Children's Online Privacy Protection (GDPR and COPPA)

Online privacy and protection are a major concern for parents, no matter the age of their children. There are laws in place governing the collection of data from children, and this article briefly compares how the law in the EU (GDPR) and the law in the US (COPPA) differ. We also need to remember that some parts can differ between member states in the EU and between states in the US!

Updated on: May 28, 2023

At Green Arrow Consultancy we take the privacy and protection of everyone who uses the internet seriously, especially where data is collected from children. This article will show you how important it is that your website complies with the laws that govern the protection of children’s data.

The European Union does not have an independent law that addresses the protection of children’s data like the United States Children’s Online Privacy Protection Act of 1998. Rather, it addresses the protection of children’s data throughout its General Data Protection Regulation by indicating which provisions within the GDPR warrant a higher standard to protect children’s data.

GDPR and COPPA are very different, with GDPR covering a broader spectrum of online data protection and COPPA being purely for the privacy of children’s data. GDPR also relates to all collection, use, and disclosure of data and states that this must be of an even higher priority when it is children’s data. COPPA, on the other hand, focuses entirely on children’s data being protected online and only applies to online services that know they are collecting personal information from children.

Age of consent

Another difference between GDPR and COPPA is the age at which children can give consent for the collection and processing of their data. GDPR details the stipulations for consent for children’s data more clearly than COPPA does.

COPPA states that the age of consent for data collection and processing is 13 years old. It isn’t quite so clear-cut with GDPR. Under GDPR Article 8, the age of consent, i.e. when a child is required or able to give their consent to process their data, is 16. However, member states can set their own age of consent, although not below the age of 13, which is the age the law sets within the UK.

Parental consent and access

Other differences between the GDPR and COPPA concern obtaining parental consent and parental access to data when someone is under the age of consent.

GDPR leaves it up to the controller of the data to make reasonable efforts to obtain verification. It is silent on the issue of parental access to their child’s data. Although COPPA doesn’t stipulate parental access, it does clearly display downloadable consent forms and the privacy policy describing information practices for personal information.

The potential for diversion

The European Union's and the United States' approaches to privacy for children’s data online are rather different. Nevertheless, the two models of addressing children’s data may not be as different as you think. Both GDPR and COPPA protect children’s data, with the biggest difference being in how they handle parental consent, and they will produce results as varied as one might expect given the large role that individual member states still have in passing their national laws aside from GDPR.

If you would like to chat with us about ensuring that your website is COPPA and/or GDPR compliant, please contact us today and a member of the team will be happy to discuss any issues that concern you and your business.