Introduction
In today’s digital era, children’s online privacy stands at the forefront of data protection concerns for both policymakers and online service operators. Whether through online services, information society services, or commercial websites, the rise of platforms targeting young users poses critical questions around collecting personal information online, the personal information collected, and safeguarding children’s data.
Children’s online privacy protection is the overarching goal of these regulations, aiming to ensure that children’s data and privacy are safeguarded through robust legal frameworks and compliance measures.
Two major frameworks anchor global efforts to protect children’s personal information:
- The Children’s Online Privacy Protection Act (COPPA) in the U.S., enforced by the Federal Trade Commission (FTC), governs data collection from children under 13.
- The General Data Protection Regulation (GDPR) in the EU, with its specific clause for children, commonly called GDPR-K, which sets rules for information society services regarding minors’ data.
To protect children online, these regulations mandate verifiable parental consent, set out age restrictions, and require online services, whether child-directed or with actual knowledge of collecting data from minors, to maintain reasonable procedures, provide direct notice, and ensure data collection is limited to necessary purposes.
The Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law enacted in 2000, overseen by the Federal Trade Commission (FTC). It pertains to operators of websites or online services directed to children under 13, also called child-directed websites, and to those who knowingly collect personal information from children under 13 online.
Key COPPA obligations include:
- Publishing a clear and comprehensive privacy policy that explains what personal information is collected, how it is used, and with whom it is shared.
- Making reasonable efforts (in light of available technology) to provide direct notice to parents and obtain verifiable parental consent before collecting, using, or disclosing the child’s personal information.
- Giving parents the right to review, delete, or refuse further use of their child’s information, and requiring operators to retain data only as long as necessary, then delete it with reasonable measures.
- Maintaining reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children.
- Not conditioning a child’s participation on the disclosure of more personal information than is reasonably necessary to participate in the activity.
In 2025, the FTC finalized major updates to COPPA (effective June 23, 2025, with compliance deadline April 22, 2026) to reflect technological advances. These include:
- Separating consent for third-party disclosures (like advertising) from consent for primary functions, requiring opt-in consent specifically for targeted advertising or non-integral uses.
- Expanding the definition of personal information to include persistent identifiers (e.g., device IDs, IP addresses), biometric data, geolocation, and behavioral or inferred data.
- Enforcing stricter rules around data retention, requiring operators to delete data once it is no longer necessary, provide clear data retention policies, and prove deletion upon request.
- Making third-party sharing for advertising, analytics, or AI functions subject to explicit parental consent unless it is integral to the service. Ad networks must ensure they comply with COPPA by relying on signals from websites about whether they are child-directed and by following lawful data collection and targeting practices.
- Increasing fines significantly, up to $51,744 per child, per violation. Violating COPPA can result in substantial penalties and enforcement actions by the FTC.
These revisions aim to strengthen children’s privacy, limit kids’ data monetization, and ensure operators demonstrate compliance through proactive efforts.
GDPR-K: Children’s Privacy under the General Data Protection Regulation
While COPPA is a standalone U.S. law, the EU treats children’s privacy within the broader General Data Protection Regulation (GDPR), specifically through GDPR Article 8, informally known as GDPR-K.
Key GDPR-K components include:
- Defining the age at which a child can provide their consent to data processing for information society services. The default is 16, but member states may lower it to as young as 13. If a child is below that age threshold, parents’ consent must be obtained, using reasonable efforts to verify identity.
- GDPR-K supports broader lawful bases beyond consent, such as legitimate interest or performance of a contract, but these are less commonly used for children’s data due to sensitivity.
- It grants children (and parents) fundamental rights regarding children’s information: access, rectification, erasure, objection, and restriction of processing, offering broader privacy protection than COPPA.
- Transparency is required, including providing detailed information in privacy policies about data collection and processing practices.
- Violations can result in fines of up to €20 million or 4% of global turnover, similar to GDPR general penalties.
