Protection of Children’s Personal Data under the GDPR: Key Risks and Recommendations

Children’s personal data is one of the most vulnerable categories of data when processed. Therefore, companies that process such data, or may potentially process it, are subject to heightened regulatory scrutiny.

Recently, the UK data protection regulator fined MediaLab.AI, Inc. (MediaLab), the owner of the Imgur image-sharing and hosting platform, £247,590 for the improper use of children’s personal information.

The investigation found that MediaLab had allowed children to use Imgur without implementing the basic safeguards required under UK data protection law.

Specifically, MediaLab breached the law in the following ways:

  • It failed to take any measures to verify users’ ages.
  • It processed the personal data of children under 13 without parental consent or another lawful basis when providing online services.
  • It failed to carry out a data protection impact assessment in order to identify and mitigate risks to children’s privacy.

What does the GDPR say?

The GDPR provides that the processing of a child’s personal data is regarded as lawful if the child has reached the age of 16. If the child is under 16, such processing is permitted only where consent has been given by a parent or other legal representative. EU Member States may provide for a lower age, but not below 13.

To determine the minimum age established in your jurisdiction, you should consult the national data protection authority.

What liability is provided for non-compliance?

As a rule, the principal sanction is an administrative fine. The GDPR sets different levels of fines depending on the seriousness of the infringement, but they may be up to EUR 20,000,000 or, in the case of undertakings, up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher.

What should be kept in mind?

If your company processes children’s personal data, in order to reduce the risk of liability for improper processing of personal data, we recommend following these rules:

Rule 1. Check whether your Privacy Policy contains the necessary information

The GDPR requires that a Privacy Policy must contain:

  1. information about the controller and processors (registered address and contact details);

  2. the purposes of the data processing;

  3. the categories of data being processed;

  4. the legal bases for processing;

  5. the data retention periods;

  6. information about third parties to whom the data is disclosed and the purposes of such disclosure;

  7. the procedure for cross-border data transfers, where applicable;

  8. a list of the measures taken to protect the data;

  9. the rights of data subjects and the procedure for exercising them;

  10. information about the appointed DPO (corporate email address).

Rule 2. Adapt the Privacy Policy so that a child can understand it

If your company’s activities are directed at children, the company must ensure that any information and communications addressed to children are easily accessible and presented in language that a child can understand.

Use the simplest and clearest possible style and do not overload the text with complex legal terminology and phrasing. When drafting the Privacy Policy, use graphic elements, such as cartoon-style illustrations, to explain clearly to children what data they are sharing.

Rule 3. Obtain parental consent for the processing of a child’s data

The GDPR requires explicit parental consent for the processing of a child’s personal data, but, unlike the US COPPA, such consent does not need to be verifiable.

As a basic step, in order to determine whether parental consent is required, you can ask users for their age when they enter the website or application. Taking available technology into account, the company must verify that parental consent has been given as the law requires. In other words, your company must implement age-verification measures, for example, verification questions or additional steps on the website.

Rule 4. Ensure the security of a child’s personal data

As a general rule, a company is required to ensure the security of the personal data of all users, regardless of age. However, children’s personal data requires a higher level of protection.

Consider adopting additional protective measures:

  • ensure the minimum possible retention period for a child’s data;
  • prohibit or restrict the disclosure of children’s personal data to third parties;
  • prohibit or restrict the collection of data for analytics and advertising purposes;
  • adopt additional measures to ensure the technical protection of the data.

In summary, in order to avoid adverse consequences both for the company and for users, it is necessary to comply with the legal requirements governing the protection of children’s data. To that end, follow the recommendations and regularly audit your data processing activities.

Authors: Liudmila Yepikhava, Aliaksandra Mahlysh.


The REVERA team of lawyers is ready to provide professional GDPR advice to ensure that your processes fully comply with the law.
