Children's privacy laws: Global compliance overview

Published June 10, 2026 by Francesca DeNisco. 10 min read.

Summary

Children's privacy has become a top enforcement priority for regulators across every major market. There is increased scrutiny of consent mechanisms, age verification, default settings, and data minimization, backed by meaningful enforcement. 

For global brands, the challenge is navigating an increasingly fragmented patchwork of obligations that vary by jurisdiction, age bracket, and service type.

This guide walks through the major laws, what they actually require, and where your organization can start in order to maintain high standards of children's data protection.

Key children's privacy compliance requirements for online services

Before we explore the details of the various laws and regulations in place, it helps to understand the recurring obligations that appear across every children's privacy framework. Below is an overview of the most important information you should know. 

Data minimization and purpose limitation

Data minimization means that if a data point isn't necessary for the service to work, don't collect it. Regulators apply particular scrutiny to child-directed services.

Purpose limitation goes a step further: data collected for one reason cannot be repurposed for another. For example, if you collected an email address for account creation, you can't use it to serve targeted advertising without a legal basis.

Personal information collected

Companies need a better understanding of every category of personal information their service touches. This includes identifiers such as names and addresses, as well as more sensitive ones. Precise location data and persistent device identifiers need extra care. 

Biometric data (facial scans, voiceprints, fingerprints) is now regulated in several frameworks and is in a category of its own.

Parental consent

Verifiable parental consent methods include knowledge-based authentication, digital signatures, and text-based confirmation sent directly to a parent. A checkbox or date-of-birth field alone is not sufficient. 

A 2025 sweep by the Global Privacy Enforcement Network, examining nearly 900 websites and apps across 27 jurisdictions, found that 72% had age-assurance measures that could be easily circumvented, most often when self-declaration was used. The verification process itself should also be privacy-preserving, avoiding the creation of a new data trail when confirming age.

Direct notice

Notice must be given at or before the point of data collection. The language needs to be plain and accessible. Regulators have flagged long, jargon-heavy privacy policies on children's platforms as a form of deceptive design.

Prohibition on conditioning a child’s participation

A child's ability to use a service cannot be conditioned on handing over more information than the service needs. Offering rewards, unlocking features, or granting access in exchange for extra data crosses the line, whether that's requiring location data to play a game or a detailed profile to access basic content.

Children's privacy in the United States

The United States has the longest-standing dedicated children's privacy law in the world, but it has never operated as a single unified standard. For any company serving U.S. audiences, children's privacy means navigating both federal and state laws simultaneously.

The legal framework

Children's privacy in the United States is governed by two overlapping layers of law. 

At the federal level, the Children's Online Privacy Protection Act (COPPA), in force since April 2000 and enforced by the Federal Trade Commission (FTC), sets the baseline for any online service directed at children under 13 or with knowledge that it is collecting data from children. 

At the state level, a growing number of legislatures have expanded those obligations significantly, raising age thresholds, adding design requirements, and restricting data sharing in ways that go well beyond what COPPA requires.

Federal Trade Commission & Children’s Online Privacy Protection Act (COPPA)

COPPA is the federal baseline for children's privacy in the United States. In January 2025, the FTC finalized its first major update to the rule since 2013, with which operators were required to comply by April 22, 2026.

The requirements are verifiable parental consent before collecting personal data from children under 13, clear notice of data practices, and no conditioning of a child's participation on unnecessary data disclosure. The 2025 amendments strengthen these foundations in three areas: 

  1. Operators must obtain separate parental consent before sharing children's data with third parties for targeted advertising; general consent for data collection is no longer sufficient. 
  2. Retention is now limited; data must be deleted once it is no longer needed for its original purpose. 
  3. The definition of personal information has been expanded to include government-issued identifiers and biometric data such as facial templates, voiceprints, and fingerprints.

State and regional laws: Comprehensive privacy laws & age-appropriate design codes

COPPA's under-13 threshold has long been seen as too narrow, and states have moved aggressively to fill the gap.

