In the United States there are relatively few restrictions on collecting information from children off-line. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”). Among other things, COPPA requires that a website obtain parental consent prior to collecting information from children under the age of 13, that a website post a specific form of privacy policy that complies with the statute, that a company safeguard the information that is received from a child, and that a company give parents certain rights, like the ability to review and delete their child’s information. COPPA also prohibits companies from requiring that children provide personal information in order to participate in activities, such as on-line games or sweepstakes.

Historically the European Union’s Directive on data protection did not explicitly mention the privacy rights of minors, but applied the same data protection principles to children and adults alike.1 That said, there was recognition within the EU that when applying general principles of privacy the age of a data subject may be relevant. For example, while the EU Directive permits companies to collect and process data about a person if the company receives their “consent,” a company may not be able to obtain valid consent of a child if local law would not view a child as having sufficient capacity to give such consent.2

The EU’s new General Data Protection Regulation (“GDPR”), which goes into force in Spring 2018, specifically recognizes that “children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights ….”3 As in the United States, the GDPR requires that a company obtain the consent of a parent if it offers an information society service to a child.4 An “information society service” refers to most electronic services that a child might use and that request information about the child.5 The requirement that consent be obtained applies to information collected from children who are below the age of 16, although member states have discretion to lower the requirement so that, as in the United States, it applies only to children who are below the age of 13.6

The following provides a snapshot of information concerning fines:

$3 million

The largest fine obtained by the FTC in the United States for a violation of COPPA.7


The percentage of a company’s revenue that may be fined if they fail to comply with the GDPR’s requirement to obtain parental consent.8

What to think about when reviewing your website for compliance with US law and the GDPR:

  1. Does your website ask children to provide information?
  2. If not, does your website automatically collect information about a child’s computer or session?
  3. Would your website appeal to children?
  4. Has the FTC or an EU Data Protection Authority received complaints about your website? If so, how many and were any issues concerning the collection of information from children raised in the complaints?
  5. Does your website ask for parents’ permission to collect information about children?
  6. Does your website verify that the parent is the actual parent of a child?
  7. Has the verification mechanism been approved by the FTC?
  8. Does your website’s privacy policy comply with COPPA and the GDPR?
  9. Can you limit liability by joining an FTC approved self-regulatory organization (sometimes called a “safe harbor” program) or an EU Certification program?
  10. Which safe harbor program or certification program provides the most benefit to your organization?