies like TikTok have come under scrutiny for potential GDPR-level violations concerning a failure to protect children’s data.
The UK Data Protection Act 2018
Post-Brexit, the UK kept GDPR’s spirit alive through its Data Protection Act 2018, but with certain shifts. One such shift was that parental consent applies only to kids under 13. The UK GDPR adopts a similar stance in Article 8.
Further down the line, the Information Commissioner’s Office (ICO) doubled down with its Children’s Code (2021), also known as the Age Appropriate Design Code, which mandates that businesses design services with kids’ privacy in mind. The highlights of this code include 15 age-appropriate design standards that online service providers are required to follow. To qualify as an online service provider, a business must offer a product/service to make money or be “likely to be accessed” by users aged under 18, even if they are not the target audience.
The design standards include “high privacy by default” settings, restrictions on data-heavy features like autoplay, and instructions to discourage minors from oversharing. The code enjoys the full force of the law, and breaches can lead to GDPR-level penalties.
Privacy protection for minors under the U.S. patchwork of state and federal laws
Unlike the single fortress that is the EU’s model, data privacy laws in the U.S. are fragmented. Each of the 50 states has its laws, along with several other laws dedicated to children’s privacy at the federal level.
Children’s Online Privacy Protection Act (COPPA)
At the federal level, the Children’s Online Privacy Protection Act (COPPA) has been the chief legislation on the privacy rights of underage users since 2000, when it entered into effect. The law targets apps and websites aimed at kids under 13, requiring verifiable parental consent: signed forms, video calls with ID, and even a small charge to a credit card.
It further bans collecting geolocation information, photos, and persistent identifiers (like cookies) from kids without consent. Privacy policies must lay out data practices in detail, and violations can mean massive penalties. In 2019, TikTok (then Musical.ly) was forced to enter a $5.7 million settlement with the Federal Trade Commission following COPPA violations.
California Consumer Privacy Act (CCPA)
A business is bound by the provisions of the CCPA if it is considered to be operating in the state, whether because it has set its commercial base in California, sells goods/services in California beyond a certain threshold, or engages in any commercial activity there for monetary gain.
For all of COPPA’s protections, it has certain loopholes that businesses have exploited to the detriment of underage users. For instance, under the act, once a user claims to be over 13 (no documentation required), businesses can collect data at will.
That loophole has spurred state governments to act. In typical fashion, California is leading the charge. The CCPA places an obligation on businesses to confirm that a user is over the age of 16, and also restricts them from selling data that belongs to such users unless they have issued consent. Where the minor is under the age of 13, businesses are required to obtain parental permission.
The California Age-Appropriate Design Code Act (CAADCA)
The California Age-Appropriate Design Code Act (CAADCA) takes it a step further, mandating that default privacy settings for under-18s reach “the highest level” supported. In practice, such a level of privacy could mean turning location tracking off by default or placing extreme restrictions on ad targeting.
California Privacy Rights Act (CPRA)
The CPRA’s scope is wider than that of the CCPA, in that it also applies to businesses that collect data for non-commercial purposes. This brings non-profits under its scope. When it comes to processing minors’ data, the law imposes certain requirements on businesses. For instance, once a minor declines consent to share/sell their data, the business must wait at least 12 months before asking for that consent again.
Violations under the law attract a fine of $7,500 for any violation that involves the data of minors below the age of 16. This layers on the fine prescribed in the CCPA, which is within the range of $2,500-$7,500 per violation, regardless of whether a minor is involved.
Colorado Privacy Act (CPA)
In addition to data subject participation rights, the CPA allows underage users under 13 to opt out of the sale/sharing of their data for targeted advertising. As an additional requirement, where the purpose for processing differs from the purpose disclosed when their data was initially collected, the business must obtain opt-in consent from a parent or guardian.
Virginia Consumer Data Protection Act (VCDPA)
Under the VCDPA, the term “sensitive data” includes a class of data that controllers are not allowed to collect or process without the user’s consent.