  • California leads with the most developed framework. The California Age-Appropriate Design Code Act (AB 2273, 2022) imposes design-by-default obligations, high privacy settings, data minimization, and restrictions on profiling for any service likely to be accessed by children under 18. Note that as of March 2026, the law is subject to a partial enforcement injunction, with provisions including data use restrictions and the dark patterns prohibition remaining blocked pending further court proceedings. The CPRA separately requires opt-in consent for selling or sharing the data of users aged 13-15. Both are enforced by the California Privacy Protection Agency (CPPA).
  • Texas, Virginia, Connecticut, and Colorado have omnibus state privacy laws that classify children's data as sensitive, requiring consent for its processing regardless of the specific use case.
  • Maryland and New York have enacted standalone children's online safety bills that impose data minimization by default, mandatory privacy impact assessments, and default protective settings for services likely to be accessed by minors.
  • Other states, such as Florida, Utah, and Indiana, have passed or are advancing laws that restrict social media access for minors under 16. 
  • New Hampshire's HB 1460, if signed, would go further than COPPA by prohibiting the sale of children's sensitive data without a knowledge qualifier, effective January 1, 2027.

Age threshold

COPPA sets the primary federal threshold at under 13, requiring verifiable parental consent for data collection. For users aged 13-15, California and several other states require opt-in consent for the sale of data and targeted advertising. At 16-17, general privacy protections apply under most state omnibus laws, though some states (notably California) extend stricter obligations to this group as well. 

Key obligations for companies

Verify parental consent 

Organizations should verify parental consent before collecting any personal data from users known to be under 13.

Provide a targeted notice 

Organizations must provide a targeted notice describing what is collected, how it is used, and whether it is shared with third parties. Notices directed at children must be written in age-appropriate language, and notices to parents must be direct and complete.

Apply data minimization and avoid profiling minors for advertising

Organizations should apply data minimization and avoid profiling minors for advertising by default for any service that might be accessed by minors, even if that service is not explicitly directed at children. Default privacy settings must be protective, and collection should be limited to what is necessary for the service to function. Data collected for one purpose cannot be repurposed for behavioral targeting of minors.

What makes this jurisdiction distinctive

No other jurisdiction combines a federal enforcement agency (the FTC) with 20+ state-level children's privacy laws, each with different age thresholds and enforcement rules, which requires parallel compliance programs rather than one approach.

While the United States has a federal-state framework, Europe has taken a different approach, with a single binding regulation applied consistently across member states, and recently extended by platform-specific rules that go further still.

Children's privacy in Europe

Europe's children's privacy framework is the most structurally consistent in the world, with the GDPR applying across all member states and, since 2024, supplemented by the Digital Services Act, which explicitly prohibits profiling-based advertising to all users under 18 on large platforms.

The legal framework

The primary law is the General Data Protection Regulation (GDPR), which has been in force since May 2018 and is enforced by each member state's national Data Protection Authority (DPA).

General European Union children's data protection principles

Article 8 of the GDPR requires parental consent for processing a child's personal data in connection with information services when the child is below the national age threshold, which each member state sets between 13 and 16.

Recital 38 recognizes that children have specific protections given their limited awareness of the risks involved. Enforcement priorities across the EU include age verification, behavioral advertising, and dark patterns. 

United Kingdom

The ICO's Children's Code (Age Appropriate Design Code), enforceable since September 2021, requires platforms likely to be accessed by children to apply 15 design standards by default, including high privacy settings, a ban on nudge techniques, data minimization, and restrictions on location tracking.

The UK Online Safety Act 2023 adds a further layer, requiring age verification and content safety measures for platforms accessible to children. 

France

The Commission Nationale de l’Informatique et des Libertés (CNIL) has focused its children's privacy enforcement on social media platforms, parental controls, and age-verification infrastructure.

It has pushed back on checkbox-style consent that does not distinguish between adult and minor users, and has required platforms to demonstrate that consent interfaces cannot be manipulated by children to bypass protections. 

In 2026, the CNIL's priorities include further scrutiny of platforms that rely on self-declared age without any technical verification layer.

Germany

Enforcement in Germany is split across the federal BfDI and 16 state-level Landesbeauftragte. State authorities in Baden-Württemberg and Hamburg have been particularly active on children's privacy, including investigations into school technology platforms and educational apps.

Age threshold

GDPR sets the range at 13-16, with each member state choosing its own national threshold. France applies 15; Germany and most others apply 16. Above that threshold, standard GDPR protections apply, though the DSA's prohibition on profiling-based advertising extends to all users under 18.

Key obligations for companies

Obtain verifiable parental consent 

Obtain parental consent below the applicable national threshold. DPAs across Europe have consistently held that checkbox or self-declaration flows do not meet this standard.

