Why Children's Privacy Changes Everything About Cookie Consent
If your website attracts visitors under 16 — games, educational platforms, family content — standard cookie consent flows don't cut it. Multiple jurisdictions impose heightened obligations when minors are involved: the FTC has levied eight-figure COPPA fines, EU DPAs treat children's data violations as aggravating factors, and California's age-appropriate design requirements are taking effect after years of litigation.
This guide covers four major frameworks — COPPA, GDPR Article 8, the UK Children's Code, and California's CAADC — along with age-gating, permitted cookies, advertising restrictions, and EdTech-specific consent.
COPPA: The US Baseline for Under-13 Privacy
The Children's Online Privacy Protection Act (COPPA) applies to operators of commercial websites and online services directed at children under 13, or that have actual knowledge they're collecting personal information from children under 13.
The FTC's COPPA Rule was significantly amended in January 2025, with full compliance required by April 22, 2026. These are the first major updates since 2013.
What Changed in the 2025 Amendments
Separate consent for third-party disclosure. Operators must now obtain separate verifiable parental consent before disclosing a child's personal information to third parties — including for targeted advertising. Parents must have the option to consent to collection and use without consenting to third-party disclosure.
New verifiable parental consent methods. Three new methods join existing ones (credit card transactions, government ID checks, signed forms):
- Knowledge-based authentication — dynamic multiple-choice questions verifying a parent's identity
- Text-plus method — text message consent confirmed through a follow-up text or phone call
- Facial recognition with human review — biometric verification requiring human oversight
Data retention limits. Children's data can only be retained as long as reasonably necessary for the specific purpose collected. Indefinite retention is explicitly prohibited.
What COPPA Means for Cookies
COPPA defines "personal information" broadly enough to cover persistent identifiers — including cookies — when used to recognize a user across sessions or sites:
- Strictly necessary cookies (session, security, load balancing) — permitted without parental consent if they don't track the child across sites.
- Analytics cookies with persistent identifiers — require parental consent if they can identify a specific child across sessions. Aggregated, server-side analytics are safer.
- Advertising and marketing cookies — require separate parental consent under the 2025 amendments. Block all advertising cookies by default.
- Third-party pixels (Meta Pixel, Google Ads, TikTok Pixel) — require separate parental consent for disclosure, a higher bar than general consent.
Bottom line: default to blocking everything except strictly necessary cookies. Don't load analytics or advertising tags until you have verified parental consent — not child consent.
GDPR Article 8: The EU's Age-of-Consent Threshold
GDPR Article 8 establishes that where consent is the legal basis for processing, a child's consent is only valid if the child has reached the digital age of consent. The GDPR sets this at 16 by default but allows member states to lower it to 13.
The Member State Patchwork
- 16 years: Germany, Ireland, Netherlands, Luxembourg, Croatia, Romania, Hungary
- 15 years: France, Czech Republic, Slovenia, Greece
- 14 years: Austria, Italy, Bulgaria, Spain, Lithuania
- 13 years: Belgium, Denmark, Estonia, Finland, Latvia, Poland, Portugal, Sweden
Below the threshold, consent must be given or authorized by the holder of parental responsibility. Controllers must make "reasonable efforts" to verify the person giving consent is actually the parent — though unlike COPPA, the GDPR doesn't prescribe specific verification methods.
Impact on Cookie Banners
If your site uses consent as the legal basis for analytics or marketing cookies and your audience includes children: you cannot accept consent from a child below the applicable threshold. A standard "Accept All" click from a 12-year-old in France is not valid consent. Most mixed-age sites handle this by defaulting to a strict posture (analytics and advertising denied) and only relaxing it for visitors known to be above the age threshold.
UK Age Appropriate Design Code (Children's Code)
The UK's Age Appropriate Design Code, enforced by the ICO since September 2021, imposes 15 design standards on any online service "likely to be accessed by children" — anyone under 18. The threshold is broad: you don't need to target children. If they might reasonably use your service, the Code applies.
Key Requirements That Affect Cookies
- High privacy by default. Settings must be "high privacy" by default — analytics, advertising, and personalization cookies should be off for child users.
- Data minimization. Persistent tracking cookies that build behavioral profiles of children are hard to justify.
- No detrimental use. Behavioral advertising targeted at children based on cookie-derived profiles is difficult to reconcile with this standard.
- No nudge techniques. Cookie banners must not use dark patterns — no pre-checked boxes, no confusing button hierarchy, no "Accept All" in bold with "Manage Settings" in small gray text.
Combined with PECR's consent requirements, the practical effect is that UK-facing children's services should block non-essential cookies by default and avoid behavioral advertising entirely.
California CAADC: Age-Appropriate Design Reaches the US
California's Age-Appropriate Design Code Act (CAADC), signed in 2022, applies to online services likely to be accessed by children under 18. After prolonged litigation, the Ninth Circuit issued a mixed ruling in NetChoice, LLC v. Bonta in March 2026:
- Now enforceable: Age estimation requirements and highest privacy settings by default for child users.
- Still blocked: Obligations tied to terms the court found unconstitutionally vague — "materially detrimental," "best interests," and "well-being."
- Next: The case returns to the Northern District of California for further proceedings on severability.
The enforceable provisions matter for cookie consent: covered businesses should deny analytics and advertising cookies by default for users identified as children, and may need some form of age detection.
Children's Privacy Laws: How They Compare
| Aspect | COPPA (US) | GDPR Article 8 (EU) | UK Children's Code | CAADC (California) |
|---|---|---|---|---|
| Age threshold | Under 13 | 13–16 (varies by member state) | Under 18 | Under 18 |
| Consent model | Verifiable parental consent required | Parental authorization for consent below age threshold | High privacy by default; design-focused | Highest privacy settings by default |
| Advertising cookies | Separate parental consent required (2025 rule) | Consent-based; invalid from minors below threshold | Behavioral advertising strongly discouraged | Default to blocked for child users |
| Analytics cookies | Allowed if no persistent child-level identifiers | Consent required if consent is legal basis | Minimized; no behavioral profiling | Default to highest privacy |
| Enforcement status (2026) | Fully enforceable; 2025 amendments in effect | Fully enforceable | Fully enforceable since 2021 | Partially enforceable; litigation ongoing |
Age-Gating: How to Detect Underage Users
Every framework discussed above assumes you know — or have made reasonable efforts to determine — whether a visitor is a child. That raises the practical question: how do you implement age-gating?
Common Approaches
Neutral age screen. Present a date-of-birth or age prompt before the user accesses the service. The FTC requires this to be "neutral" — don't tell the user what age threshold you're checking, or they'll just lie. A dropdown asking "What year were you born?" works better than "Are you 13 or older?" because it doesn't telegraph the right answer.
Age estimation technology. Facial age estimation tools analyze a selfie to approximate the user's age range. The CAADC explicitly contemplates this method. It raises its own privacy concerns — you're collecting biometric data to check age — but it's more resistant to misrepresentation than self-declaration. Any biometric data collected for age estimation should be deleted immediately after the check.
Account-level age flags. If your site has user accounts, store the declared age at registration and apply appropriate consent rules for the lifetime of the account. This is the most reliable approach for platforms with authenticated users.
Contextual signals. Some sites infer that their audience includes children based on content type (educational games, children's cartoons) and apply restrictive defaults globally rather than per-user. This avoids the need for individual age-gating but applies the strictest rules to everyone.
Don't Gate With a Single Checkbox
A checkbox that says "I confirm I am 13 or older" is legally insufficient under COPPA and practically useless under any framework. The FTC has specifically criticized this approach — it doesn't constitute a reasonable method of age verification, and it effectively invites children to lie. If your current age-gate is a single checkbox, replace it with a neutral date-of-birth prompt at minimum.
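Added example, not code from the original page or from CookieBeam: one way to turn a neutral date-of-birth answer into a consent posture using the Article 8 thresholds listed earlier. It covers only the GDPR case; the function names, the returned fields and the fallback to 16 for unlisted countries are assumptions.

```javascript
// Digital age of consent per EU member state, as listed on this page.
const ARTICLE8_AGE = {
  DE: 16, IE: 16, NL: 16, LU: 16, HR: 16, RO: 16, HU: 16,
  FR: 15, CZ: 15, SI: 15, GR: 15,
  AT: 14, IT: 14, BG: 14, ES: 14, LT: 14,
  BE: 13, DK: 13, EE: 13, FI: 13, LV: 13, PL: 13, PT: 13, SE: 13,
};
const GDPR_DEFAULT_AGE = 16; // assumption: unlisted countries get the GDPR default
// Only strictly necessary cookies; shared by every outcome before consent.
const STRICT = Object.freeze({ necessary: true, analytics: false, advertising: false });

// Whole years between a date of birth and "today", compared as UTC dates.
function ageInYears(dob, today) {
  const years = today.getUTCFullYear() - dob.getUTCFullYear();
  const beforeBirthday =
    today.getUTCMonth() < dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() &&
      today.getUTCDate() < dob.getUTCDate());
  return beforeBirthday ? years - 1 : years;
}

// dobIso ("YYYY-MM-DD") comes from a neutral date-of-birth prompt that never
// reveals the threshold; null means the visitor has not answered.
function consentPosture(countryCode, dobIso, today = new Date()) {
  const threshold = ARTICLE8_AGE[countryCode] ?? GDPR_DEFAULT_AGE;
  const dob = dobIso ? new Date(dobIso + "T00:00:00Z") : null;
  if (!dob || Number.isNaN(dob.getTime()) || dob > today) {
    // Unknown or implausible age: treat the visitor as potentially underage.
    return { ageKnown: false, canSelfConsent: false, allowed: STRICT };
  }
  if (ageInYears(dob, today) < threshold) {
    // An "Accept All" click from this visitor is not valid consent;
    // only the holder of parental responsibility can opt in.
    return { ageKnown: true, canSelfConsent: false, allowed: STRICT };
  }
  // Old enough to consent, but nothing non-essential loads until they do.
  return { ageKnown: true, canSelfConsent: true, allowed: STRICT };
}
```

Every branch returns the strict cookie set; `canSelfConsent` only decides whether a banner click from this visitor may later relax it.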
What Cookies Are Permitted on Children's Content?
Across all four frameworks, the pattern is consistent: essential cookies are fine, everything else needs heightened justification or parental consent.
Generally Permitted
- Session cookies for login state, shopping cart, language preference
- Security cookies for CSRF protection, bot detection, fraud prevention
- Load-balancing and accessibility cookies
Restricted or Prohibited
- Behavioral advertising cookies — prohibited or require separate parental consent across all frameworks
- Cross-site tracking cookies — virtually impossible to justify under any children's privacy framework
- Retargeting pixels (Meta, Google Ads, TikTok) — should not fire on children's content
- Personalization cookies that build behavioral profiles — problematic under the UK Children's Code and CAADC
The Analytics Gray Area
Aggregate analytics that don't create child-level identifiers are generally acceptable. But GA4's default configuration collects more than you might expect. If you use GA4 on children's content, disable user-ID tracking, Google Signals, and remarketing audiences, and set data retention to the minimum period.
The safest approach: move analytics server-side and avoid client-side cookies entirely on children's pages.
EdTech: Where COPPA Meets FERPA
EdTech platforms used in K-12 schools navigate COPPA, FERPA, and state student privacy laws simultaneously.
The School Consent Exception
COPPA allows schools to consent on behalf of parents when an operator collects children's personal information for educational purposes. This "school official" exception means EdTech vendors don't need individual parental consent — the school district authorizes collection through a contractual agreement (DPA). But the limits are strict:
- Educational purposes only. School consent doesn't extend to commercial uses, advertising, or analytics serving the vendor's business interests.
- DPA required. Without a contract specifying data use and school authority, the exception doesn't apply.
- No ad targeting. The 2025 COPPA amendments reinforce that school consent does not cover third-party disclosure for advertising. Loading advertising cookies under school consent violates COPPA.
FERPA's Role
When an EdTech vendor processes student data under a school contract, that data qualifies as education records under FERPA. The vendor must operate under the school's direct control, use data only for specified purposes, and not re-disclose personally identifiable information. For cookies: only set those necessary for the educational service. Advertising cookies are flatly incompatible with the school consent model.
Configuring Consent for Children's Content With CookieBeam
CookieBeam's regional consent rules let you apply different consent behavior based on visitor location — the same system that enforces stricter defaults for audiences that include children.
Regional Rules for Children's Privacy Jurisdictions
The regional rule engine matches visitors by country or region and applies the appropriate consent framework. For children's privacy:
- Set US visitors to strict opt-in with analytics and advertising denied by default, matching COPPA requirements.
- Configure EU rules per member state — 14 in Italy, 15 in France, 16 in Germany and Ireland — with non-essential cookies denied.
- Apply UK-specific rules reflecting the Children's Code's high-privacy-by-default requirement.
CookieBeam's script-blocking ensures advertising tags and third-party pixels don't load until consent is recorded — critical because loading a Meta Pixel before consent constitutes collection from the child, even if you later prompt.
Practical Configuration for Children's Sites
- Default all regions to opt-in with analytics and advertising denied. Treat every visitor as potentially underage.
- Block all third-party scripts by default to prevent tags from loading before consent.
- Keep your cookie inventory clean. Run regular cookie scans to catch third-party cookies outside your consent flow.
- Minimize cookie categories. Children's sites often need only two: strictly necessary and analytics (opt-in). A simpler interface is easier for parents to understand.
Enforcement Trends: Why This Matters Now
Children's privacy enforcement is accelerating. FTC actions against Epic Games totaled $520 million, including a $275 million COPPA penalty. EU DPAs cite children's data violations as aggravating factors — the Irish DPC's actions against TikTok and Instagram specifically targeted children's data failures. The ICO has audited major platforms against the Children's Code and issued enforcement notices. California's AG intends to enforce CAADC provisions that survived the Ninth Circuit ruling.
Regulators are done issuing warnings. If your site has an underage audience and you're running standard adult consent flows, you're exposed.
Checklist: Children's Privacy Cookie Consent
- Identify your audience. Does your site target children, or is it likely to be accessed by children?
- Map applicable laws. COPPA (US, under 13), GDPR Article 8 (EU, 13-16 by country), UK Children's Code (under 18), CAADC (California, under 18).
- Audit your cookies. Identify every cookie and script. Our cookie audit guide walks through this.
- Block non-essential cookies by default. Deny analytics and advertising until valid consent is obtained.
- Implement age-gating with a neutral date-of-birth prompt — not a checkbox.
- Remove advertising tags from children's content pages. If you can't, block them until separate parental consent is verified.
- Review EdTech contracts. Confirm school agreements authorize the cookies your platform sets.
- Test. Load your site with cookies cleared and check the network tab — anything firing before consent is a violation.
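Added example, not part of the original page or any CookieBeam tooling: the final test step automated over a HAR export from the browser's network tab. The tracker host list, the sample capture and the `kids.example` names are constructed, and the consent timestamp is assumed to be noted by the tester.

```javascript
// Illustrative tracker hosts (assumption); extend from your own cookie inventory.
const TRACKER_HOSTS = ["connect.facebook.net", "googleads.g.doubleclick.net",
  "www.googletagmanager.com", "analytics.tiktok.com"];

function isTracker(host, trackers) {
  return trackers.some((t) => host === t || host.endsWith("." + t));
}

// Return every HAR entry that contacted a tracker host, or received a cookie
// from a host other than the first party, before consent was recorded.
// consentIso = null means consent was never given during the capture.
function preConsentViolations(har, consentIso, firstPartyHost, trackers = TRACKER_HOSTS) {
  const consentAt = consentIso ? Date.parse(consentIso) : Infinity;
  const findings = [];
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) >= consentAt) continue;
    const host = new URL(entry.request.url).hostname;
    const setsCookie = (entry.response?.headers ?? [])
      .some((h) => h.name.toLowerCase() === "set-cookie");
    if (isTracker(host, trackers)) {
      findings.push({ host, reason: "tracker request before consent" });
    } else if (host !== firstPartyHost && setsCookie) {
      // Exact host match only: first-party subdomains would need allow-listing.
      findings.push({ host, reason: "third-party cookie before consent" });
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic).
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2026-01-10T10:00:00.000Z",
    request: { url: "https://kids.example/" },
    response: { headers: [{ name: "Set-Cookie", value: "session=abc" }] } },
  { startedDateTime: "2026-01-10T10:00:00.400Z",
    request: { url: "https://connect.facebook.net/en_US/fbevents.js" },
    response: { headers: [] } },
  { startedDateTime: "2026-01-10T10:00:00.900Z",
    request: { url: "https://cdn.widgets.example/w.js" },
    response: { headers: [{ name: "set-cookie", value: "uid=123" }] } },
  { startedDateTime: "2026-01-10T10:00:09.000Z",
    request: { url: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" },
    response: { headers: [] } },
] } };
```

An empty result for a capture taken with cookies cleared is the pass condition; the check does not classify first-party cookies, which still need a manual review against the cookie inventory.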