Enforcement in 2025 is becoming more robust:
- Regulators like France’s CNIL have made child privacy a strategic priority, advising on age verification and encouraging privacy-preserving solutions.
- Spain’s AEPD continues strengthening guidance on minors in its 2024/2025 reporting.
Online Services Must Comply with Both Frameworks
Operators offering online services, commercial websites, or information society services that reach both U.S. and EU minors must align with both COPPA and GDPR-K simultaneously.
Key compliance requirements include:
- If a service is a child-directed site or an online service directed to children (or the operator has actual knowledge of data collection from children), COPPA demands verifiable parental consent, direct notice, reasonable procedures, and data minimization.
- For general audience sites, if the operator has actual knowledge of collecting personal information from children, COPPA obligations still apply.
- Under GDPR-K, below the applicable child-consent age, operators must also rely on parental consent, with documentation and transparent data practices that reflect the rights and choices of child data subjects for each relevant age group.
- Verifiable consent is central to both regimes, though methods may differ: COPPA encourages approval of methods by the FTC, while GDPR-K allows flexibility but demands proof of reasonable efforts to verify.
- Operators must demonstrate compliance through records, data retention policies, consent logs, and compliance mechanisms.
Understanding Verifiable Parental Consent
Both COPPA and GDPR-K hinge on verifiable parental consent, but their requirements diverge in nuance. Obtaining parental consent is a legal requirement under both COPPA and GDPR-K before collecting personal information from children, ensuring compliance with regulations and protecting children’s privacy.
Under COPPA:
- The FTC outlines various acceptable consent methods, such as knowledge-based authentication, video or call-in, digital signatures, or face-match ID with ID documents (modernized in 2025).
- The 2025 updates have added support for face-match ID, text-plus methods, and knowledge-based questions. Biometric data is now explicitly part of personal information and is regulated.
- Consent must be separate for targeted advertising or third-party data disclosures, and consent methods must be reasonably designed given available technology.
Under GDPR-K:
- Consent or lawful basis is required if the user is below the local age threshold.
- The law does not prescribe a specific verification method, but requires reasonable efforts, and passive age checks or unchecked checkboxes are insufficient.
- Consent flows must be tailored by geolocation, respecting different age thresholds in EU countries.
Age Verification in Online Services
While not always mandated by COPPA, age verification is a critical practical tool to determine when verifiable parental consent is required. Companies are expected to make a reasonable effort to verify a user’s age, especially as regulatory standards evolve beyond simple yes/no questions to more comprehensive and layered verification methods.
COPPA’s role:
- It relies on actual knowledge; if a service learns (e.g., via date of birth or grade level) that a user is under 13, it must comply.
- The 2025 update did not exempt age verification techniques; rather, they must not rely on children’s data beyond what’s reasonably necessary.
GDPR-K:
- Requires services to respect varied age thresholds across the EU (13–16), with geo-targeted flows to ensure proper consent methods.
- Passive or unchecked age gates are inadequate; evidence-based, reliable methods are expected.
Globally, other regions are tightening age verification:
- In Australia, the Online Safety Act (2021) now bans under-16s from social media unless their age is verified by 2025.
- In the UK, the Online Safety Act 2023 requires robust age verification (e.g., to block under-18s from adult content), though privacy and accessibility remain concerns.
Thus, while COPPA and GDPR-K do not mandate age verification per se, implementing it is crucial for compliance, and it must align with privacy-preserving, transparent, and child-appropriate data practices.
Collecting Personal Information from Children
When collecting personal information from children under 13 (COPPA) or below the consent age under GDPR-K, both frameworks demand strict controls. Operators must follow specific procedures to collect data and information from children, ensuring compliance with legal requirements and safeguarding minors’ privacy.
Personal information collected may include:
- Common identifiers like names, home or email addresses, phone numbers, which are often collected as part of the process to collect personal information.
- Persistent identifiers such as IP addresses, device IDs, and geolocation data, which may be considered children’s personal information under privacy laws.
