Latest Developments in the Processing of Minors’ Data

Across the globe, regulators are sharpening their focus on how organizations collect and use minors’ personal data in digital environments. In many jurisdictions, heightened regulations now apply where online products, services, or features are directed at, or likely to be accessed by, persons under the age of 18.

These developments reflect a broader shift toward treating children’s data as a high-risk category—requiring proactive design, stronger governance, and greater accountability. Regulators increasingly expect organizations to build child-centric privacy and safety protections into products and services from the outset.

Importantly, the scope of children’s protection is expanding. While traditionally there has been a focus on younger children (for example, those under 13), newer frameworks often extend to individuals up to the age of 18. Regulators are also placing more emphasis on online safety, platform accountability, age verification, and risk-based product design.

Global Trend: Heightened Protections for Minors

One of the most significant global trends is the expansion of rules beyond services specifically targeted at children. Legislatures are increasingly extending these laws to cover services that are likely to be accessed by minors, even where minors are not the intended audience. This broader applicability standard can bring a wider range of services into scope.

In parallel, lawmakers are shifting toward design-based obligations, including privacy by default and safety by design. This approach requires organizations to operationalize children’s privacy and safety across product teams, governance functions, and technical controls—not only in legal documentation.

Regulators are also increasingly framing children’s personal data as inherently high risk, driving expectations for additional safeguards and more robust governance and enforcement.

Common Requirements Emerging Across Jurisdictions

Despite fragmented legal frameworks, a set of common themes is emerging across many jurisdictions, with increasing convergence around the following requirements:

  • Age estimation or verification obligations (often framed as “age assurance”)
  • Privacy-protective default settings for younger users
  • Restrictions on profiling and targeted advertising involving minors
  • Increased parental involvement and consent mechanisms (particularly for younger children)
  • Product- and feature-level risk assessments to identify and mitigate harms for children
  • Enhanced transparency, easy-to-understand language, and user controls for children and parents

Key Developments by Jurisdiction

United States: COPPA Enforcement and 2026 COPPA Rule Updates

In the United States, the federal Children’s Online Privacy Protection Act (COPPA) applies primarily to children under 13. Regulatory scrutiny has intensified in recent years, including through broader interpretations of what constitutes “child-directed” services and a series of high-profile enforcement actions.

For example, in September 2025, the U.S. Federal Trade Commission (FTC) announced a settlement requiring Disney to pay a USD 10 million penalty in connection with allegations that the company failed to properly label child-directed content on YouTube as “Made for Kids.” According to the FTC, these failures violated COPPA, enabling the unlawful collection and use of children’s personal data without notifying parents or obtaining parental consent.

Meanwhile, updated COPPA Rule amendments became enforceable on April 22, 2026, introducing enhanced requirements around data minimization, transparency, limitations on targeted advertising, and expanded parental rights.

California: Age-Appropriate Design Code (AADC)

At the state level, California’s Age-Appropriate Design Code Act (AADC) applies to online products, services, or features likely to be accessed by individuals under 18 and introduced a design-focused compliance model.

The AADC has been subject to ongoing litigation. In March 2026, the U.S. Court of Appeals for the Ninth Circuit issued a mixed ruling that allows significant portions of the law to move forward while certain provisions remain temporarily blocked.

Key AADC requirements currently in effect include:

  • Configuring all default privacy settings for children to a “high level”
  • Implementing age estimation with a level of certainty appropriate to the risks, or applying child-level protections to all users
  • Restricting the use of age estimation data for unrelated purposes (e.g. advertising)
  • Publishing privacy notices and terms of service using language suited to the age of children likely to use the service
  • Limiting the collection, use, and sharing of precise geolocation data to what is strictly necessary
  • Providing clear, accessible tools for children and parents to manage privacy settings and report concerns

Non-compliance with AADC requirements may result in administrative fines of up to USD 2,500 per negligent violation or USD 7,500 per intentional violation.

European Union: Digital Services Act (DSA)

In the European Union, the Digital Services Act (DSA) is now fully applicable and imposes obligations on online platforms to ensure a high level of privacy, safety, and security for persons under the age of 18.

Among other requirements, the DSA prohibits targeted advertising based on profiling where the platform is aware, with reasonable certainty, that a user is a minor. It also requires platforms to implement appropriate and proportionate measures—often emphasizing design and default settings—to protect children. Very large online platforms are required to assess and mitigate systemic risks to children, which may include implementing changes to platform design, recommender systems, and default settings.

United Kingdom: Age-Appropriate Design Code and Online Safety Act

The UK Age Appropriate Design Code (also known as the Children’s Code) remains an important foundation for the UK’s approach to children’s online privacy. It applies to online services likely to be accessed by children and requires them to build in age-appropriate protections, including high-privacy default settings and limits on data use and profiling.

More recent developments stem from the Online Safety Act 2023, which imposes duties on in-scope user-to-user and search services. It requires children’s access and risk assessments and the implementation of protective measures (including, for higher-risk services, effective age assurance). There is criminal liability in certain instances, for example for senior managers of online services who fail to follow information requests from Ofcom, the independent regulator of Online Safety.

UK regulators are actively enforcing requirements regarding online safety and children’s data. For example, in February 2026, the UK Information Commissioner’s Office (ICO) announced a £14.47 million fine against Reddit for the unlawful processing of children’s data. According to the ICO, Reddit failed to implement a sufficiently robust age assurance mechanism to verify users’ ages and failed to carry out a data protection impact assessment to assess and mitigate risks to children.

