Twelve months ago, the primary law protecting children’s data privacy was COPPA in the US. COPPA makes it illegal to capture any personal data on children under the age of 13. In less than a year, this has radically changed.

Europe has now passed GDPR. Within this far-reaching set of data privacy laws was essentially a version of COPPA for Europe: GDPR-Kids (more commonly referred to as GDPR-K).

Although similar to COPPA, it has one key difference: countries have been allowed to increase the age of a child from 13 to 16. Over half have done so, including Germany, Italy and Ireland. The UK has stayed with 13 but is drafting additional legislation that will effectively raise the age to 16.

The changes aren’t just within Europe. In a surprising (yet welcome) move, China passed the Personal Information Security Specification. Broadly similar to GDPR-K, it sets the age of a child at 14.

In the last few weeks the US Senate has debated the Do Not Track Kids Act, which proposes to extend COPPA to cover children up to the age of 16. It comes as the first class action lawsuit was filed against YouTube alleging an infringement of COPPA.


Over the last twelve months, data privacy law for kids has effectively tripled in coverage (from the US to Europe and China). Australia is now also considering the same protections. Given that there are over 170k children going online for the first time every single day, this seems a sensible reaction. Europe’s GDPR-K is already reshaping the landscape for kids content owners, advertisers and everyone in between, who are now choosing 16 as the age of a child in practice, regardless of the specific country decision

It seems inevitable that these protections will increase over time, and that we’ll see the emergence of 16 as the global standard for the digital age of a child.