Child

Definitions vary by jurisdiction, but a child is commonly treated as an individual below the age of majority, which is often eighteen. This classification typically triggers heightened obligations, requiring organizations to apply stronger protections, safer defaults, and additional safeguards when processing children’s personal data.

Common protections include requiring verifiable parental consent for certain types of processing, restricting or prohibiting tracking, behavioural monitoring, profiling, and targeted advertising, and applying stronger security and privacy-by-default settings. Many regimes also emphasize preventing processing that could negatively impact a child’s well-being.

To obtain valid consent where required, the organization typically needs verifiable consent from the child’s parent or lawful guardian. This involves collecting permission and using proportionate methods to verify the guardian’s identity and authority, while minimizing the amount of personal data collected during the verification process.

Many jurisdictions restrict or prohibit tracking, behavioural monitoring, profiling, and targeted advertising involving children, especially for marketing purposes. Prohibitions can also apply to processing that is likely to cause harm or negatively affect a child’s physical or mental well-being, with strict expectations for child-safe defaults.

Consequences can include regulatory investigations, substantial monetary penalties, orders to stop processing, mandated remediation, audits, and reputational damage. Penalties vary by jurisdiction and severity, but enforcement is often strict because children are considered a vulnerable group.

Organizations commonly use age-screening or age-assurance measures appropriate to the risk, such as self-declaration with additional checks for higher-risk features, tokenized or third-party verification services, or document-based verification where justified. Controls should be proportionate, privacy-preserving, and designed to avoid collecting excessive identity data.

Parents or lawful guardians may be able to exercise privacy rights on behalf of a child, depending on the jurisdiction and the child’s age and maturity. This can include requesting access, correction, deletion, or restriction of processing, and withdrawing consent where consent is the legal basis.

Implementing child-safe practices typically involves privacy-by-design and safety-by-design defaults, minimizing data collection, disabling profiling and marketing features for child accounts, providing clear notices in age-appropriate language, and maintaining strong security controls. Regular reviews of third-party trackers, SDKs, and data sharing help ensure child protections remain effective over time. For organizations rolling this out at scale, WatchDog's Policy Management can help maintain child-safety and privacy-by-default policies with version control, approval workflows, and acceptance tracking for staff and teams that handle children's data.