Will GDPR Move Age of Consent to 16?

In the United States, since the passage of the Children’s Online Privacy Protection Act (COPPA) in 1998 and the Federal Trade Commission’s (FTC) subsequent COPPA Rule in 2000, there have been specific rules regarding the collection of data from children under 13.

Namely, you can’t do it unless you obtain “verifiable parental consent,” with certain limited exceptions. Recently, you may have heard the FTC will now accept “selfies” as a method of parental consent, for example.

It was no surprise, then, when the European Commission released its first draft of the General Data Protection Regulation in 2012, to see language similarly protecting children under the age of 13. The current Directive has no specific protections for children.

In Article 8 of the original draft, the Commission proposed, “in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.”

There’s also language saying the Commission reserves the right to figure out what “reasonable” might mean and what specific methods of obtaining consent would be appropriate. In many ways, it’s similar to COPPA.

However, in the most recent draft of the GDPR, released by the European Council and obtained by Statewatch, the language is changed, most notably raising the age to 16:

“Where Article 6 (1)(a) applies, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 16 years shall only be lawful if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child.”

This would be a significant departure from the likes of COPPA, and may take many of those offering services to teenagers by surprise.

Already the gaming industry, advertising industry and others had been preparing their members for the switch to the 13-year threshold. Raising the bar to 16 may be perceived as another matter entirely.

The Advertising Education Forum, for example, released an educational document in 2013 outlining the impact of the creation of an age limit where parental consent would be needed. In its policy recommendations to lawmakers, the document asserts, “Children should be defined as under 13, according to international and EU best practice.”

Similarly, an article in Games Industry from January of this year noted, “This will bring the EU's data protection regime more closely in line with the US's Children's Online Privacy Protection Act of 1998 which places similar requirements on any company that wishes to process any personal information relating to a child under the age of 13 years.”

As the trilogue negotiations are opaque, it’s unclear why this change would be made by the Council or who is particularly in favor of it. The Parliament’s draft has never wavered from the age of 13 and Article 8 is one of the few pieces of the GDPR where the Parliament’s draft is relatively unchanged from the original Commission proposal.

The Parliament added two significant pieces: First, a requirement that information provided to children and their guardians regarding consent be in plain language; second that the European Data Protection Board, and not the Commission, be entrusted with issuing best practices and guidelines for obtaining and verifying consent.

Up till now, no one has mentioned raising the age to 16.

“One area where Europe has previously lagged behind the U.S. is in the protection of children's data and this new rule will have significant implications,” noted Nicola Regan, CIPP/E, senior partner with the Privacy Partnership and a former policy analyst for the Information Commissioner’s Office in the UK. “A parental consent requirement for the processing of under 16's data will have huge implications on the use of social media by children. Younger European teenagers may miss out on services if companies think the burden of obtaining parental consent is too great. Instead they may opt to designate such services as only for those 'over 16.'”

This has some children’s advocates already weighing in. Janice Richardson, former coordinator of the European Safer Internet Network, and now expert to the ITU and the Council of Europe, has published an open letter strenuously objecting to the change. She notes that moving the age to 16, when the international standard has been 13 and many children between 13 and 15 have already been using many Internet services frequently, will likely only incentivize children to lie about their age, bar them from accessing information and services that are their fundamental human rights and possibly keep them from seeking support services if they are amongst vulnerable communities like those who are being abused or are LGBTQ.

“Online services have provided children with a safe place to explore and learn and indeed, according to renowned researcher Dr. David Finkelhor, appear to have had a significantly positive impact on many aspects of safety and behaviour,” she writes in the letter, which is co-signed by SOS il Telefono Azzurro of Italy, the UK’s Family Online Safety Institute and Diana Award organization, and Cyberhus of Denmark.

Hogan Lovells' Eduardo Ustaran, CIPP/E, didn't mince words on the topic. 

"My view is that requiring parental consent for the use of digital services of under 16s is probably the most unrealistic legal requirement I have come across in my career," he said. "Clearly whoever came up with that requirement does not have teenage kids. The obvious implication is that all such services will rely on different legal bases for the collection and use of young users' data." 