Write privacy notices in clear, age-appropriate language

Notices directed at children must be comprehensible to the target age group. Legal language aimed at adult users does not comply.

Apply strict data minimization and avoid profiling minors for advertising

The DSA prohibits profiling-based advertising to under-18s on large platforms. The GDPR's minimization principle reinforces this across all services.

What makes this jurisdiction distinctive

No other jurisdiction combines a binding cross-border regulation (GDPR) with a secondary layer of platform-specific law (the DSA) that prohibits profiling-based advertising to minors. Companies operating in Europe face both simultaneously.

Children's privacy in the rest of the world

Beyond the U.S. and Europe, a growing number of jurisdictions are advancing their own children's privacy frameworks, and most share a common approach of higher age thresholds, stronger verification requirements, and shorter data retention windows. Here, we list some notable examples.

The legal framework

There is no single global standard equivalent to the GDPR. The frameworks described below operate independently, though many have been shaped by GDPR principles and some are explicitly modeled on them.

Canada

Canada's primary privacy framework is PIPEDA (federal, in force since 2001), enforced by the Office of the Privacy Commissioner (OPC). 

Quebec's Law 25 (fully in force since September 2023), enforced by the Commission d'accès à l'information (CAI), adds stricter obligations, including mandatory privacy impact assessments and consent requirements, backed by an active enforcement posture.

The OPC treats users under 13 as unable to provide independent consent. In May 2026, the OPC published formal age assurance guidance for both website operators and age assurance developers, and released findings from its consultation on a dedicated Children's Privacy Code, currently in preparation. This marks a shift from a principles-based approach to a structured, code-based framework more closely aligned with the UK's Age Appropriate Design Code.

Australia

Australia's Privacy Act 1988 is enforced by the Office of the Australian Information Commissioner, with additional platform-specific obligations under the Online Safety Act. The Privacy Act is currently under reform, with children's data flagged as a priority. 

The OAIC prioritizes data minimization, retention limits, and valid consent for minors, while the eSafety Commissioner plays a growing role on age verification, with enforcement action against platforms that fail to prevent minors accessing harmful content.

In 2026, Australia's age checks and Digital ID will push more services to verify identity using face scans or government ID. At the same time, downloadable AI models (open-weight), including from higher-risk jurisdictions, make deepfake scams cheaper and AI-generated code harder to govern.

With data flows hard to track, organisations must collect less, retain less, and log every access.

- Chris Brinkworth, Managing Partner at Civic Data (Source: 2026 data privacy trends: Predictions from the experts, Didomi)

Asia

Asia has no unified regional framework. Compliance requirements vary by jurisdiction, and companies must assess each country's rules independently. The three most active jurisdictions for children's privacy are Japan, South Korea, and Singapore:

In Japan, the Act on the Protection of Personal Information (APPI), amended in 2022 and enforced by the Personal Information Protection Commission (PPC), applies a principles-based approach without a fixed statutory age threshold for children. Users under 18 are treated with additional care in practice.

In South Korea, the Personal Information Protection Act (PIPA), enforced by the Personal Information Protection Commission (PIPC), is among the most prescriptive privacy frameworks outside Europe. It requires verifiable parental consent for children under 14, and the 2023 amendments introduced new requirements for privacy policies to be written in language accessible to children, along with stronger rights for minors to understand how their data is processed.

In Singapore, the Personal Data Protection Act (PDPA), enforced by the Personal Data Protection Commission (PDPC), does not set a fixed statutory age threshold but treats users under 18 with heightened care in its advisory guidelines. Singapore's enforcement approach is principles-based and dialogue-first, though the PDPC has demonstrated willingness to impose fines for significant violations.

Age threshold 

Canada does not have a specific age threshold, though the OPC treats under 13 as the practical age below which independent consent is not meaningful. Australia has no fixed statutory age, but organizations apply 13 in line with international norms, with reform likely to push this higher. In Asia, South Korea sets a hard threshold at under 14 for parental consent. Japan and Singapore have no fixed statutory age, but treat those under 18 with additional care.

What makes these jurisdictions distinctive

Canada's dual federal-provincial structure means Quebec's Law 25 effectively sets the national compliance bar for organizations that cannot afford a province-by-province approach. Australia is moving faster than any peer jurisdiction in age-verification infrastructure, with government-backed digital ID and face-scan verification entering the mainstream in 2026.

