GDPR Obligations | Updated: 6 April 2026 | 6 min read

GDPR and Children: Extra Rules for Minors' Personal Data

The GDPR sets additional requirements for processing children's personal data. This article explains the rules, when parental consent is needed, and what this means for schools, sports clubs, and online platforms.

Key Takeaways
  • The GDPR considers children a vulnerable group deserving extra protection
  • For online services, parental consent is required for children under 13 to 16, depending on the EU country
  • Communication about data processing must be written in child-friendly language
  • An exception exists for preventive and counselling services offered directly to children

Children deserve extra protection

The GDPR is clear: children are a vulnerable group. They are less aware of the risks and consequences of sharing their personal data. This is why additional rules apply when you process data of minors.

This is relevant to more organisations than you might think: schools, sports clubs, childcare centres, youth organisations, online platforms, webshops with children’s products, and even businesses that send newsletters to mailing lists that include minors.

Article 8 of the GDPR states that offering “information society services” (i.e. online services) to children requires the consent of a parent or guardian. The GDPR sets the maximum at 16 years, but allows member states to lower this to a minimum of 13.

In practice, this means:

Country | Age limit
Netherlands | 16 years
Belgium | 13 years
Germany | 16 years
France | 15 years
Spain | 14 years
Ireland | 16 years
Sweden | 13 years
Italy | 14 years

Note: these age limits apply specifically to consent as a legal basis for online services. The broader principle that children deserve extra protection always applies.

Enforcement: fines for mishandling children’s data

Supervisory authorities take violations involving children’s data very seriously:

TikTok - EUR 345 million (Ireland, 2023). The Irish DPC fined TikTok EUR 345 million for insufficiently protecting the privacy of minor users. Children’s profiles were public by default, and the “Family Pairing” feature had flaws that allowed non-parents to link children’s accounts.

Instagram/Meta - EUR 405 million (Ireland, 2022). The Irish DPC fined Meta for making teenagers’ email addresses and phone numbers public on Instagram, and for setting business accounts as the default for minors.

These are not amounts reserved for tech giants alone. The message is clear: supervisory authorities consider the protection of children’s data a priority.

What should you do if you process children’s data?

1. Determine whether you work with children’s data

Check whether your audience consists wholly or partly of minors. Consider:

  • Membership registration of a sports club or youth organisation
  • Student administration of a school
  • Registrations for a summer camp or after-school activity
  • A webshop with toys or children’s clothing
  • An app or online service used by children

If you use consent as a legal basis, you need parental consent for children below the national age limit. If you use a different basis (e.g. contractual necessity for a school enrolment), the parental consent requirement of Article 8 does not apply, but the duty of extra care does.

3. Verify age

You must make “reasonable efforts” to check whether someone is old enough to consent on their own, and whether consent actually comes from a parent or guardian. What is “reasonable” depends on the risk and available technology. A checkbox is not enough if you know your audience mainly consists of children.

4. Communicate in child-friendly language

The GDPR requires that information about data processing is understandable for the target audience. If you target children, your privacy policy must be written in simple, clear language that children can understand. Legal jargon is not sufficient.

5. Limit data processing

The principle of data minimisation applies even more strictly to children. Collect only what you truly need. Avoid profiling and automated decision-making based on children’s data.

Exception: preventive and counselling services

Article 8 contains an important exception: the parental consent requirement does not apply to “preventive or counselling services offered directly to a child.” Think of helplines for abuse, children’s hotlines, or online health information services. This exception prevents children who need help from being blocked by a consent requirement involving the parent who may be the problem.

Practical tips for sports clubs, schools, and youth organisations

  • Membership registration: only collect what you truly need (name, date of birth, parent’s contact details)
  • Photos and videos: always obtain parental consent before posting children’s photos on your website or social media
  • Newsletters: do not send marketing emails to children without parental consent
  • Sharing data with third parties: sign data processing agreements with sponsors, photographers, or other parties
  • Retention periods: do not retain children’s data longer than necessary; delete data of former members

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.