Three Frameworks, Three Philosophies

Children's data receives special protection under privacy law in almost every major jurisdiction. But the way each regime defines "child," the obligations it places on website operators, and the penalties it imposes for violations differ sharply.

The United States focuses narrowly on under-13s through COPPA. The EU's GDPR Article 8 sets a flexible age range between 13 and 16, leaving member states to choose their own threshold. The UK has gone further than both with 15 binding standards that apply to anyone under 18. If your site attracts visitors from more than one of these regions, you need to understand where the rules overlap and where they diverge.

COPPA: The US Approach to Under-13 Protection

The Children's Online Privacy Protection Act applies to websites and online services directed at children under 13, or that have actual knowledge they are collecting data from under-13s. The FTC enforces COPPA and published substantial amendments in April 2025, the first update to the rule since 2013.

The amended COPPA Rule expanded the definition of "personal information" to cover biometric identifiers and persistent identifiers used for behavioural advertising. Operators must obtain verifiable parental consent before collecting, using, or disclosing a child's personal information. Methods range from signed consent forms to knowledge-based authentication and facial recognition matching.

Companies had until April 2026 to comply. Penalties run up to $50,120 per violation, and the FTC has signalled that COPPA enforcement remains a top priority for 2026.

GDPR Article 8: Flexible Age Thresholds Across the EU

Article 8 of the GDPR governs consent for information society services offered directly to a child. The default age threshold is 16, but member states may lower it to no less than 13.

This flexibility has created a patchwork. Ireland, Denmark, Spain, and Poland opted for 13. Austria and Italy chose 14. France and the Czech Republic set theirs at 15. Germany, the Netherlands, and Luxembourg kept the default at 16. If your website serves visitors across multiple EU countries, the safest approach is to default to 16 unless you can determine the visitor's location.

Below this age, processing is lawful only where consent is given or authorised by the holder of parental responsibility. The controller must make "reasonable efforts" to verify that parental consent is genuine, taking available technology into account. The GDPR does not prescribe specific verification methods, unlike COPPA's detailed list.

What Article 8 Does Not Cover

Article 8 applies specifically to information society services - online services provided at a distance, electronically, at the individual request of the recipient. It does not cover all data processing involving children. Schools processing student records, for instance, typically rely on other lawful bases such as public task or legitimate interest.

The UK Age Appropriate Design Code: 15 Standards for Under-18s

The UK's Age Appropriate Design Code, often called the Children's Code, came into full effect in September 2021. Enforced by the ICO, it applies to any information society service likely to be accessed by a person under 18.

The scope is deliberately broad. If your service is not specifically age-restricted and children could reasonably access it, the Code applies. The ICO has made clear that "likely to be accessed" is a low bar.

The Code's 15 standards go well beyond consent. They include requirements for high-privacy defaults, data minimisation, transparency tailored to children's understanding, and restrictions on nudge techniques that encourage children to weaken their privacy settings. Profiling must be switched off by default for child users unless a compelling reason exists.

In December 2025, the ICO published a progress update on its Children's Code strategy. It confirmed plans to expand enforcement to mobile games in 2026 and to issue joint guidance with Ofcom on age assurance obligations. The Data (Use and Access) Act, which received Royal Assent in June 2025, may also affect how the ICO interprets certain Code standards going forward.

Age Thresholds Compared

| Framework | Jurisdiction | Age Threshold | Scope |
| --- | --- | --- | --- |
| COPPA | United States | Under 13 | Sites directed at or knowingly collecting from children |
| GDPR Article 8 | EU (default) | Under 16 (member states may lower to 13) | Information society services offered directly to children |
| UK Age Code | United Kingdom | Under 18 | Any online service likely to be accessed by children |
| LGPD (Brazil) | Brazil | Under 18 (heightened for under 12) | Any processing of children's personal data |
| PIPEDA (Canada) | Canada | Varies by province (typically 13-16) | Commercial activities involving personal information |

Consent Mechanisms: How Each Framework Handles Parental Approval

COPPA is the most prescriptive. The FTC lists approved methods of verifiable parental consent, including signed forms returned by post, credit card transactions, video calls, and government-issued ID checks. The 2025 amendments also recognise facial recognition matching as a verification method.

GDPR Article 8 takes a principles-based approach. Controllers must make "reasonable efforts" to verify parental consent, but the regulation does not mandate specific methods. In practice, many sites rely on email-based verification or checkbox confirmations, though regulators have criticised tick-box approaches as insufficient for younger children.

The UK Code does not require parental consent for all processing. Instead, it mandates that services apply high-privacy settings by default for child users. Parental consent under UK GDPR follows the same Article 8 model (with the UK retaining the age of 13), but the Code's 15 standards impose obligations regardless of whether consent is the lawful basis.

Enforcement and Penalties

The three regimes differ significantly in how they punish non-compliance.

Under COPPA, the FTC can impose civil penalties of up to $50,120 per violation. High-profile settlements have reached tens of millions of dollars. Epic Games paid $275 million in December 2022 for COPPA violations related to Fortnite, and the FTC has continued to pursue cases at pace through 2025 and into 2026.

GDPR fines can reach 4% of global annual turnover or 20 million euros, whichever is higher. The Irish Data Protection Commission fined TikTok 345 million euros in September 2023 for breaches related to children's accounts, including default public profile settings for under-18s. GDPR penalties for children's data violations rank among the largest ever imposed.

The ICO enforces the UK Age Code through the same powers it holds under the UK GDPR. Fines of up to 17.5 million pounds or 4% of global turnover apply. The ICO has favoured engagement over formal fines so far, though its December 2025 strategy update signalled a shift toward more direct enforcement in 2026.

Cookies, Tracking, and Children: Practical Implications

For website operators, children's privacy laws have direct consequences for cookie management.

Under COPPA, you cannot use cookies or similar technologies to collect personal information from known under-13 users without verifiable parental consent. This includes analytics cookies like _ga and advertising pixels like _fbp that create persistent identifiers. The 2025 amendments explicitly classify persistent identifiers used for targeted advertising as personal information.

Under the GDPR, cookies on sites likely accessed by children require a lawful basis. If that basis is consent, age-gating mechanisms may be needed to ensure the person giving consent meets the relevant threshold. Valid consent from a child below the applicable age requires parental authorisation.

The UK Code goes further by requiring that profiling and behavioural advertising be switched off by default for child users. Even if a child (or parent) technically consents to marketing cookies, the Code's high-privacy-by-default standard means you should not enable tracking that serves personalised ads to under-18s without careful justification.

How to Approach Multi-Jurisdictional Compliance

Running a single website that complies with all three frameworks is achievable, but it requires deliberate design choices.

Start by determining whether your site is likely to be accessed by children. If it is, apply the strictest standard as your baseline - the UK Code's under-18 threshold with high-privacy defaults. This approach satisfies the UK requirements and substantially addresses COPPA and GDPR Article 8 obligations as well.

Implement age verification or age estimation at the point of data collection. For COPPA, you need a mechanism to identify under-13 users and obtain verifiable parental consent. For GDPR, the mechanism should reflect the lowest age threshold relevant to your audience.

Configure your consent management platform to suppress non-essential cookies for users identified as children. Geo-detection can help apply the correct rules based on visitor location, ensuring that under-13 US visitors trigger COPPA requirements while under-16 German visitors trigger GDPR Article 8 obligations.
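The geo-based suppression rule described above can be sketched as follows. This is an added example, not code from any consent platform: the ages are the ones quoted in this article, while `SITE_COOKIES`, `resolvePolicy`, `allowedCookies` and the shape of the `consent` object are hypothetical names chosen for illustration. It assumes that an unknown age is treated as a child and that any location without a listed threshold falls back to the under-18 high-privacy baseline.

```javascript
// Added example. Ages are the ones quoted in this article; all names are hypothetical.
const CONSENT_AGE = new Map(Object.entries({
  US: 13,                          // COPPA: under 13
  GB: 13,                          // UK GDPR retains 13 for consent
  IE: 13, DK: 13, ES: 13, PL: 13,  // GDPR Article 8, per member state
  AT: 14, IT: 14,
  FR: 15, CZ: 15,
  DE: 16, NL: 16, LU: 16,
}));
const DEFAULT_CONSENT_AGE = 16;    // GDPR default when the location is not listed
const HIGH_PRIVACY_AGE = 18;       // UK Code: profiling off by default under 18

// Constructed cookie inventory; real categories would come from a cookie scan.
const SITE_COOKIES = [
  { name: "session", category: "essential" },
  { name: "_ga", category: "analytics" },
  { name: "_fbp", category: "marketing" },
];

// country: ISO 3166-1 alpha-2 code from geo-detection, or null if lookup failed.
// age: number from the age gate, or null if unknown (assumed to be a child).
function resolvePolicy(country, age) {
  const known = typeof age === "number";
  const consentAge = CONSENT_AGE.get(country) ?? DEFAULT_CONSENT_AGE;
  // Under-18 baseline: the UK, plus any location with no listed threshold.
  const strictBaseline = country === "GB" || !CONSENT_AGE.has(country);
  return {
    needsParent: !known || age < consentAge,
    profilingOff: strictBaseline && (!known || age < HIGH_PRIVACY_AGE),
  };
}

// consent: { categories: [...], parentVerified: boolean } as recorded by the banner.
// Returns the names of the cookies that may be set for this visitor.
function allowedCookies(country, age, consent = {}) {
  const policy = resolvePolicy(country, age);
  const granted = new Set(consent.categories ?? []);
  // Consent from a visitor below the threshold counts only once a parent is verified.
  const valid = !policy.needsParent || consent.parentVerified === true;
  return SITE_COOKIES.filter(({ category }) => {
    if (category === "essential") return true;
    if (!valid || !granted.has(category)) return false;
    return !(category === "marketing" && policy.profilingOff);
  }).map((cookie) => cookie.name);
}
```

Because every failure (no geo result, no age, no verified parent) resolves to the essential-only set, a broken lookup cannot silently enable `_ga` or `_fbp` for a child.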

Frequently Asked Questions

Does COPPA apply to websites based outside the United States?

Yes. COPPA applies to any website or online service that is directed at children in the United States or has actual knowledge that it collects personal information from US children under 13, regardless of where the operator is based.

What age counts as a child under the GDPR?

GDPR Article 8 sets a default of 16 for information society services, but member states can lower this to 13. The applicable age depends on the country. Ireland and Spain use 13, France uses 15, and Germany uses 16.

Do I need to age-gate my website to comply with children's privacy laws?

Not necessarily. COPPA requires action only if your site is directed at children or you have actual knowledge of under-13 users. The UK Code applies if children are likely to access your service. If neither condition applies, age-gating may not be required, though it can serve as a useful safeguard.

Can I set analytics cookies for child visitors without parental consent?

Under COPPA, analytics cookies that create persistent identifiers tied to a child count as personal information collection and require verifiable parental consent. Under the GDPR, you need a lawful basis such as consent, and if the user is below the relevant age threshold, parental authorisation is required. The UK Data Use and Access Act introduced limited analytics cookie exemptions, but these do not override the Children's Code obligations.

What happens if I violate COPPA or the UK Children's Code?

COPPA violations can result in FTC civil penalties of up to $50,120 per violation. The ICO can impose fines of up to 17.5 million pounds or 4% of global turnover for breaches of the UK Code. Both regulators have signalled that children's data is a top enforcement priority in 2026.

Does the UK Age Appropriate Design Code apply to small businesses?

Yes. The Code applies to any online service likely to be accessed by under-18s, regardless of the organisation's size. There are no revenue or employee thresholds. If children can access your site, the 15 standards apply.

Take Control of Your Cookie Compliance

If your website attracts younger visitors, cookie compliance becomes more complex. A free cookie scan can identify which cookies your site sets and whether any create the persistent identifiers that trigger children's privacy obligations. Kukie.io categorises cookies automatically and supports geo-based consent rules, so your banner adapts to the legal requirements of each visitor's location.