In Asia, South Korea stands out, as its consent requirements and enforcement posture more closely resemble Europe's GDPR than the principles-based approaches of Japan and Singapore.

Enforcement trends and significant fines for children's privacy

Children's privacy is one of the most actively enforced areas of privacy law globally. The cases below span multiple jurisdictions, regulators, and legal actions. The fines reflect how seriously violations are now being treated.

I expect regulators will increasingly focus on the personal data of children, including guidance on how to avoid collecting their data and, if you need to, how to obtain the appropriate consent and protect it with the utmost security.

While I don’t agree with bans on social media (for some kids, it may be their only lifeline to a community), I do agree that companies should take a bit more care in thinking through their data processing practices for this group online.


- Julie Ford, Executive Director of the Digital Advertising Alliance of Canada (DAAC) (Source: 2026 data privacy trends: Predictions from the experts, Didomi)

The cases and figures below illustrate how that enforcement pressure is playing out in practice.

The biggest fines

The biggest fine so far came in 2022, when the FTC reached a $520 million settlement with Epic Games, still the largest children's privacy penalty on record in the U.S. Google and YouTube had come earlier, in 2019, with a $170 million settlement. Since then, Genshin Impact's developer ($20 million in January 2025) and Disney ($10 million in December 2025) have followed. In Europe, Italy's Garante fined OpenAI €15 million that same month, citing inadequate age verification as the main violation.

Recent FTC enforcement actions

In June 2024, the FTC referred TikTok to the DOJ for litigation, alleging the platform allowed children under 13 to bypass its age gate in violation of COPPA. The FTC also banned NGL Labs from offering anonymous messaging apps to minors after finding the service was being marketed to children despite known harm.

Notable state attorney general actions

California, Connecticut, and New York jointly settled a $5.1 million action against ed-tech company Illuminate Education in November 2025, following a data breach that exposed the sensitive personal records of millions of students, including names, race, disability status, and coded medical information. The case is a reminder that children's privacy enforcement extends well beyond social media platforms and advertising practices; data security failures at companies handling student records carry the same enforcement risk. Texas has taken a different but equally aggressive approach, suing multiple companies under its SCOPE Act for sharing minors' data with advertisers without parental consent.

Litigation around Age-Appropriate Design Codes

California's Age-Appropriate Design Code has been subject to legal challenge since 2022, with tech trade group NetChoice contesting it on First Amendment grounds. As of March 2026, a federal appeals court delivered a split ruling, allowing provisions such as age estimation and default privacy protections to move forward while leaving data use restrictions and the dark patterns prohibition enjoined pending further proceedings.

Enforcement compared across jurisdictions

U.S. enforcement under COPPA has traditionally been case-by-case, but state attorneys general are increasingly targeting the same companies. European regulators tend to scan entire sectors rather than wait for complaints, and the fines are significantly larger. South Korea is closest to Europe in terms of how aggressively it monitors and penalizes. 

Practical children's privacy compliance checklist: 6 steps you can take today

  1. Map data
  2. Classify services
  3. Implement age-gating
  4. Deploy parental consent
  5. Conduct DPIAs
  6. Audit SDKs

How Didomi helps global brands navigate children’s privacy laws

Children's privacy law varies by market, and the regulatory ecosystem is moving faster than most compliance programs can keep up with. 

In that environment, the vendors and experts an organization works with are part of the compliance picture. These are some of the ways that Didomi works with global brands to manage that complexity:

  • Configure an age-gated consent flow that corresponds to the applicable regulation
  • Sync consent across web, mobile, and connected TV so a child's privacy protections don't break across devices or platforms
  • Integrate with your CRM and tag management system to ensure consent data flows through your entire stack
  • Implement server-side tracking to reduce fingerprinting risks and limit data exposure at the collection point
  • Audit third-party SDKs and trackers to map exactly what data leaves your properties and to whom

Talk to a Didomi expert about building a children's privacy compliance program that works across every market you operate in. 

The authors
Francesca DeNisco
Content and Communications Intern
Content writer currently focused on data privacy
Thierry Maout
Lead content manager at Didomi.
Managing content at Didomi. I love reading, writing, and learning about data privacy, technology, culture, and education.