GDPR Age of Consent Isn't Child's Play

Last updated: April 16, 2025

GDPR rules protect personal data. Not only do they protect adults' privacy, but they also guard children against exploitation. So, what's the age of consent?

As adults, we can make informed decisions about collecting or processing our data. But what about children? At what age are they expected to be able to make their own decisions? And is this reasonable or realistic?

What is the GDPR age of consent?

Under GDPR Article 8, the age of consent, i.e. the age at which a child is required or able to consent to the processing of their data, is 16. However, member states can set their own age of consent, down to a minimum of 13 years of age.

In the UK, the age of consent is 13, the lowest age that the GDPR will allow.

Is that age of consent low enough? Or too high?

The purpose of consent is to draw a line in the sand showing from which age onward children can provide their consent for processing their personal data.

Generally, we tend to think of children's data being used for social media purposes, such as Instagram, which is aimed at those 13 years of age or older. There is even an online form to enable the reporting of account users who are younger than that.

How does the GDPR age of consent differ in the EU?

Many EU member countries share the same age of consent as the UK. There are a few that have an older age of consent.

  • Austria - 14 years old
  • Belgium - 13 years old
  • Bulgaria - 14 years old
  • Croatia - 16 years old
  • Czech Republic - 15 years old
  • Denmark - 13 years old
  • Estonia - 13 years old
  • Finland - 13 years old
  • France - 15 years old (or younger with parental consent)
  • Germany - 16 years old
  • Hungary - 16 years old
  • Ireland - 16 years old
  • Italy - 14 years old
  • Latvia - 13 years old
  • Malta - 13 years old (and 16 years old for processing personal data)
  • Netherlands - 16 years old
  • Poland - 16 years old
  • Portugal - 13 years old
  • Republic of Cyprus - 14 years old
  • Slovakia - 16 years old
  • Slovenia - 15 years old
  • Spain - 14 years old
  • Sweden - 13 years old
  • United Kingdom - 13 years old

Are children putting their online security at risk?

Despite the regulations, the UK's Children's Commissioner says that children unwittingly give away rights to their private data and put their online security at risk.

A digital childhoods survey undertaken by the Children's Commissioner revealed that between 36% and 79% of users aged 8-17 are under the minimum age in the terms of service on social media platforms.

Nearly half of children between the ages of 8 and 17 have seen inappropriate content. To make matters worse, many children don't report seeing harmful content, with older children and girls being less likely to report this type of content. Of those who do report, 25% see no action on their reports.

Ofcom has found that 60% of children under the age of 13 who use social media have social media accounts despite being underage. The NSPCC report reveals that about 1 in 20 children have encountered sexual risks online.

Do children make informed choices on their rights?

Common sense should tell us that children, even at the age of 13, cannot reasonably be expected to make informed choices about their personal data rights.

The world of data protection is a minefield filled with legal and compliance professionals who can debate its topics and intricacies for hours on end. Yet under GDPR, we allow children as young as 13 to make decisions regarding their data protection.

Is there a need for parental intervention?

Clearly, there is still a need for parental intervention. Parents need to provide at least some guidance to their children. Interestingly enough, parents do intervene when it comes to financial matters, like choosing whether to provide or withhold their consent on child bank accounts and trust funds.

Similarly, it will be interesting to see in which direction financial services firms move regarding child consent. Whether children consent to receive marketing and promotional material or seek to restrict or withdraw consent, they are likely to lack any real understanding of the impact and consequences of such instructions.
