2026 is the year of children's privacy enforcement. Regulators worldwide are making age verification and child protection their top priority. The UK Online Safety Act, strengthened COPPA rules, and GDPR enforcement actions are forcing websites to rethink how they handle minors' data. This guide covers every major framework and practical implementation options.
Age of Digital Consent by Country
GDPR sets the baseline at 16 but allows member states to lower it to 13. Here's the current landscape:
| Age | Countries |
|---|---|
| 13 | Belgium, Czech Republic, Denmark, Estonia, Finland, Latvia, Malta, Portugal, Sweden, UK |
| 14 | Austria, Bulgaria, Cyprus, Italy, Lithuania, Romania, Spain |
| 15 | France, Greece, Slovenia |
| 16 | Germany, Hungary, Ireland, Luxembourg, Netherlands, Poland, Slovakia, Croatia |
| 13 (COPPA) | United States |
| Various | Brazil (12-18), Canada (province-dependent), Australia (16 proposed) |
Three Legal Frameworks You Must Know
1. GDPR — Parental Consent for Children's Data
Under GDPR Article 8, processing children's data based on consent requires "verifiable" parental consent for children below the applicable age. The controller must make "reasonable efforts" to verify that consent is given by the parent.
- When it applies: Only when the lawful basis is consent. Legitimate interest or contract performance may not require parental consent.
- What's required: "Reasonable efforts" to verify parental consent, considering available technology.
- Privacy notices: Must be written in clear, child-friendly language.
- Data minimization: Especially important — collect only what is strictly necessary.
2. COPPA — Children Under 13 in the US
The Children's Online Privacy Protection Act applies to websites and apps directed at children under 13, or that have actual knowledge of collecting data from children under 13.
- Verifiable parental consent: Required before collecting, using, or disclosing children's data.
- Approved methods: Signed consent forms, credit card verification, video/phone calls, government ID checks, knowledge-based questions.
- Privacy policy: Must include a specific children's privacy section.
- Data retention: Keep children's data only as long as reasonably necessary.
- Parental access: Parents must be able to review and delete their child's data.
Fines: The FTC has issued fines up to $520 million (Epic Games, 2022) and $170 million (YouTube/Google, 2019) for COPPA violations.
3. UK Online Safety Act — Age Assurance Requirements
The UK Online Safety Act 2023 requires platforms likely to be accessed by children to implement "proportionate" age assurance measures. Ofcom's guidance specifies a tiered approach:
- Tier 1 (low risk): Self-declaration (age gate checkboxes)
- Tier 2 (medium risk): Age estimation (AI-based facial analysis) or third-party verification
- Tier 3 (high risk — adult content): Hard age verification (ID documents, credit card, digital identity)
Age Verification Technologies Compared
| Method | Accuracy | Privacy Impact | User Friction | Best For |
|---|---|---|---|---|
| Self-declaration checkbox | Low | None | None | Low-risk, GDPR contexts |
| Date of birth input | Low | Minimal | Low | General age gating |
| Credit card verification | High | Moderate | High | COPPA, e-commerce |
| AI facial age estimation | Moderate-High | High | Moderate | UK OSA Tier 2 |
| ID document upload | Very High | Very High | Very High | Adult content, gambling |
| Digital identity wallet | Very High | Low | Moderate | EU eIDAS 2.0 (emerging) |
| Third-party age service | High | Moderate | Moderate | Scalable solutions |
Implementation Best Practices
- Proportionality: Match the verification method to the risk. A blog doesn't need ID checks; an adult content site does.
- Privacy by design: Age verification itself collects personal data — minimize what you collect and delete after verification.
- Don't create new risks: Storing ID documents or biometric data creates a larger attack surface. Use privacy-preserving methods or third-party services that don't share the actual data with you.
- Accessibility: Offer multiple verification methods. Not everyone has a credit card or smartphone camera.
- Transparency: Explain why you're asking and what happens with the verification data in your privacy policy.
What to Do If Your Site Might Attract Children
- Audit your audience — check analytics for potential underage visitors
- Determine which laws apply based on your audience geography
- Implement appropriate age gating before collecting any data
- Create a child-friendly privacy notice if you allow under-16 access
- Implement parental consent mechanisms if required
- Review third-party services for COPPA compliance
- Set up data retention limits specifically for children's data
- Train your team on handling children's data requests
Next Steps
Start by checking if your website collects data that could relate to children. PrivacyChecker scans your site for trackers, cookies, and third-party scripts that collect data without age-appropriate consent. If your site uses dark patterns that could manipulate minors, our scanner will flag them.