If you make websites, apps, or games for kids, or services that are likely to be used by them, you need to make sure you comply with legal rules relating to minors.
In particular, a number of different privacy laws, including the Children's Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR), the UK GDPR, and others, have rules about how you should ask for consent.
This article will go through what a minor is, how COPPA and GDPR apply to minors, and how you should collect consent appropriately.
What is the Definition of a Minor?
The definition of a minor depends on the specific law.
For example, under COPPA, there are separate definitions for "child" and for "teen". COPPA defines a child as "an individual under the age of 13". In 2024, COPPA 2.0, an expansion of COPPA, added a definition for a "teen", which means "an individual over the age of 12 and under the age of 17". COPPA 2.0 will come into force on June 23, 2025. You should keep this in mind and remember to update your website or app practices.
For the purposes of the GDPR, Article 8 states that a child is someone below 16 years of age.
The UK GDPR is in many respects the same as the GDPR. One difference is in Article 8, however, with the age of a minor being defined as someone below the age of 13 years in the UK.
Other laws, like PIPEDA, do not distinguish between adults and children. However, there are guidelines released by the Privacy Commissioner of Canada, which consider two cases of websites aimed at "kids" from 6-13, and "youths" from 13-18.
In the table below you can see the different laws, minimum age for valid consent, and whether parental consent is required.
| Jurisdiction / Law | Minimum Age for Valid Consent by Child | Parental Consent Required Below This Age? | Notes |
| --- | --- | --- | --- |
| US COPPA | 13 | Yes | Applies to services directed at or knowingly collecting from children under 13. |
| US COPPA 2.0 (Proposed) | 17 | Yes | Expands protection to teens under 17. Expands "knowing" collection to "reasonably likely" collection from a child. |
| EU - GDPR | 16 (default) | Yes | Member states may lower the age to 13. Most have chosen 13 - 15. |
| UK GDPR | 13 | Yes | Post-Brexit version of GDPR. The Age Appropriate Design Code (Children's Code) also applies. |
| Canada PIPEDA | No specific age (guidelines suggest 13) | Yes (under 13) | Consent must be "meaningful"; children under 13 are assumed unable to provide it. |
Let's take a look at those laws in more detail.
Consent in Privacy Laws Relating to Minors
Each of these different privacy laws, COPPA, GDPR, UK GDPR, and PIPEDA, has rules about how the data of minors should be collected (or not).
The purpose is to protect the privacy and rights of young people, who may not understand or fully understand what it means to disclose their personal information.
The rules around consent in particular often ask for the consent of a parent or guardian.
Children's Online Privacy Protection Act
The Children's Online Privacy Protection Act (COPPA), and COPPA 2.0 (the 2024 update to COPPA), are laws in the US that regulate the collection of children's data.
They apply to websites and online services (including apps and games) that collect the data of children in the US.
As required by COPPA, you must get verifiable parental consent before you collect personal information from a child. Note that this parental consent must be verifiable.
You can also see that this verifiable consent can be obtained in a number of different ways.
However, the method needs to be "reasonably calculated" to make sure the consent is provided by the parent, and not the child (or someone else).
This article will cover in a later section what methods you can use to obtain verifiable consent.
General Data Protection Regulation
The General Data Protection Regulation (GDPR) applies to the data collection of EU residents, including EU resident minors.
You can see that processing the personal data of children is only lawful if the child is 16 or older.
You can also see that consent needs to be authorised by the parent or person with "parental responsibility".
You need to make "reasonable efforts" to verify that consent is given by the person with parental responsibility, and not the child or someone else.
UK General Data Protection Regulation
The UK General Data Protection Regulation (UK GDPR) applies to data controllers or processors in the UK, as well as any processor or controller who is processing the data of UK residents.
You can see that you can only process data of children lawfully if the child is 13 or older.
When the child is younger than 13, consent needs to be given by the holder of "parental responsibility" over the child. This consent has to be verified with "reasonable efforts".
Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act (PIPEDA) itself does not distinguish between data collected about adults and data collected about children.
However, guidelines from the Privacy Commissioner of Canada set out that it is not possible for younger children to give meaningful consent. You can only collect data on children under the age of 13 if their parents or guardians have given consent.
You can also see that you need to consider how to ensure that the parent/guardian has actually been "involved in the process". This is very similar to the requirement of verifiable consent under other laws.
Now let's look at how to obtain meaningful and verifiable consent.
How to Obtain Verifiable Consent
Each of these laws has rules for how you should obtain consent from parents and guardians, or from minors themselves. Many of these rules require that the consent be verifiable, i.e. that you can prove a parent has given it.
