The EU General Data Protection Regulation (GDPR)


Learn more about the GDPR from PRIVO's experts in the children's online privacy industry.


What is the General Data Protection Regulation?

The GDPR went into effect May 25, 2018. The regulation focuses on providing data protection and privacy for all individuals within the European Union and all individuals whose data is processed by an EU controller regardless of location. It also includes special protections for children’s data.

Children are vulnerable and need protection when online services collect and process their personal data, because they are often less aware of the risks involved in using Information Society Services (apps, websites and connected devices). Here we take a closer look at the GDPR and children, and its impact on online services.

About the GDPR and Kids


Children merit special protection with regard to processing their data for marketing. Recital 38 protects young users because they may be less aware of the risks, consequences and safeguards concerned with marketing.

Familiar with COPPA but new to the GDPR? Listen in as Claire Quinn and Jeff Brennan compare GDPR vs. COPPA in our on-demand webinar.



The GDPR sets the age of consent at 16, but individual member states may lower this as far as 13. A child below the age of consent cannot provide consent for themselves. When consent is the lawful basis for processing a child’s data, reasonable efforts to verify that the person giving consent is old enough to do so are required. Online services must obtain consent from the holder of parental responsibility for the child. View our Age of Digital Consent Map to see the age determined by each EU member state.


There are other key requirements when it comes to processing a child’s data, such as clear, child-friendly privacy notices and ensuring the child can action their rights, including the right to be forgotten.

Transparency and accountability are especially important when it comes to children’s data online. Lack of transparency about the nature of processing data, including persistent identifiers, is a violation of the regulation. This means ensuring that any third-party processors your business works with are treating personal data compliantly too. Think analytics, attribution, email service providers and web hosting services, to name just a few.


How to comply with the GDPR


If you are an online service that processes children’s personal data, it is vital to take the necessary steps to be GDPRkids compliant or risk a hefty penalty, brand damage and a loss of trust and integrity.

Things to keep in mind...

  • If you are a US-based company, but process the data of children in the EU, the GDPR applies to your business.
  • Ensure you are jurisdictionally aware. Different national rules regarding processing exist for a reason.
  • Just because a service is COPPA compliant doesn’t mean it is also GDPR compliant.
  • Provide clear, child-friendly notices explaining data practices.
  • Ensure you can justify your lawful basis for processing data, whether it is consent or legitimate interest.
  • Don’t just rely on legitimate interest as an “easy way out” when consent is required.

The GDPR has changed the privacy landscape, bringing the protection of personal data into sharp focus for industry and consumers.

To keep your business on the right track and avoid hefty penalties, contact our GDPR experts today.

Contact Us

Children's Rights Under the GDPR

Children have the same rights as adults under the regulation, which include:

  • to correct their personal data;
  • to withdraw consent to the processing of personal data;
  • to obtain a copy of the personal data;
  • to have their personal data deleted;
  • to transfer their personal data to another controller;
  • to restrict the personal data processed;
  • to request that processing of their personal data be stopped.

For more information and tips to get your business in line with the GDPR, check out our GDPR Checklist.

Age of Consent

The GDPR has set the age of consent at 16, meaning users 15 years and younger need parental consent where applicable. However, member states can choose a younger age down to 13. See the map below.

Developers will need to prove that consent is valid, that it is informed and granular and that they have methods in place to allow parents to exercise their rights in relation to children. This may require parent dashboards or a parent portal to allow for the management of consent and revocation.



Here are a few of our Program Members

Visit my.PRIVO to see more!

GDPR Compliance by PRIVO

Work alongside our GDPR experts to ensure your services are compliant and still meet your business needs.

PRIVO was the first to market with its GDPRkids™ Privacy Assured Program. Some of the best-loved brands in the kids’ space have met the program requirements and have been awarded the program Shield to display.

Learn more about Claire Quinn: PRIVO’s subject matter expert when it comes to the GDPR and children. Claire is PRIVO’s VP of Compliance and DPO, based in the UK. Check out our Interview with Claire to see more about how she works with businesses to make sure they are in compliance with regulations as they relate to children’s privacy.

Don't just be compliant, be GDPRkids™ compliant.

Noncompliance can result in significantly higher fines than have been issued before, with an upper limit of 20 million euros or 4% of annual global turnover.

As a leader and pioneer in children's online privacy, we recognize the need for a dedicated compliance program for businesses engaging with minors globally. Demonstrate to regulators and your EU customers that you meet the highest standards for children's privacy.

Protect your brand, build trust and integrity and see your business grow. Learn more about our program.
