Kid-Safe Online: COPPA, GDPR-K and Age Verification

In this article, we'll walk you through what’s changed in 2025 and what really matters.

Key Takeaways:

  • COPPA got a major refresh in April 2025, with new rules officially taking effect on June 23. Companies have until April 22, 2026, to meet the updated compliance standards.
  • Parental consent is finally catching up with real-world tech. New options like text-plus, face-match ID, and knowledge-based authentication are now acceptable ways to verify a parent.
  • Biometric and voice data now fall under COPPA’s scope, along with device IDs, geolocation, and behavioral profiling—broadening what counts as “personal information.”
  • Data retention rules are stricter than ever. Operators must delete children’s data once it’s no longer needed and have a clear policy explaining how and when that happens.
  • Sharing data with non-essential third parties now demands explicit parental consent—especially when it comes to advertising, analytics, or AI use.
  • GDPR-K rules vary across the EU, with digital consent ages ranging from 13 to 16. That means geo-targeted consent flows are no longer optional—they’re required.
  • Under GDPR-K, passive age checks don’t cut it anymore. In 2025, regulators want proof that platforms are using verifiable methods to confirm a parent is involved.
  • CookieScript helps manage all of this, offering features like geo-targeting, consent logging, cookie blocking, support for 40+ languages, and integrations with Google Consent Mode v2 and IAB TCF 2.2.

COPPA in 2025: Key Changes You Must Know

In April 2025, the Federal Trade Commission (FTC) — the U.S. agency behind most privacy and consumer protection rules — released the most significant overhaul of the Children’s Online Privacy Protection Act (COPPA) in over a decade.

The updates reflect just how much the internet has changed for kids and what companies need to do to keep up.

The new rule takes effect on June 23, 2025, and most companies have until April 22, 2026, to get compliant. If your site or app collects data from children under 13, this is your wake-up call.

New Consent Methods (Finally Modernized)

Getting verifiable parental consent used to feel outdated—some of it still involved printing forms. The new options are a lot more in tune with how families use the internet now.

  • With text-plus, parents can reply to a consent request by text message, but that alone doesn’t cut it. There needs to be a second step—like a phone call or a mailed confirmation—to make sure it’s actually a parent and not just a kid pretending. Honestly, this feels like a long-overdue fix.
  • The knowledge-based authentication method pulls questions from public records. A parent might get asked something like their old street address or the make of a previous car—stuff a child wouldn’t normally know. It’s not bulletproof, but it’s definitely a step up.
  • Then there’s face-match ID, which uses a quick selfie and a scanned government ID to verify the adult. The two images get compared on the spot, and then—this part’s important—they have to be deleted right after. It’s a clever approach that keeps privacy in mind.

Biometric and Voice Data Now Regulated

For the first time, biometric data is officially treated as Personal Information under COPPA.

That includes voice recordings, facial scans, fingerprints—anything that can uniquely identify a child based on their physical or behavioral traits.

If your platform uses voice features or facial recognition, you're directly in scope now.

The Definition of Personal Information Got Bigger

COPPA now covers a lot more than just names and email addresses. The updated rule includes persistent identifiers like device IDs and IP addresses, plus precise location data.

Even inferred data—like behavior profiles or predictions—can count, depending on how it’s used.

This change is a big deal because it closes loopholes. Just because you didn’t ask a child to type in their name doesn’t mean you're off the hook.

New Rules Around Data Retention, Deletion, and Disclosure

Keeping kids’ data “just in case” is no longer an option. The new version of COPPA is clear—operators have to limit how long they store children's data and be upfront about it.

  • Data has to be deleted once it’s no longer needed for the original purpose.
  • Companies must have a written data retention policy, and it needs to explain how children's information is handled.
  • Parents must be told how long data is stored and how they can request that it be deleted.

This isn’t just about saying you delete things—it’s about actually doing it and being able to prove it.

Third-Party Sharing Is Now Stricter

The FTC now makes a clear distinction between third parties that are integral to how a service works and those that aren’t.

  • If you’re sharing data with a provider that’s essential—say for hosting, fraud protection, or internal functionality—that usually doesn’t require extra parental consent.
  • But if you’re sharing children’s data with third parties for advertising, analytics, AI training, or anything not considered core to your service, you’ll need separate, explicit parental consent—and it can’t be buried in a Privacy Policy.

This change puts real pressure on companies to rethink how they’re working with vendors and what data they’re handing over behind the scenes.

These updates signal a shift in how children’s privacy is enforced in the U.S. The FTC isn’t just updating language—it’s raising the bar.

If your platform targets kids or even just happens to attract a lot of young users, now’s the time to audit your consent flows, clean up your data retention practices, and make sure you're not quietly feeding kids’ data into third-party systems.

Violating COPPA in 2025 can lead to fines of up to $51,744 per child, per violation, making even small compliance failures a serious financial risk.

GDPR-K: How the EU Regulates Minors’ Data

In the EU, children’s data isn’t handled under a separate law like COPPA—it’s folded into the General Data Protection Regulation (GDPR). Specifically, Article 8 is what sets the rules for how kids can consent to the use of their personal data online.

This is often referred to as GDPR-K, the "K" standing for "kids" or "kids' data," depending on who you ask.

The rule might seem straightforward at first glance, but the details vary quite a bit from country to country—and in 2025, enforcement is tightening.

Age Thresholds Vary Across the EU

The GDPR gives member states room to choose the minimum age at which a child can give valid consent for information society services—basically, anything offered online for commercial purposes.

