COPPA and GDPR Article 8: Children's Privacy Compliance for SaaS Founders
Children's privacy is the highest-stakes area of data protection law. COPPA fines reach $51,744 per violation per day. GDPR penalties for violating Article 8 can reach €20 million or 4% of global annual revenue, whichever is higher. The UK ICO's Children's Code, which came into full effect in September 2021, carries fines up to £17.5 million or 4% of global turnover.
And enforcement is accelerating. The FTC fined Epic Games $275 million in 2022 for COPPA violations. The Irish DPC fined TikTok €345 million in 2023 for processing children's data without adequate safeguards. The UK ICO issued an enforcement notice against TikTok, prompting a £12.7 million settlement offer.
Most SaaS founders assume children's privacy doesn't apply to them because their product isn't "for kids." That's a dangerous assumption. This guide explains when you're in scope, what compliance requires, and the most common mistakes.
The Three Major Regimes
COPPA (US) — Under 13
The Children's Online Privacy Protection Act applies to operators of websites or online services directed to children under 13, or that have actual knowledge they are collecting personal information from children under 13. Key obligations:
- Verifiable parental consent before collecting any personal information from children under 13
- Notice to parents of data practices (direct notice, not just a privacy policy link)
- No conditioning service access on data collection beyond what's necessary
- Parental rights: review, delete, stop further collection
- Data retention: retain only as long as reasonably necessary
- Data security: reasonable procedures to protect child data confidentiality
"Directed to children" is assessed using factors including: subject matter, visual content, music, animated characters, celebrities popular with children, age of models, advertising on the site, and evidence of actual child users. Mixed-audience sites that are not primarily directed at children, but where children may use them, face reduced obligations — but "actual knowledge" triggers full compliance.
COPPA 2.0 is currently advancing through the US Congress. It would extend protections to teens under 17 and ban targeted advertising to children entirely. Expect changes in 2026-2027.
GDPR Article 8 (EU/EEA) — Ages 13-16 by Member State
GDPR Article 8 applies when consent is the lawful basis for processing and the user is a child. Each EU member state can set the age of digital consent between 13 and 16. Where the child is below the threshold, the consent of a parent or legal guardian is required.
| Country | Age of Digital Consent |
|---|---|
| Germany, Netherlands, Sweden, Finland, Austria, Czech Republic | 16 |
| France, Belgium, Luxembourg | 15 |
| Spain, Italy, Bulgaria, Croatia, Cyprus, Greece, Hungary, Latvia, Lithuania, Malta, Portugal, Romania, Slovakia, Slovenia | 14 |
| Denmark, Estonia, Ireland | 13 |
Critically: GDPR Art. 8 applies only when consent is the lawful basis. If you rely on contract (Art. 6(1)(b)) or legitimate interests (Art. 6(1)(f)) as your basis, Art. 8 doesn't automatically apply — but you may still need to consider child-specific protections under data minimisation and fairness principles. For B2C products where users sign up and provide their data, consent is typically the basis — bringing Art. 8 into scope.
If a child provides false information about their age and you cannot reasonably have detected this, you may not be liable — but "reasonable" detection is increasingly scrutinised by DPAs. Age assurance is a growing regulatory requirement.
UK Children's Code (Age Appropriate Design Code)
The UK ICO's Children's Code applies to online services "likely to be accessed by children" under 18 in the UK. Note: this is broader than COPPA and GDPR Art. 8 — it's not about whether your service is directed at children, but whether children are likely to access it.
The Code sets out 15 standards. The most operationally demanding are:
- Standard 1: Best interests of the child — the primary consideration in design decisions
- Standard 4: Data minimisation — collect only what you strictly need
- Standard 5: Data sharing — don't share children's data unless you can demonstrate compelling reason
- Standard 7: Geolocation — off by default; don't share location with others without explicit consent
- Standard 8: Parental controls — provide tools, but don't undermine the child's privacy
- Standard 9: Profiling — off by default; don't profile children unless you can demonstrate compelling reason
- Standard 10: Nudge techniques — prohibited if they encourage children to provide more personal data or weaken privacy settings
- Standard 12: Online tools — provide age-appropriate privacy information and controls
- Standard 13: Connected toys and devices — if your product connects to IoT for children
- Standard 15: Detrimental use of data — no use of data that is detrimental to the child's wellbeing
When Does This Apply to SaaS?
The honest answer is: more often than founders think.
| Scenario | COPPA? | GDPR Art. 8? | UK Code? |
|---|---|---|---|
| EdTech platform for K-12 students | Yes (under 13) | Yes | Yes |
| Learning app for all ages | Yes (if under 13 access) | Yes | Yes (likely accessed by under 18) |
| B2B HR/recruitment platform | No — not directed at children | No — contract basis | No (unlikely child access) |
| Social or community platform | Depends on actual usage | Yes if consent-based | Yes (likely child access) |
| Creative/content platform (all ages) | Mixed audience — monitor carefully | Yes | Yes |
| Gaming or entertainment SaaS | Yes if under 13 use is foreseeable | Yes | Yes |
| Developer API / no end users | No (no direct child interaction) | No | No |
| Healthcare app (direct to consumer) | Monitor carefully | Special category + Art. 8 | Yes if children use it |
If you're a pure B2B platform selling to businesses who in turn serve end users, your downstream customers' child-facing obligations are typically theirs — but your DPA with them should address it.
Verifiable Parental Consent: The Hard Part
Under COPPA, consent must be "verifiable" — meaning the mechanism provides reasonable assurance that the person consenting is the parent. The FTC has approved these methods:
- Signed consent form returned by postal mail or fax
- Credit card transaction combined with a direct notice (not just a purchase)
- Toll-free phone number staffed by trained personnel
- Video conference call
- Government ID check
- Knowledge-based authentication with strong assurance
- Email with additional steps (for low-risk internal communications only)
Email alone ("send consent email to the address the child provides") is NOT verifiable consent under COPPA. This is one of the most common mistakes.
Under GDPR Art. 8, the standard is that the controller must make "reasonable efforts" to verify parental consent, taking into account available technology. The UK Children's Code similarly requires "age assurance" that is appropriate for the risk level of the processing. A simple age-gate ("are you 13?" checkbox) is not sufficient for high-risk processing.
Age assurance technologies — including digital identity verification, AI-based age estimation from facial analysis, credit card checks, and government ID matching — are evolving rapidly. The UK ICO has published guidance on age assurance. The EU's eIDAS 2 framework will eventually provide interoperable digital identity verification across EU member states.
CCPA and CPRA: California's Child Data Rules
Under CCPA/CPRA, California has specific opt-in requirements for children:
- Under 13: parent or guardian must affirmatively authorise the sale or sharing of the child's personal information
- 13-16: the child themselves must affirmatively opt in to the sale or sharing of their personal information
Note the word "sale or sharing" — this is broader than a traditional "sale" and includes sharing data with third parties for cross-context behavioural advertising. If you use any advertising technology or share user data for ad targeting, this is relevant.
CPPA, the California Privacy Protection Agency, has signalled that children's privacy enforcement is a priority focus for 2026.
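As an added illustration (not code from this article or from any of the generators linked below), the following Python resolver encodes the age thresholds described above: COPPA's under-13 rule, the GDPR Art. 8 member-state table, the UK Code's under-18 scope, and the CCPA opt-in age bands, so that a signup flow can decide which consent step must complete before processing begins. The country codes, step names and the treatment of the CCPA 13-16 band's upper bound as exclusive are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# GDPR Art. 8 age of digital consent, taken from the member-state table above.
# Member states not listed in that table get no threshold here.
GDPR_AGE_OF_CONSENT = {
    **dict.fromkeys(["DE", "NL", "SE", "FI", "AT", "CZ"], 16),
    **dict.fromkeys(["FR", "BE", "LU"], 15),
    **dict.fromkeys(["ES", "IT", "BG", "HR", "CY", "GR", "HU", "LV", "LT",
                     "MT", "PT", "RO", "SK", "SI"], 14),
    **dict.fromkeys(["DK", "EE", "IE"], 13),
}
COPPA_CHILD_AGE = 13          # COPPA: under 13
UK_CODE_CHILD_AGE = 18        # UK Children's Code: under 18
CCPA_PARENT_OPT_IN_AGE = 13   # CCPA: under 13 needs parental authorisation
CCPA_CHILD_OPT_IN_AGE = 16    # CCPA 13-16 band; upper bound exclusive (assumption)


@dataclass(frozen=True)
class SignupContext:
    country: str              # ISO 3166-1 alpha-2 of the user ("US", "DE", "GB", ...)
    age: int                  # age as established by your age-assurance step
    lawful_basis: str         # "consent", "contract" or "legitimate_interests"
    sells_or_shares: bool     # ad-tech / cross-context sharing of personal information
    us_state: Optional[str] = None


def required_steps(ctx: SignupContext) -> set:
    """Return the regime-specific steps that must complete before processing."""
    steps = set()
    # COPPA: under-13 US users need verifiable parental consent (email alone fails).
    if ctx.country == "US" and ctx.age < COPPA_CHILD_AGE:
        steps.add("coppa_verifiable_parental_consent")
    # GDPR Art. 8 applies only when consent is the lawful basis and the user is
    # below the member state's threshold; contract / legitimate interests skip it.
    threshold = GDPR_AGE_OF_CONSENT.get(ctx.country)
    if threshold is not None and ctx.lawful_basis == "consent" and ctx.age < threshold:
        steps.add("gdpr_art8_parental_consent")
    # UK Children's Code: under-18 users get high-privacy defaults
    # (geolocation and profiling off, no nudges toward weaker settings).
    if ctx.country == "GB" and ctx.age < UK_CODE_CHILD_AGE:
        steps.add("uk_code_high_privacy_defaults")
    # CCPA/CPRA: affirmative opt-in before any sale or sharing, by age band.
    if ctx.country == "US" and ctx.us_state == "CA" and ctx.sells_or_shares:
        if ctx.age < CCPA_PARENT_OPT_IN_AGE:
            steps.add("ccpa_parental_opt_in_to_sale_or_sharing")
        elif ctx.age < CCPA_CHILD_OPT_IN_AGE:
            steps.add("ccpa_child_opt_in_to_sale_or_sharing")
    return steps
```

The resolver only decides which step is owed; the `age` it consumes must come from an age-assurance mechanism proportionate to the risk, not from a self-declared checkbox.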
The Five Highest-Risk Mistakes
- Age gate by self-declaration only. A checkbox asking "Are you 13+?" does not satisfy COPPA, GDPR Art. 8, or the UK Children's Code for services with meaningful risk. If a child lies, your exposure depends on whether you took "reasonable efforts" to verify — a checkbox is not reasonable efforts for high-risk processing.
- Relying on school or institutional consent as COPPA compliance without understanding FERPA. The school official exception under COPPA (§312.2) is narrow and requires the school to be acting as the parent's agent. Misunderstanding this creates FTC exposure.
- Advertising on platforms accessible to children. Using Google Ads, Facebook Pixel, or similar ad technology on a service accessible to children without proper consent and opt-out mechanisms is a COPPA violation (operators must not disclose personal information to third parties for advertising) and likely violates CCPA for California users 13-16.
- Keeping child data longer than necessary. COPPA requires deleting children's data when it's no longer needed. GDPR's storage limitation principle (Art. 5(1)(e)) applies generally, but with heightened importance for child data. Inactive accounts of child users should be auto-deleted after a reasonable retention period.
- Not having a separate children's privacy notice. Your main privacy policy is written for adults and may be too complex for children or parents to navigate. COPPA requires a direct notice to parents. GDPR Art. 8 implies plain-language notice. The UK Children's Code explicitly requires age-appropriate privacy information.
Build Your Children's Privacy Framework
- Children's Privacy Policy Generator — COPPA & GDPR Art. 8 children's privacy notice
- Privacy Policy Generator — main privacy policy (complement with children's notice)
- DPIA Template Generator — GDPR Art. 35 for large-scale processing of children's data
- DSR Response Template — for parental access/deletion requests
- AI Acceptable Use Policy — if AI features interact with children
⚠️ This article is for informational purposes only and does not constitute legal advice. Children's privacy law varies significantly by jurisdiction. Given the high penalties involved, consult a qualified lawyer specialising in children's privacy before launch.