PolicifyAI
Published March 2026 · 10 min read
Protecting Children Online: COPPA, UK Children's Code, and GDPR Article 8
If your product could be accessed by under-18s, you have specific legal obligations.
Why Child Privacy Demands Separate Attention
Children are afforded substantially stronger privacy protections than adults under law. The key question is not whether you are building a product for children — it is whether children could foreseeably access your product. If yes, multiple overlapping regulatory frameworks apply.
COPPA: The US Baseline
The Children's Online Privacy Protection Act applies to services directed at children under 13, or general-audience services with actual knowledge of collecting data from children under 13.
- Verifiable parental consent before collecting personal information from a child
- Data minimisation — collect only what is strictly necessary
- A clear and comprehensive privacy notice in plain language
- The right for parents to review, delete, and refuse further collection
COPPA enforcement carries civil penalties of up to $51,744 per violation.
UK Age Appropriate Design Code (Children's Code)
The ICO enforces 15 standards applying to any online service likely to be accessed by children under 18:
- Best interests of the child must be a primary consideration in design decisions
- Privacy settings must be set to high by default
- Geolocation services must be off by default
- Profiling for targeted advertising is prohibited unless you have a compelling reason
- Nudge techniques that encourage children to weaken privacy settings are prohibited
GDPR Article 8: Age of Digital Consent
Children below the age of digital consent cannot provide valid consent. The threshold varies by member state — 16 in Germany, 15 in France, 14 in Spain, 13 in the UK. Below the threshold, consent must be given or authorised by a parent.
Practical Steps for SaaS Founders
- Conduct a DPIA specifically for child users
- Review default privacy settings and tighten them
- Audit third-party SDKs — advertising and analytics tools are a common compliance gap
- Add age-gating at registration if your service is not designed for children
- Update your privacy policy to include a dedicated children's section