- Biometric data, including facial scans and voice recordings, is now explicitly included in COPPA’s definition.
- Behavioral profiles or inferred data when used to identify or target a child.
Obligations for operators:
- Under COPPA, no personal information should be collected before obtaining verifiable parental consent, except for very limited exceptions.
- Data minimization is required: don’t condition children’s participation on providing unnecessary information.
- The 2025 updates reinforce limitations on third-party sharing and require clear retention and deletion policies.
- Under GDPR-K, children’s personal data must be processed lawfully, transparently, and with respect for the child’s rights. Data subject rights include access, deletion, and objection; operators must facilitate these.
- Operators must be transparent about how they handle children’s information and comply with all rules regarding the online collection of data from minors.
These obligations ensure both frameworks maintain children’s privacy protection, consumer protection, and accountability.
Consumer Protection and Enforcement
At the core of both COPPA and GDPR-K lies consumer protection, particularly around transparency, control, and safety for child and parent users.
Under COPPA, the FTC leads enforcement, offering guidance and imposing fines for non-compliance. The 2025 expansions heighten enforcement risk and financial exposure.
Under GDPR-K, enforcement is decentralized across EU member state data protection authorities (DPAs). With penalties up to €20 million or 4% of global turnover, enforcement is meaningful. Agencies like CNIL (France) and the AEPD (Spain) are prioritizing child data protection in strategic plans.
Both systems also aim for consumer trust through:
- Clear language in privacy policies and notices, avoiding jargon.
- Parental control tools and mechanisms for reviewing or deleting a child’s information.
- Strong data security, access controls, and privacy-preserving design.
Key Differences Between COPPA and GDPR-K
Despite shared goals, COPPA and GDPR-K differ in several critical respects:
Feature | COPPA (U.S.) | GDPR-K (EU) |
---|---|---|
Age threshold | Under 13 (nationwide) | Under 16 by default; member states may lower to 13 |
Consent scope | Verifiable parental consent mandatory | Parental consent needed below threshold, but alternative lawful bases possible |
Rights granted | Notice, consent, review/delete, data security | Full GDPR rights: access, erasure, correct, object, restrict |
Scope of definition | Expansive, now includes biometric & persistent identifiers | Broad, includes all personal data, with emphasis on transparency |
Enforcement | FTC, fines per child; updates in 2025 widen scope and penalties | DPAs across member states, high maximum fines (4% of turnover) |
Verification | FTC-approved methods, modern biometric/text-plus methods allowed | “Reasonable efforts” required; passive age gates insufficient |
Third-party sharing | Separate opt-in required for ads and non-integral uses | Permissible under GDPR if lawful and consensual, but subject to transparency/privacy principles |
These key differences require operators to tailor processes depending on jurisdiction; e.g., age verification, data processing justification, rights management, and consent flows must align with both regimes to ensure full compliance.
Conclusion
A patchwork of robust regulatory frameworks governs children’s online privacy. In the U.S., COPPA demands verifiable parental consent, precise direct notice, and protective data handling practices for children under 13. The sweeping 2025 updates raise the bar, especially around biometric data, third-party disclosures, data retention, and strict penalties.
In the EU, GDPR-K serves a similar mission, protecting minors across a dynamic landscape of age thresholds, rights, and consent methods, tied to broader GDPR enforcement.
Operators of online services, whether child-directed, general audience with actual knowledge, or commercial platforms (information society services), must carefully implement age verification, verifiable parental consent, privacy by design, and rights management, while also demonstrating compliance through clear documentation, policies, and technical safeguards.
As of today, these regulatory frameworks are not only active; they are evolving. With COPPA’s updates now in effect (and compliance timelines underway) and EU regulators pushing child privacy enforcement, it’s more critical than ever for online platforms to align with these standards proactively. Doing so ensures they genuinely contribute to protecting children online, uphold consumer protection, and maintain trust in the digital ecosystem for young users, their parents, and broader society.