The Federal Trade Commission in the US has provided a list of approaches that can be used to obtain verifiable consent. The parent can:
- Sign a consent form and send it back
- Make a token (1c) or reversible online payment with credit or debit card, or online payment system
- Call a phone number or make a video call and speak to trained staff
- Verify ID by checking against a database or using facial recognition
- Answer knowledge-based challenge questions
Each of these methods has its pros and cons, but all can be used to obtain valid consent from a parent or guardian on behalf of a minor.
Another option is the "email plus" approach, in which you email the parent and have them respond with their consent.
Download and Sign a Form
One option is to have a downloadable consent form that parents can download, sign, and return by email.
Here's one example from Lloyd's Insurance Company in Europe, which has provided a consent form for cases when an insurance policy will be taken out by a person under 16.
In this form you can see that consent is requested to process data under the GDPR, and that children under the age of 16 need written consent from their parents or guardians.
You can see the data requested from the parent is a clear declaration of consent, a signature, the child's full name and signature, the date, parent's full name, and policy number.
The form should then be signed and sent back, and used as evidence that consent was obtained from the parent to process the personal data of a person under 16.
This example shows compliance with the GDPR in the EU, but you can use a similar form in any jurisdiction (as long as you follow the relevant age limits).
Online Payments
Another option is using a credit or debit card transaction, or a transaction through an online payment system. This can be used as a verification of consent from an adult.
However, many websites don't want to use this process, as it requires asking for additional information (credit or debit card information), which can be contrary to the data minimisation principles of many laws. Data minimisation means you should only collect as much information as is necessary, and no more.
Phone Call or Video Call
Another option is to make a phone call or video call with the parent or guardian, to confirm their consent. This option can be time consuming, however, and parents may be hesitant to provide additional personal information such as a phone number or Skype ID, to make a call.
ID Verification Check
Verifying a parent's ID is another option to gain verifiable parental consent. You can either compare a photograph of a government-issued ID to a database, or provide a link to an ID comparison and verification program. This is usually done through an embedded video call with qualified staff who compare the parent's face to the parental ID to confirm it.
Knowledge-based Authentication
Knowledge-based authentication is when the parent is required to answer a series of questions that only the adult would know. The questions that are asked should be difficult for a child to answer, but easy for a parent. The questions should not be able to be answered easily from the internet, or from data in a parent's wallet. The FTC also notes that the questions should be "multiple and dynamic questions".
Email Plus
Email plus is when an email is sent to the parent or guardian, who must provide their consent by email. Then, a follow-up confirmation is made, through email, phone call, or letter. For example, when signing up for a Battle.net account, if the user is a child, they are asked for their parents' permission through the email plus approach.
Here's another example from Days of Wonder with a similar process, in which a link is sent to the parent's email account to provide their approval.
You can also see this on the LEGO Builder app, which asks for a parental email to be provided through the app for the user to continue to make an account.
Another example is from the Minion Rush app. This app has a pop-up that explains parental consent is needed to process the information of children using the app.
However, there is no verifiable consent mechanism. The adult (or child) can simply press the "Accept" button and continue. This would not be verifiable consent for the purposes of any of the above laws.
Now let's take a look at additional clauses you need to include in your Privacy Policy when you're dealing with kids' data.
Privacy Policy for Kids Websites and Apps
Once you've set up an appropriate consent mechanism, you also need to make sure that you have a Privacy Policy that is tailored for minors.
You need to make sure this Privacy Policy is clear and conspicuous, and is agreed to actively by users.
Your Privacy Policy should cover the usual requirements, such as what data you collect, how you collect it, what you use it for, and data subjects' rights. This includes the right to access data, the right to correct data, the right to data being deleted, and the right to withdraw consent, among other things.
For kids, you also need to include clauses on parents' rights and access to their children's data, as well as any notices required by law, such as a COPPA notice.
Here's an example of a COPPA notice from Adobe:
A COPPA notice is a disclosure about how the website, app, or service collects data from children.
Privacy Policy clauses should outline these things as well. For example, ABCYa provides a clause on parental rights to review and delete the personal information of their children. The clause provides a contact email address so that parents can do this.
You can also see on the NASA Privacy Policy that it explains what data is collected about children, and how COPPA-specific information is provided any time a website page collects information about a child.
Here you can see from Warner Brothers' Discovery that they also have a child-friendly Privacy Policy tailored so that young people can understand it.
This would not be suitable for getting the consent of a child under 13 (who cannot provide valid consent), but can be useful for older kids and teens (between 13 - 18 in the US and UK, or over 16 in the EU) who need a simpler document to read.
Summary
If your business is collecting data from minors, you need to know how to collect consent on your websites, apps, games and other services. Make sure you know which laws apply to you, such as COPPA, the GDPR, UK GDPR, PIPEDA or others. Request consent from the parents of minors, and make sure this consent is verifiable. You also need to make sure you have a clear, easily-readable Privacy Policy, that is conspicuous and clearly agreed to by your users.