But, by contrast, Caroline Olstedt Carlström, chief counsel of global privacy at Sweden's Klarna, said she doesn't see such a change making a big impact.

"In Sweden and under the present regime [the directive], it's considered by the DPA that as a general rule children below 15 years of age would normally not be able to fully comprehend what the data processing activities may entail, hence, parental consent would be required (of course, in specific cases there might be exceptions)," she wrote in an email. "Furthermore, it's also a general legal requirement that children under 16 may not enter into a valid legal agreement without parental consent."

Given that, she continued, "I fail to see that this change would have a huge impact on the local market, local product offerings, etc. (very much a different view of course for US services now becoming in scope due to different territorial application). Based on the increased focus on children's online rights and needs over the last years, I find this to be a quite natural adaptation in line with the general views. Of course, it also remains to figure out effective ways of doing this and what parental authorization might entail in practice if this change makes it into the final text."

Currently, the generally held belief is that the GDPR negotiations will wrap up with a final trilogue meeting on December 15. Will this issue come up as a major negotiation point? Is the Parliament of the same mind that the age of consent should be raised to 16? Is this change in the Council draft something they’re trying to use for negotiating leverage to get some other point changed in the Parliament draft? Or is it a typo?

The latter seems unlikely, but those in the privacy community will have to wait and see.

Written By

Sam Pfeifle


If you want to comment on this post, you need to login.

  • John Berard Dec 11, 2015

    Arguing the value of online services for the under 16 set, as Finkelhor did, “Online services have provided children with a safe place to explore and learn," makes the opposite true, too.  Online services can be dangerous and ignorant places.  The trick is to know when it is OK to assume one knows the difference.  That is the right age to set.
  • Jeffrey Chester Dec 14, 2015

    Protecting adolescent privacy is important, and this article and the commenters fail to address how Facebook and other companies see teens as a lucrative market to monetize.  The IAPP and its supporters don't seriously address the privacy issues here--which illustrates why privacy advocates see IAPP more as defending the interests of industry to gather data than protecting it.  You should at least try for a more balanced approach on this issue, including discussing the calls by my NGO and many others on the need to better ensure teens control their data.
  • Sam Dec 14, 2015

    Hi Jeff - I have been following the GDPR debate closely and have never seen anyone call for a raise of the age from 13 to 16. That's the news, as far as I'm concerned, so I focused on what the impact would be and what the reaction is. I did not find anyone celebrating the change - I published the comments I received from a pretty balanced selection of people: a former regulator, an external counsel, an internal privacy pro, and a children's advocate. 
    If you have comments on this proposal that are substantively different from the comments I found online and solicited, please pass them along. I can't tell from your comment: You think raising the age to 16 would be a good thing and you are advocating for this to be part of the final text? Would that "better ensure teens control their data"? That seems like a different issue altogether.
  • Gregory Kudasz Dec 15, 2015

    That's a provocative headline, Sam.
    Aren't any of the EU Nations state signatories of the  Convention on the Rights of the Child? COPPA and laws like it are already in violation of articles (starting with 13). Parental consent disturbs and chills a child's right of self-expression, speech and ability to read what they wish. Government must have a compelling interest before curtailing any  rights. Since none appear presented and I don't think any exist, I am very much against this.
  • Sam Dec 15, 2015

    Thanks for that interesting point, Gregory. When do you think children have the ability to provide valid consent for their personal data to be collected and processed?


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

IAPP-OneTrust Website Scanning & Cookie Compliance Tool

Scan your website for cookies, tags, forms and policies and create a custom, dynamically updated cookie policy based on the results of your scans.

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds and unparalleled programs—plus a whole new spin on Active Learning!

Canada Privacy Symposium 2017

The Symposium returns to Toronto! Take advantage of Early Bird rates before March 31 and join your fellow privacy pros for a stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is SOLD OUT and the wait list is closed. If you got on the wait list, we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Join us in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

We're bringing the best of the best in privacy and infosecurity to sunny San Diego. Early registration for P.S.R. opens in May.

Europe Data Protection Congress 2017

Your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Registration opens in early June.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»