With an increasing number of children regularly consuming digital content, online privacy laws
protecting their personal information from being accessed, shared, or misused without their
consent or knowledge is vitally important.
Various online privacy laws recognize this reality and aim at protecting children and their
personal information from misuse and abuse.
COPPA, a US federal law, GDPR the General Data Protection Regulation in Europe, and the
CCPA, under the California State law, are some of the notable laws in this space.
The Children’s Online Privacy Protection Rule (“COPPA”) was enacted in the US, in 1998. The
primary goal of COPPA is to allow parents to be in control over what information is collected
from their children online.
COPPA applies to digital service providers like operators of websites, mobile apps, and smart
toys makers (Internet-of-Things) that collect, use, or disclose personal information from children.
Among other rules, they are required to:
● Obtain verifiable parental consent before collecting personal information online from
● Give parents the choice of consenting to the collection and use of a child’s information,
and refrain from disclosing that information to third parties
● Provide parents access to their child’s personal information to review and/or have the
● Maintain the confidentiality, security, and integrity of information they collect from
children, and securely delete the information after fulfilling the purpose for which it was
Personal information here includes first and last name, physical home address, screen and user
name, telephone number, social security number, photographs, videos, audio files, geolocation
information, as well as any persistent digital identifier that can be used to recognize a user
(cookie, IP address, a device serial number etc.).
COPPA applies to any online service that is directed to users in the United States, regardless of
the country of origin of the service. A court can hold operators who violate COPPA rules liable
for civil penalties of up to $50,120 per violation.
The rules laid out by COPPA are clearly vital to protect and safeguard the privacy and the
personal identifiable information (PII) of children.
Except with one caveat. COPPA defines child to mean “an individual under the age of 13”.
“Individuals” and their personal information are no longer protected online once they hit their
The European Union’s General Data Protection Regulation (GDPR) recognizes that children’s
personal data should be afforded special protections because they may be less aware of the
risks and consequences of data sharing.
The GDPR sets the age of consent at 16 years of age but allows individual member states to
lower the age of consent to a minimum of 13 years old. This has lead to the following cut-off
number for the age of consent:
16 years: Croatia, Germany, Netherlands, Poland, Hungary, Ireland, Slovakia
15 years: Czech Republic, France
14 years: Austria, Italy, Republic of Cyprus, Spain
13 years: Belgium, Bulgaria, Denmark, Estonia, Finland, Latvia, Malta, Portugal, Sweden,
The State of California provides its residents the most expansive privacy protections in the
United States, under the California Consumer Privacy Act (CCPA).
On the subject of protection of privacy of children, the CCPA extends its protection beyond
COPPA’s 13 year cutoff to children up to the age of 16.
End of Privacy Protection
With laws oscillating between 13 to 16 as the age when children’s personal information can be
freely collected, used, and shared, the focus on the child and their need to be protected seems
to be lost.
Can laws prevent children from accessing pornography and age-inappropriate material, from
lying about their age while using internet service, and from circumventing parental controls?
No, No, and No.
However, privacy laws are essential to keep digital content providers in check and keep them
from having a free rein over children’s PII and being callous with the information.
Are 13 year olds capable of comprehending the grave consequences of loss of privacy? Are
they old enough to make choices around their personal data rights? Is parental intervention and
oversight no longer required at the magic age of 13?
In this digital world consumer data is the top commodity that all websites, social media, apps,
and smart device makers seek. With laws ending their protection at 13, they are essentially
silent about older children’s PII floating forever in the Ether. And this is a grave concern.
Internet crimes against children are on the rise and task forces work relentlessly on horrific
cases involving “child pornography, luring children with technology, kidnap, sexual assault,
statutory sexual seduction, lewdness with a minor, open and gross lewdness, interstate travel
for the purpose of sex with a minor, and interstate transmission of child pornography”.
The underbelly of the Internet isn’t pretty. In this grim reality, do we want the names, addresses,
pictures, videos, phone numbers, and geolocations of 13 year olds collected, used, and sold?