Under privacy laws, the age of consent is the minimum age at which a person can legally consent to a data processing activity.
From this age and above, kids can (by themselves) permit a company to collect and use their personal information. The age of consent varies from law to law, but it generally hovers between 13 and 18 years old.
This article will break down the ages of consent under modern privacy laws to help inform your compliance efforts. We'll also go over the requirements that come with catering to minors below the age of consent.
- 1. What Does 'Age of Consent' Mean?
- 2. What is the 'Age of Consent' Under Privacy Laws?
- 3. Why Does 'Age of Consent' Matter Under Privacy Laws?
- 4. What are the Ages of Consent Under Major Privacy Laws?
- 4.1. Age of Consent Under the EU's General Data Protection Regulation (GDPR)
- 4.2. Age of Consent Under the Children's Online Privacy Protection Act (COPPA)
- 4.3. Age of Consent Under the California Consumer Privacy Act (CCPA/CPRA)
- 4.4. Age of Consent Under the Virginia Consumer Data Protection Act (VCDPA)
- 4.5. Age of Consent Under the Colorado Privacy Act (CPA)
- 4.6. Age of Consent Under Brazil's Lei Geral de Proteção de Dados (LGPD)
- 4.7. Age of Consent Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- 4.8. Age of Consent Under China's Personal Information Protection Law (PIPL)
- 4.9. Other Notable Privacy Laws
- 5. Age of Consent By Region and Country: A Comprehensive Breakdown
- 6. What are the Best Practices for Compliance with 'Age of Consent' Requirements?
- 6.1. Set up Age Verification Systems
- 6.2. Provide Child-Related Privacy Disclosures
- 6.3. Get Active, Opt-In Consent When Necessary
- 6.4. Observe Privacy by Design Principles
- 7. What are the Penalties for Non-Compliance with Age of Consent Requirements?
- 8. Summary
What Does 'Age of Consent' Mean?
The 'age of consent' is the legal age at which a person is considered mature enough to make independent decisions about specific activities. This age is one of several legally significant ages alongside:
- The age of majority (typically 18)
- The voting age (typically 17 to 18)
- The legal drinking age (typically 21)
- The legal driving age (typically 16 to 18)
The age of consent varies by context. It's most often associated with engaging in sexual activity and approving medical treatment.
What is the 'Age of Consent' Under Privacy Laws?
The age of consent takes on a new significance in data privacy. It's the legal age at which a person can independently give permission for the collection or processing of their personal information.
For business owners, the age of consent spells out the minimum age at which you can legally ask minors for their consent to a data processing activity. While this age varies across privacy laws and jurisdictions, it generally hovers between 13 and 18 years.
Catering to minors below the age of consent isn't inherently unlawful. It simply means you'll need to fulfill additional obligations, the most important of which is obtaining verifiable consent from the parent(s) or legal guardian(s).
Why Does 'Age of Consent' Matter Under Privacy Laws?
Privacy laws recognize that minors are less aware of the risks and consequences involved in sharing their information online. They're also more vulnerable to deceptive business practices (like dark patterns) that adults would likely recognize and avoid.
Imagine leaving a five-year-old unsupervised in a candy store. Chances are they go on a sugar binge with little understanding of the consequences. The same logic applies when it comes to kids and their data online.
For this reason, children are given special consideration through the 'age of consent' rules. Without this, companies may be tempted to trick kids into "consenting" to certain activities through confusing legal agreements.
Thanks to the age of consent, this would be a violation of child privacy laws with significant penalties attached, including but not limited to lawsuits, fines, and damaged credibility.
What are the Ages of Consent Under Major Privacy Laws?
The age of consent varies across privacy laws, so it's important to learn the rules in the region where your business operates. You should also consider consulting a legal expert, especially for locations with ambiguous rules.
Without further ado, let's see the varying ages of consent under major privacy laws worldwide.
Age of Consent Under the EU's General Data Protection Regulation (GDPR)
Under the EU's General Data Protection Regulation (GDPR), the default age of consent is 16 years old. That said, the law allows EU member states to lower this threshold to as young as 13 years old if they choose.
If you're catering to anyone below the GDPR's age of consent, you must obtain verifiable parental consent before you can collect or use their personal data.
Age of Consent Under the Children's Online Privacy Protection Act (COPPA)
In the United States, the Children's Online Privacy Protection Act (COPPA) sets the age of consent at 13. This federal law applies if your website or online service collects personal information from children under 13, even if your primary audience is adults.
To comply with COPPA, you must provide clear privacy disclosures, obtain verifiable parental consent, and give parents control over their child's information, among other requirements.
Importantly, COPPA supersedes more permissive state-level laws where children under 13 are involved. So even if your business is based in a state with a lower age threshold, you still need to adhere to the federal standard.
Age of Consent Under the California Consumer Privacy Act (CCPA/CPRA)
When it comes to the sale or sharing of personal information, the California Consumer Privacy Act (CCPA) and its CPRA amendments set the age of consent at 13 to 16 years old.
In practice, you must obtain affirmative (opt-in) consent from children between 13 and 16 years old before you can sell or share their personal information. For children under 13, you must obtain verifiable parental consent before selling or sharing their personal information.
Here's how the CCPA (CPRA) legal text presents this:
Age of Consent Under the Virginia Consumer Data Protection Act (VCDPA)
Following in COPPA's footsteps, the Virginia Consumer Data Protection Act (VCDPA) sets the age of consent at 13.
For children below the age of consent, the VCDPA essentially leaves all parental consent requirements in the capable hands of COPPA.
Age of Consent Under the Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) maintains the U.S. status quo set by COPPA when it comes to the age of consent. It places the age of consent at 13 years old.
Like Virginia's law, the CPA also states that complying with COPPA's parental consent requirements will keep applicable businesses compliant with its parental consent requirements.
Age of Consent Under Brazil's Lei Geral de Proteção de Dados (LGPD)
Unlike other major privacy laws, Brazil's Lei Geral de Proteção de Dados (LGPD) aligns its age of consent with its age of majority at 18 years old.
Below this age, you'll need to get consent from at least one parent or legal guardian before collecting, using, or sharing children's personal information. What's more, all data processing involving minors must be "carried out in their best interest."
The sole exception when a minor's personal information can be used (once) without consent is when it is necessary to contact the parent or legal guardian.
Age of Consent Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) doesn't specify a minimum age of consent in its provisions.
That said, various guidance and recommendations, including a suggestion from the Privacy Commissioner of Canada, indicate that getting consent from a child under 13 would be invalid.
Age of Consent Under China's Personal Information Protection Law (PIPL)
China's Personal Information Protection Law (PIPL) sets the age of consent at 14 years old. To legally handle the data of minors under 14, you'll need to obtain consent from their parents or other legal guardians.
The PIPL also imposes additional restrictions around the handling of children's personal data, including the need to formulate "specialized personal information handling rules."
Other Notable Privacy Laws
The laws above represent some of the most prominent data privacy regulations in force today. That said, there are many other legal jurisdictions with their own age of consent requirements. A few of them are as follows:
- India's Digital Personal Data Protection Act (DPDP): 18 years old
- Singapore's Personal Data Protection Act 2012 (PDPA): 13 years old
- South Africa's Protection of Personal Information (POPI) Act: 18 years old
Age of Consent By Region and Country: A Comprehensive Breakdown
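Region/Jurisdiction | Country | Age of Consent for the Processing of Personal Information |
---|---|---|
The European Union (EU) and European Economic Area (EEA) | Austria | 14 |
The European Union (EU) and European Economic Area (EEA) | Belgium | 13 |
The European Union (EU) and European Economic Area (EEA) | Bulgaria | 14 |
The European Union (EU) and European Economic Area (EEA) | Croatia | 16 |
The European Union (EU) and European Economic Area (EEA) | Czech Republic | 15 |
The European Union (EU) and European Economic Area (EEA) | Denmark | 15 |
The European Union (EU) and European Economic Area (EEA) | Estonia | 13 |
The European Union (EU) and European Economic Area (EEA) | Finland | 15 for "ordinary matters"; 13 for Information Society Services |
The European Union (EU) and European Economic Area (EEA) | France | 15 |
The European Union (EU) and European Economic Area (EEA) | Germany | 16 |
The European Union (EU) and European Economic Area (EEA) | Hungary | 16 |
The European Union (EU) and European Economic Area (EEA) | Ireland | 16 |
The European Union (EU) and European Economic Area (EEA) | Italy | 14 |
The European Union (EU) and European Economic Area (EEA) | Latvia | 13 |
The European Union (EU) and European Economic Area (EEA) | Malta | 16 in the education sector; 13 for Information Society Services |
The European Union (EU) and European Economic Area (EEA) | The Netherlands | 16 |
The European Union (EU) and European Economic Area (EEA) | Poland | 16 |
The European Union (EU) and European Economic Area (EEA) | Portugal | 13 |
The European Union (EU) and European Economic Area (EEA) | Cyprus | 14 |
The European Union (EU) and European Economic Area (EEA) | Slovakia | 16 |
The European Union (EU) and European Economic Area (EEA) | Slovenia | 15 |
The European Union (EU) and European Economic Area (EEA) | Spain | 14 |
The European Union (EU) and European Economic Area (EEA) | Sweden | 13 |
The European Union (EU) and European Economic Area (EEA) | Iceland | 13 |
The European Union (EU) and European Economic Area (EEA) | Liechtenstein | 16 |
The European Union (EU) and European Economic Area (EEA) | Norway | 13 |
The United Kingdom | England | No set age |
The United Kingdom | Scotland | 12 |
The United Kingdom | Wales | No set age |
The United Kingdom | Northern Ireland | No set age |
The United Kingdom | The United Kingdom (DPA 2018) | 13 |
North America | The United States | 13 |
North America | Canada | 14 |
North America | Mexico | 18 |
South America | Argentina | 18 |
South America | Brazil | 18 |
South America | Peru | 14 |
South America | Chile | 14 (16 for sensitive data) |
South America | Colombia | 18 |
Asia-Pacific (APAC) | China | 14 |
Asia-Pacific (APAC) | Hong Kong | 18 |
Asia-Pacific (APAC) | Australia | 18 |
Asia-Pacific (APAC) | Singapore | 13 |
Asia-Pacific (APAC) | India | 18 |
Asia-Pacific (APAC) | Indonesia | 18 |
Asia-Pacific (APAC) | Japan | 15 (assessed on a case-by-case basis) |
Africa | South Africa | 18 |
Africa | Nigeria | 18 |
Africa | Egypt | 18 |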
What are the Best Practices for Compliance with 'Age of Consent' Requirements?
Learning the age of consent in your legal jurisdiction is the first step. The next is complying with all child-related requirements imposed by the privacy laws that apply to your business.
The requirements of each law will be different, so it's important to pay keen attention to the specifics. That said, we've compiled a list of best practices to get you started.
Set up Age Verification Systems
To comply with the age of consent requirements, you must first accurately identify users' ages. This way, you can take appropriate action depending on whether or not users are below the age of consent.
Here's an example of an age verification system that uses self-declaration from BBC:
And here's a similar age verification pop-up from BeerCraft that checks whether users are above the legal drinking age:
When minors are involved, it's advisable to use a higher-security age verification method than asking users to indicate their age. After all, kids are likely to make this up if doing so will grant them access to your content or service.
Other effective age-verification methods include but aren't limited to:
- Integrating third-party age-checking software on your platform
- Asking users to upload a government-issued ID (e.g., a driver's license)
- Using AI-powered facial recognition technology (such as taking a selfie)
Keep in mind that any age verification method you have in place should be frictionless and preserve user privacy.
Provide Child-Related Privacy Disclosures
Under privacy laws, you must provide crystal clear information about your data practices in legal agreements like your Privacy Policy and Terms and Conditions.
If you cater to children or collect their data, it's especially important that you address children's use of your services in your Privacy Policy by explaining the following:
- What personal information you collect from children
- How you will use this information
- Whether or not you will share children's information with third parties and why
- What rights or controls children and their parents have over their information
- How you will obtain parental consent for children below the age of consent
Here's how The Walt Disney Company sets out its practices when it comes to children's privacy:
In your Terms and Conditions, you can address children's use of your service with an Age Limitation Clause.
Here's an example of this, from Play2Pay:
Importantly, your Privacy Policy (and other relevant legal documents) must be age-appropriate with simple language and without any legal or technical jargon.
LEGO does a great job of this in its Privacy Policy:
Even if you don't actively cater to children, it's a good idea to disclose this in your Privacy Policy like Amazon does here:
Letting users know that your service isn't available to children helps limit liability in the event that some kids bypass your age-verification systems.
Get Active, Opt-In Consent When Necessary
Where required by law, you'll need to obtain clear, active consent before collecting, using, or sharing a minor's personal information.
Suppose you run an educational app targeted at children of all ages. Depending on the age of consent in your legal jurisdiction, you must either:
- Obtain consent from minors directly (if they're at or above the age of consent)
- Obtain consent from the parents or legal guardians (if minors are below the age of consent)
Here's an example of what clear, active consent looks like from PayPal:
To provide their consent, users would have to tick the empty checkbox above.
It's also important to keep detailed records of consent, including timestamps, IP addresses, and other metadata. This documentation could prove invaluable if you ever need to demonstrate compliance.
Observe Privacy by Design Principles
Privacy by Design (PbD) involves building privacy safeguards into your products and services from the ground up. Since the arrival of the GDPR, Privacy by Design has quickly become a data protection best practice.
When it comes to children's personal information, a few Privacy by Design principles to observe include:
- Age gating: Restrict access to certain features or content based on the user's age.
- Transparency: Provide detailed information about your data processing practices using simple, easy-to-understand language.
- Data minimization: Collect and keep only the personal information you truly need.
- User-centric experiences: Provide age-appropriate experiences and privacy controls for minors from the onset.
What are the Penalties for Non-Compliance with Age of Consent Requirements?
Regulators take children's privacy seriously. As a result, violations often attract the harshest penalties. A few examples of the maximum fines under major privacy laws are as follows:
- The EU's GDPR imposes fines of up to €20 million or 4% of a company's global annual revenue, whichever is higher.
- COPPA in the United States allows for civil penalties of up to $50,120 per violation.
- California's CCPA (CPRA) imposes fines of up to $7,500 for each intentional violation.
- Brazil's LGPD sets out fines of up to 2% of a company's revenue, capped at 50 million Brazilian reais.
- China's PIPL imposes fines of up to RMB 50 million or 5% of a company's annual revenue for severe violations.
But fines are only one part of the potential penalties. Privacy violations involving children can also trigger lawsuits, reputational damage, and enforcement actions that disrupt business operations.
Summary
Privacy laws are extra protective of children's data, and rightly so. The age of consent clarifies when minors are old enough to legally make decisions about their personal information - generally 13 to 18 years old.
The rules vary from law to law, but the intention is clear: protect minors and their data. Missteps in this area of law, whether intentional or accidental, can be costly for businesses.
Fortunately, once you've mapped out applicable laws and learned the relevant ages of consent for your region(s), the rest is pretty straightforward.
To recap, compliance with the age of consent rules means observing the following:
- Set up age verification systems
- Provide child-related privacy disclosures
- Get active, verifiable consent when necessary
- Implement child-related Privacy by Design (PbD) practices