Brazil: Digital Statute of the Child and Adolescent

In Brazil, the Digital Statute of the Child and Adolescent (often referred to as “ECA Digital”) entered into force on March 17, 2026. The ECA Digital applies to IT products and services directed at, or likely to be accessed by, individuals under 18.

Key requirements of ECA Digital include:

  • Reliable age verification for restricted (18+) content (self-declaration is not sufficient)
  • High privacy and safety settings by default
  • Prohibitions on profiling and targeted advertising involving children and adolescents
  • Obligations to take reasonable measures to prevent exposure to harmful content

Additional obligations apply in specific cases, including biannual transparency reporting for providers with more than one million underage users and guardian-linked accounts for users up to age 16. Penalties can include warnings, fines of up to 10% of Brazilian revenue, suspension, or prohibition of activities.

Indonesia: Government Regulation No. 17 of 2025 on the Governance of Electronic System Implementation in Child Protection

Indonesia’s Government Regulation No. 17 of 2025 on the Governance of Electronic System Implementation in Child Protection (GR 17/2025) introduces child online protection obligations for electronic system operators (ESOs) whose services, products, or features are accessed by, or likely to be accessed by, individuals under 18. A two-year transition period runs until March 27, 2027.

Key requirements of GR 17/2025 include:

  • Disclosing minimum age requirements by age group and implementing age-verification mechanisms
  • Conducting risk-based self-assessments for products and features
  • Applying privacy-protective defaults
  • Restricting profiling and the collection or use of children’s precise geolocation data
  • Obtaining parental or guardian consent where required
  • Providing accessible reporting channels and child-protection tools
  • Designating an individual responsible for carrying out personal data protection functions

As in Brazil, regulators in Indonesia have significant enforcement powers, and non-compliance may result in administrative sanctions, including fines, suspension, or termination of access.

Australia: Online Safety Regulation and Upcoming Children’s Privacy Code

Australia’s Online Safety Act 2021 provides the foundation for Australia’s online safety regime. More recent developments include the Online Safety Amendment (Social Media Minimum Age) Act 2024, which introduced a minimum-age framework for certain social media services and requires providers to take reasonable steps to prevent users under 16 from holding accounts.

Australia is also developing a children’s privacy code: the Office of the Australian Information Commissioner (OAIC) released a draft Children’s Online Privacy Code, which is expected to be in place by December 2026.

Key Business Implications

For organizations, these developments have several practical implications:

  • Scope of regulation is expanding: many laws are moving beyond under-13 protections toward obligations that apply to all minors, significantly increasing coverage and compliance complexity. “Likely to be accessed by children” is a broad threshold, and many general-audience services may be in scope even if they are not “child-directed,” for example online dating services.
  • Key markets are setting the pace: jurisdictions such as California, the UK, the EU, Brazil, and Indonesia are raising expectations for age assurance, default settings, and governance.
  • Enforcement is accelerating: regulators are increasingly willing to pursue meaningful fines and corrective measures where platforms rely on age self-declaration or lack robust risk assessments.

Key Considerations for Organizations

Organizations that offer online products, services, or features that may be accessed by minors should consider a proactive, design-led approach. In practice, this includes:

  1. Implementing age assurance in a scalable, risk-based way
    Age verification and estimation are becoming central expectations across multiple regimes, but implementation can be challenging, particularly for global services with diverse risk profiles and user bases. A common approach is to align assurance methods to the risk level of the content, features, or data processing involved (for example, using stronger assurance for higher-risk features or restricted content). Organizations should clearly document their approach to age assurance in each relevant jurisdiction where they operate.
  2. Building privacy-by-default and safety-by-design into product development
    Regulators increasingly expect privacy and safety protections for children to be embedded into design decisions and not limited to policy statements. This can include privacy-protective default settings, age-appropriate user journeys, and added friction for potentially risky interactions.
  3. Aligning global strategies across differing local requirements
    Even where regulatory principles are converging, the legal details still differ by jurisdiction. Organizations should plan for a global baseline that can be adapted for local requirements, including age thresholds, consent models, restrictions on profiling, and risk assessment obligations.
  4. Preparing for restrictions on profiling, targeted advertising, and data use
    Restrictions on profiling and targeted advertising involving minors are expanding. For organizations that rely on personalization or ad-supported revenue models, this may require revisiting product architecture, vendor arrangements, and consent flows.
  5. Strengthening governance, security, and user controls
    Operationalizing children’s compliance often touches multiple functions, including product, legal, security, trust and safety, marketing, and engineering. Organizations should consider practical measures across:
    • Product design: default settings, feature gating, age-appropriate notices, and age assurance mechanisms
    • Data governance: minimization, retention, and third-party sharing controls
    • Cybersecurity: security program expectations and resilience against breaches of children’s personal data
    • Risk testing: assessing and testing relevant features from a child-safety and privacy-risk perspective
    • User controls: clear and easy-to-use tools for children and parents to manage settings and report concerns

Conclusion

Minors’ data protection and online safety requirements are evolving rapidly. Across jurisdictions, children’s personal data is increasingly treated as a high-risk category requiring proactive safeguards. While laws differ, lawmakers and regulators are aligning around core principles such as risk-based age assurance, privacy-protective defaults, restrictions on profiling and targeted advertising, and design-led accountability.

All signs point to continued regulatory developments and enforcement in this space. VeraSafe supports organizations in building global compliance strategies for children’s privacy and online safety. Schedule a free consultation to discuss your organization’s approach and to learn how VeraSafe can help.