In terms of composition, this category of data is similar to what applies under the GDPR (data containing unique identifiers like fingerprints or facial images, inherited or acquired genetic characteristics, physical or mental health information, sexual orientation or sex life, racial or ethnic origin, political opinions or associations, religious or philosophical beliefs, trade union membership or associations). But it also notably includes personal data collected from a “known child” under the age of 13.
The states of Utah, Texas, and New York
States like Utah and Texas target underage users’ access rather than their data. Both require parental permission for under-18s to sign up for social media. Some critics state that these laws are less about privacy and more about controlling kids' access.
New York is floating its own requirements through laws like the Stop Addictive Feeds Exploitation (SAFE) for Kids Act, including age requirements and bans for algorithms that expose kids to damaging content. There is also the New York Child Data Protection Act, which limits the information service providers can collect about their underage users.
Privacy laws protecting minors in other regions of the world
Away from Europe and North America, other regions are developing requirements for businesses that collect and process underage user data to observe.
Brazil
The General Personal Data Protection Law (LGPD) has many similarities with the GDPR, especially its parental consent requirement for processing information of users under the age of 18. Under the LGPD, manipulative design is also banned, in response to the recent surge in "dark patterns" that manipulate kids into revealing more information than they'd prefer (for instance, through disorienting button colors or infinite scroll).
China
In China, the Personal Information Protection Law (PIPL) treats users under 14 as a "sensitive" group of users, deserving of protections that include parental consent requirements and tight restrictions on storing and distributing information about them.
India
Under the Digital Personal Data Protection (DPDP) Act 2023, tracking and ad targeting of under-18s are ruled out altogether, while parental consent is mandated for any processing activity.
Australia
While the 1988 Privacy Act doesn't set a specific age threshold, the Office of the Australian Information Commissioner recommends parental consent for under-15s. With the Privacy and Other Legislation Amendment Act 2024 now in effect, the framework for a Children’s Online Privacy Code, which would apply to social media platforms and online service providers, is to be developed.
Japan
Japan’s Act on Protection of Personal Information (APPI) insists on explicit parental consent for those under 16 before collecting or processing their personal data. It also introduces additional obstacles to exporting kids' information abroad.
Moving forward: A balancing act between data protection and user experience
The challenge of protecting underage users online presents two critical dilemmas that businesses must navigate carefully:
- The technical complexity of age verification requires finding the right balance between accuracy and user experience. Simple birthdate entries can be easily circumvented, while more rigorous methods like ID verification or biometric analysis may create friction that drives users away.
- The verification of parental consent presents its own set of challenges. Current methods ranging from credit card verification to video calls with ID checks each have their limitations. But how can businesses definitively confirm that a "parent" is truly the legal guardian of a child?
As technology and regulations continue to evolve, businesses will need to stay adaptable, finding innovative ways to protect young users while maintaining engaging digital experiences.
The future likely lies in developing solutions that can verify age and obtain parental consent seamlessly, without creating barriers that compromise the user experience that consumers have grown to expect. To be continued!
Frequently Asked Questions (FAQ)
What are the main privacy laws businesses need to consider when handling minors' data?
Businesses must comply with various laws depending on their location and target audience. Key regulations include the GDPR (EU & UK), COPPA (U.S.), CCPA & CPRA (California), and PIPL (China). Many other countries, including Brazil, India, and Japan, have specific child data protection rules. These laws set age thresholds for consent, require parental approval, and limit how minors’ data can be collected or used.
How do businesses verify a user’s age to ensure compliance?
Businesses use different methods for age verification, ranging from self-declared birthdate entry (which is easy to bypass) to more advanced AI-based age estimation, ID verification, or third-party verification services. The challenge is balancing security and compliance while maintaining a smooth user experience.
What are the consequences of non-compliance with minors' data privacy laws?
Penalties vary by law and jurisdiction. Under GDPR, violations can lead to fines of up to €20 million or 4% of global revenue. COPPA violations have resulted in multi-million dollar fines, such as TikTok’s $5.7 million settlement. In California, violations involving minors under CPRA can carry fines of $7,500 per incident.
How can companies ensure they obtain proper parental consent?
Many businesses use parental verification systems, such as email approvals, small credit card transactions, or video calls with ID verification.