In this in-depth analysis, PRIVO highlights the real solutions for protecting children online

Today, there are more and more children online and more of them own their own devices. With this surge comes increasing concern around the use of children’s data by business and organisations and rightly so.

Children have become one of the fastest-growing digital audiences around the world. This was before the COVID-19 school closures that drove even more online.

The way that children engage digitally has changed too. TV viewing is down, and they are consuming and interacting with media online. They have become content creators that publish photos, videos and thoughts. Creativity amongst children should be promoted but with this digital canvas comes privacy and safety risks.

Children and importantly their parents, need to understand how to protect their information, not just for their safety, but also for their privacy and from exploitation by online business and the big tech giants. The tech giants spend time and resources understanding not only users’ shopping habits, but their psychological state and moods, user data is very valuable to them. Children exposing their social media profiles and digital footprints impact their futures not least when it comes to applying for university, jobs, insurance policies and references. The issue is much deeper than meets the eye.

In the past two years, the regulatory landscape has changed significantly and there have been some major changes and enforcement actions and fines that have helped support the protection of personal information and user data, including for children.

Children’s Online Privacy Protection Act (COPPA)

The U.S. Congress attempted to address children’s privacy with the Children’s Online Privacy Protection Act (COPPA) more than 20 years ago, and then again, when the Federal Trade Commission (FTC), the enforcer of COPPA, revised and strengthened it in 2013. The intent of the law was to give parents with children under 13 years old the final say regarding the collection, use and disclosure of their children’s personal information when engaging with online services, which includes mobile apps, websites, video games and connected toys.

Rapid changes in technology, including greater use of education technology, led the FTC to bring the COPPA Rule Review forward. In December 2019, the FTC received over 175,000 comments on the effectiveness of the amendments the agency made to the COPPA in 2013 and feedback on whether additional revisions are required in the face of the fast-developing online world and changing nature of children’s digital engagement. The FTC will be unlikely to announce its findings until later this year or early next.

General Data Protection Regulation (GDPR)

COPPA was considered the gold standard in child privacy protection until 2018 when the EU’s General Data Protection Regulation (GDPR) came into force with the goal of putting EU citizens in control of their personal data. The GDPR covers all data subjects from cradle to grave, but also includes special protection for children and minors. The key to protecting this vulnerable age range are measures to verify a child’s age and to obtain meaningful and informed consent from parents.

The GDPR has set the age of consent at 16, meaning users 15 years and younger need parent consent where applicable. However, Member States can adopt a younger age of consent as low as 13.

You can view PRIVO’s Age of Digital Consent Map to see the age determined by each EU member state, here.

Developers will need to prove that consent is valid, informed and granular and that they have methods in place to allow parents to exercise their rights in relation to children. Understanding the lawful basis for processing personal data of a child is key.

The problem: Children are encouraged to ‘age up’

The GDPR and COPPA do support the protection of children’s personal information. However, regulation has also created headaches for online content providers who face a hurdle when it comes to obtaining parental consent. In turn, parents are obliged to verify themselves and provide consent each time a child engages with the online service resulting in consent fatigue and a lack of engagement. As a result, many clicks-and-mortar businesses, social platforms and games avoid dealing with children online all together by turning their back on an important market segment: children and their parents. However, this means missing out on a valuable revenue stream and a chance to build brands with lifetime engagement.

protecting children, digital

Blocking children has had the inevitable effect of children lying about their age to access sites, apps and other online services. This hinders data integrity and accuracy and poses a privacy and a safety risk to the child. However, many parents encourage their child to ‘age up’ in order to avoid burdensome verification processes, not fully understanding the consequences. Platforms such as Facebook and Google serve as an interoperable online identity, offering an easy way to login to other sites and services with their single sign-on (SSO). When children ‘age-up’ both they and the businesses are exposed. The child has created a “fake ID” allowing access to other age-restricted products without a “bouncer at the door” verifying they are at the right age to enter. The implications of this are far-reaching and potentially hugely impactful on their well-being and future.

It is vital to compare how we treat children offline with privacy and safety standards and accountability online, the child makes no divisions in their world. Building online protected identities that a child can carry through the ecosystem and into adulthood is not a nice thing to have, it is necessary.

As a parent, would you feel comfortable dropping off your 11-year-old child to a school dance without any chaperones? Would it be acceptable for a child to hand out selfie photos of themselves with their address on the back in a public place to strangers? Is it okay for a child to show a fake ID to buy a porn magazine? Should children be hanging out in a bar alone with adult strangers for karaoke night? The big wide world with all its wonder and all its harms are carried into the safe space of home on their devices and in the services, they can access and even with the parent sat beside them.

Call to action

Fostering a privacy-preserving digital ecosystem that encourages organisations to safely and responsibly engage with children and families is para­mount not just for legal compliance, but for building a strong brand. The following actions would support this:

A reliable and robust age verification system to confidently distinguish age-appropriate users while meeting regulatory compliance requirements and preserving a frictionless experience with a focus on online access, privacy protection and security for minors.

A standardised consent process for holders of parental responsibility should be adopted to ensure a level playing field both for the children and parents and for industry. This would support the compliant free flow of data across borders. Streamlining process is vital for success.

Building a healthy online identity ecosystem will support privacy and allow children to engage and develop in a safer environment. Children need their own privacy-enhanced SSO, with the ability to obtain parental consent where required, manage preferences, and have privacy settings defaulted to high.

A kid-friendly SSO powered by a neutral third party and not by one of the commercial entities that currently collect and exploit personal data to worrying degrees is vital. The SSO should grow with the child through their teens and beyond into adulthood. The digital world will be a better place when children are not marginalised and can be honest about their age.

protecting children, digital

The PRIVO iD solution

PRIVO, a privacy-first company, is leading the way with an SSO for children. PRIVO supports organisations to be compliant with COPPA, GDPR and student digital privacy laws. This solution will support organisations to engage more safely online and at the same time, provide parents with a frictionless way to provide informed consent. In addition, PRIVO’s age-appropriate device registration technology, which is in development, will alert adult or age-restricted services to the fact are they are dealing with a minor to allow them to block that minor controlled device, thus advancing, helping a robust privacy-preserving global digital ecosystem.

PRIVO’s identity and consent management platform includes a parent dashboard that meets the requirements for transparent and granular consent and puts the parent and child in control of their personal data and how it is processed. As the data and consent manager, PRIVO does not track or sell children’s personal data for its own benefit, but rather operates a privacy-compliant like switchboard, providing a standard for how companies provide privacy notices and obtain parental consent when needed, under the GDPR and COPPA.


Let’s face it, children are curious by nature and will always want to try the forbidden and test the boundaries, it’s part of growing up. It is, therefore, industry, parents, regulators and educators’ job to give them the tools and protections to allow them to engage online in a meaningful way instead of lying about their age or blocking them entirely. Children are always online, there is no off switch in their world so turning a blind eye is not the answer. Engaging with children will benefit both them and your business or organisation.


*Please note: This is a commercial profile

Call 116 123 to speak to a Samaritan

Contributor Profile

VP of Compliance & DPO, CIPP/e
Privacy Vaults Online, Inc. (PRIVO)
Website: Visit Website

Contributor Profile

Co-Founder & CEO
Privacy Vaults Online, Inc. (PRIVO)
Website: Visit Website


Please enter your comment!
Please enter your name here