Why Children's Cookie Consent Is Different
Most cookie consent flows assume the visitor is an adult. That assumption breaks the moment a child lands on your site.
Under GDPR Article 8, when an information society service is offered directly to a child, consent is only valid if the child has reached the digital age of consent - or if a parent or guardian has authorised the processing. The ePrivacy Directive adds a second layer: Article 5(3) requires consent before any non-essential cookie or tracker is placed on a device, regardless of the user's age. Together, these rules mean your cookie banner cannot simply collect a click from a 12-year-old and treat it as lawful consent.
The practical result is straightforward. If your audience includes minors, you need a mechanism to identify their age range and adjust the consent flow accordingly.
GDPR Article 8: The Digital Age of Consent
Article 8(1) of the GDPR states that processing a child's personal data is lawful only where the child is at least 16 years old. Below that threshold, consent must be given or authorised by the holder of parental responsibility.
Member states may lower this age, but not below 13. The result is a patchwork of thresholds across Europe. Controllers operating across borders must respect the threshold of each country where they have users - not just the country where the business is based.
Article 8(2) adds a verification requirement: controllers must make reasonable efforts to verify that consent was given or authorised by a parent, taking available technology into account. The regulation does not prescribe a specific verification method, which gives organisations flexibility but also leaves room for regulatory scrutiny.
Age Thresholds by Country
The table below shows the digital age of consent set by selected EU and EEA member states. Where a country has not formally legislated a different threshold, the GDPR default of 16 applies.
| Age Threshold | Countries |
|---|---|
| 13 | Denmark, Ireland, Latvia, Poland, Portugal, Spain, Sweden, United Kingdom |
| 14 | Austria, Bulgaria, Italy |
| 15 | Czech Republic, France, Greece, Slovenia |
| 16 (GDPR default) | Germany, Hungary, Lithuania, Luxembourg, Netherlands, Slovakia, Romania, Croatia |
For websites serving visitors from multiple jurisdictions, the safest approach is to apply the strictest threshold relevant to your audience. A site with significant traffic from Germany and France, for example, would need to handle visitors under 16 as children in both cases - even though France technically sets its threshold at 15.
EDPB Statement on Age Assurance (February 2025)
In February 2025, the European Data Protection Board adopted Statement 1/2025 on age assurance. The statement sets out ten principles that controllers should follow when determining a user's age or age range. Among them: data minimisation, proportionality, privacy by default, and effectiveness.
The EDPB explicitly warns that age assurance mechanisms must not create new privacy risks. Collecting a full ID scan to verify age, for instance, could violate the data minimisation principle if a less intrusive method would achieve the same goal. The statement also confirms that any automated age determination must comply with GDPR Article 22 on automated decision-making.
The Board is also preparing dedicated guidelines on the processing of children's personal data, expected to address consent, transparency, and online platform obligations in greater detail.
Practical Age-Gating Methods for Cookie Consent
There is no single mandated method for age-gating. The GDPR requires reasonable efforts, and what counts as reasonable depends on the risk to the child and the nature of the service. Below are the most common approaches, ranked roughly by verification strength.
Self-Declaration (Age Gate Screen)
The simplest approach asks visitors to enter their date of birth or confirm they are above a certain age before the cookie banner loads non-essential cookies. This method is low-friction but also low-assurance. A child can easily enter a false date. Regulators have signalled that a bare checkbox is unlikely to satisfy the reasonable efforts standard for services directed at children.
Email-Based Parental Verification
If a visitor declares they are under the applicable age threshold, the site can request a parent's email address and send a verification link. The parent clicks the link and authorises consent on behalf of the child. This is more robust than self-declaration alone, though it does not fully prevent a child from using a parent's email without permission.
Credit Card or Identity Verification
A stronger method involves verifying a parent's identity through a credit card micro-transaction or an ID check. COPPA in the United States explicitly lists credit card verification as an acceptable method. Under the GDPR, this level of verification is more likely to be expected for high-risk services - those involving special category data or behavioural profiling of minors.
Third-Party Age Estimation
Newer solutions use facial age estimation or document verification services. These can provide higher confidence but raise data-protection-by-design questions of their own. The EDPB's 2025 statement warns that such systems must comply with data minimisation and should not retain biometric data beyond what is strictly necessary for the age check.
Integrating Age-Gating with Your Cookie Banner
The technical integration depends on when in the user journey you perform the age check. Two patterns dominate.
Pattern 1: Age gate before the cookie banner. The visitor sees an age verification screen first. If they are above the threshold, the standard consent flow loads. If they are below, either no non-essential cookies are set at all, or a parental authorisation flow begins. This pattern is cleanest from a compliance standpoint because no tracking scripts fire until age and consent status are both confirmed.
Pattern 2: Age question within the cookie banner. The cookie banner itself includes an age declaration step. If the visitor indicates they are under the threshold, the banner blocks all non-essential categories and displays a message explaining that parental consent is required. This is simpler to implement but requires your script-blocking logic to handle the additional condition.
Whichever pattern you choose, the key technical requirement is the same: no marketing or analytics cookies may fire until valid consent - from an adult or an authorised parent - is confirmed. Your tag management setup should treat an underage declaration the same as a consent refusal until parental authorisation is received.
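The gating rule above can be written as one fail-closed decision function that the script-blocking logic calls before injecting any tag. This is an added example, not code from this page or from any consent product; the function names, the `state` shape and the use of ISO country codes are assumptions, and the thresholds are copied from the table earlier on this page.

```javascript
// Added example: thresholds copied from the table on this page.
// ISO 3166-1 alpha-2 country codes are an assumption of this sketch.
const AGE_OF_CONSENT = new Map([
  [13, ["DK", "IE", "LV", "PL", "PT", "ES", "SE", "GB"]],
  [14, ["AT", "BG", "IT"]],
  [15, ["CZ", "FR", "GR", "SI"]],
  [16, ["DE", "HU", "LT", "LU", "NL", "SK", "RO", "HR"]],
].flatMap(([age, codes]) => codes.map((code) => [code, age])));
const GDPR_DEFAULT_AGE = 16; // used when the country is unknown or unlisted
const NON_ESSENTIAL = ["analytics", "marketing"];

// Unlisted or missing country falls back to the GDPR default of 16.
function thresholdFor(country) {
  const code = String(country ?? "").trim().toUpperCase();
  return AGE_OF_CONSENT.get(code) ?? GDPR_DEFAULT_AGE;
}

// state (hypothetical shape): { country, declaredAge, parentalAuthorised, choices }
// choices holds the categories accepted by the adult visitor or, for a
// child, by the parent who completed the authorisation flow.
function allowedCategories(state) {
  const allowed = new Set(["necessary"]); // needs no consent at any age
  const age = state.declaredAge;
  // No usable age declaration yet: fail closed, exactly like a refusal.
  if (!Number.isInteger(age) || age < 0 || age > 120) return allowed;
  const isChild = age < thresholdFor(state.country);
  // Underage declaration counts as refusal until a parent authorises.
  if (isChild && state.parentalAuthorised !== true) return allowed;
  for (const category of NON_ESSENTIAL) {
    if (state.choices?.[category] === true) allowed.add(category);
  }
  return allowed;
}

// Call this before injecting any tag; unknown categories are denied.
function mayLoadScript(category, state) {
  return allowedCategories(state).has(category);
}

// Constructed sample visitors, not real consent records.
const samples = [
  { country: "FR", declaredAge: 15, choices: { analytics: true } },
  { country: "DE", declaredAge: 15, choices: { analytics: true } },
  { country: "DE", declaredAge: 15, parentalAuthorised: true, choices: { analytics: true } },
];
for (const visitor of samples) {
  console.log(visitor.country, visitor.declaredAge, [...allowedCategories(visitor)]);
}
```

The same 15-year-old is treated as able to consent in France and as a child in Germany, and a ticked banner box for a child has no effect until `parentalAuthorised` is set by the parental flow.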
Beyond the EU: Children's Consent Rules in Other Jurisdictions
The GDPR is not the only regulation with age-specific consent rules. If your site has a global audience, consider these frameworks as well.
COPPA in the United States applies to services directed at children under 13, or services with actual knowledge that a user is under 13. It requires verifiable parental consent before collecting personal information, including through cookies that enable behavioural advertising.
The UK Age Appropriate Design Code (Children's Code) applies to services likely to be accessed by children. It requires high privacy settings by default for child users and restricts profiling, nudge techniques, and geolocation tracking. Under the UK GDPR, the digital age of consent is 13.
Brazil's LGPD requires specific and prominent consent from a parent or guardian for processing children's data (under 12) or adolescents' data (12 to 17), with the processing limited to what is in the child's best interest.
Common Mistakes to Avoid
Treating the age gate as a one-time barrier is a frequent error. If a visitor clears cookies or uses a different browser, the age declaration is lost. Consider tying the age status to an authenticated session rather than a cookie alone - though this introduces its own complexity around account creation for minors.
Ignoring the age question entirely because your site is not directed at children is another risk. The GDPR applies based on actual knowledge as well. If your consent logs show a pattern of visitors declaring ages below the threshold, you cannot claim ignorance.
Applying a single threshold across all of Europe is simpler but may not satisfy regulators in countries with lower thresholds. A site that uses 16 as the universal cut-off will over-restrict in countries like Ireland (13) or Austria (14), but will not breach any rules. A site that uses 13 universally, however, would be non-compliant in Germany, the Netherlands, and several other member states.
Frequently Asked Questions
Does GDPR Article 8 apply to all cookies or only to personal data processing?
Article 8 applies specifically to consent for processing personal data in the context of information society services offered to children. The ePrivacy Directive's Article 5(3) separately governs the placement of cookies on devices, regardless of age. In practice, both rules apply: you need valid ePrivacy consent for non-essential cookies and valid GDPR consent for the personal data those cookies collect.
What age should I use for cookie consent if my website serves multiple EU countries?
You should apply the digital age of consent set by each visitor's country. If geo-detection is not feasible, the safest fallback is to use 16 - the GDPR default - as your universal threshold. This may over-restrict in countries with lower thresholds but will not breach any national implementation.
Can a child under 16 consent to strictly necessary cookies?
Strictly necessary cookies do not require consent under the ePrivacy Directive. They may be set regardless of the visitor's age. Session cookies for login, shopping cart cookies, and load-balancing cookies all fall into this category.
Is a simple age checkbox enough to comply with GDPR Article 8?
Regulators have indicated that a bare checkbox or self-declaration is unlikely to meet the reasonable efforts standard for services directed at or likely to attract children. More robust methods - such as email-based parental verification - are generally expected.
Do I need age-gating if my website is not aimed at children?
If your service is not directed at children and you have no actual knowledge that minors use it, Article 8 obligations are less likely to apply. But if analytics or user feedback reveal that children do visit your site, you should implement appropriate safeguards.
How does COPPA differ from GDPR Article 8 for children's consent?
COPPA sets the age threshold at 13 for all US-based services and requires verifiable parental consent, specifying acceptable verification methods. GDPR Article 8 allows member states to set thresholds between 13 and 16 and requires reasonable efforts to verify parental consent without prescribing specific methods.
Take Control of Your Cookie Compliance
If your website attracts visitors under 16, your cookie consent setup needs more than a standard banner. Kukie.io supports geo-based consent rules that can adapt to different age thresholds by country, helping you handle age-gating alongside your regular consent flow.