  • In most countries, the threshold is 16
  • Some—like France, Spain, and the Netherlands—set it at 15
  • Others, including Germany and Italy, dropped it to 14
  • A few, like the UK (when it still followed GDPR rules), settled at 13

This means that a single EU-facing platform might need to adjust how it handles consent depending on where the user is located. Not fun, but absolutely required.

What Counts as an “Information Society Service”

If your service is offered online, available on demand, and has a commercial angle—ads, subscriptions, in-app purchases, even data monetization—you’re very likely covered under this rule.

That includes apps, games, e-learning platforms, social networks, streaming tools, and many e-commerce experiences.

Even free services count if data is being collected and used in a way that serves a business model. The fact that a user doesn’t pay doesn’t get you off the hook.

Verifiable Parental Consent Is Still Required for Younger Users

If a child is under the country-specific age of consent, then you need verifiable consent from a parent or guardian.

The GDPR doesn’t spell out exactly how that consent must be verified—it leaves room for interpretation—but the expectation in 2025 is crystal clear: simple checkboxes and passive age-gates aren’t enough.

Some regulators have hinted that methods like email confirmation or credit card verification may still pass, but others want stronger identity validation.

If you're relying on automated tools, you should be prepared to prove they actually work and that they’re in line with the principle of data minimization.

Key Differences from COPPA

There’s overlap between GDPR-K and COPPA, but also some big differences that matter if you're working across both regions.

The age bands are different. COPPA applies to kids under 13 across the board, while GDPR lets countries set the age between 13 and 16.

The lawful basis for processing data is broader under GDPR—you’re not limited to parental consent. In some cases, a platform might be able to rely on legitimate interest, though that’s risky when kids are involved.

Children’s rights are more expansive under GDPR. Kids (or their parents) have the right to access, correct, or delete data and even to object to certain types of processing.

In short, GDPR-K treats kids as data subjects with full rights—not just passive users who need protection. That changes the tone of compliance entirely.

Violating GDPR-K requirements can result in fines of up to €20 million or 4% of global annual turnover.

What’s Happening in 2025

In 2025, EU data protection authorities aren’t exactly launching enforcement blitzes, but they’re no longer staying quiet either.

The focus has shifted toward setting clearer expectations, publishing strategic guidance, and applying pressure—especially when it comes to youth data, age verification, and child-targeted design.

Here’s what that looks like across the EU right now:

  • France (CNIL) has made child privacy a key theme in its 2025–2028 strategy, officially published on January 16, 2025. They’re pushing age verification as a compliance priority and encouraging platforms to adopt privacy-preserving methods. So far, no headline-making fines—but the message is loud and clear: you’re on their radar.
  • Spain (AEPD) released its 2024 annual report on June 30, 2025, which reinforced earlier guidance on protecting minors. The focus includes ethical design and age assurance in apps used for learning, gaming, and social networking. No formal action yet, but you can feel the regulatory pressure building.
  • The Netherlands (Autoriteit Persoonsgegevens) has flagged concerns about profiling and behavioral targeting in platforms popular with children. While no formal investigations have been announced in 2025, these issues were highlighted in its late 2024–early 2025 AI risk report. It’s clear they’re watching.
  • Sweden (IMY) issued updated guidance on Data Protection Impact Assessments (DPIAs) on February 18, 2025, and emphasized a “guidance-first” approach for platforms aimed at minors. They’ve suggested that high-risk child services involving AI or personalization may soon face stricter pre-launch review expectations.
  • Ireland’s DPC continues to monitor Big Tech closely, especially where platforms rely on legitimate interest to personalize content for teenage users. While there will be no new youth-focused enforcement in 2025, the DPC’s child privacy strategy (2022–2027) remains active and publicly referenced.

At the EU level, the European Data Protection Board (EDPB) published a formal statement on Age Assurance on February 11, 2025, signaling an EU-wide push for stronger and more consistent age verification practices across member states.

Common Pitfalls and Legal Risks in 2025

Even with the right tools in place, it’s surprisingly easy to slip up when handling children’s data. And in 2025, regulators aren’t just scanning your privacy policy—they’re looking at what’s actually happening behind the scenes.

Whether you’re building games, educational platforms, or just running a content site that attracts younger users, here are the mistakes that still trip up even well-meaning companies.

Assuming GDPR Consent Covers COPPA

It doesn’t. This is one of the biggest misunderstandings we still see. GDPR-K and COPPA both deal with protecting minors online, but they’re based on very different standards.

Under GDPR-K, a 13- to 16-year-old (depending on the country) may be allowed to give valid consent themselves. But COPPA requires verified parental consent for children under 13—no exceptions, no shortcuts.

A single consent banner won’t cut it across all regions. If you’re treating GDPR-style consent as enough for U.S. users under 13, you’re likely violating COPPA without realizing it.

Over-Relying on Age Self-Declarations

“Are you over 13?”—that question still pops up on too many sites, and it’s not fooling anyone. In 2025, regulators want to see more than a yes/no button. Age verification is supposed to involve a reasonable effort.

Depending on your risk level, that could mean more structured forms, step-up identity checks, or, at the very least, layered consent flows with some friction.

If a child can fake their way through your age gate in five seconds, it’s not doing its job.

Skipping Consent Logs and Retention Rules

You might think getting consent once is enough. It’s not. Both COPPA and GDPR-K require not just getting consent but being able to prove it—when it was collected, how it was collected, and what the user (or parent) agreed to.

The FTC expects full records for COPPA compliance. In the EU, consent must be revocable, and any logs you keep must follow strict retention guidelines.

If you’re not storing this data—or if you’re keeping it forever without purpose—you’re risking penalties on both sides.

Letting Third-Party Trackers Slip Through

Here’s a simple rule that’s still widely broken: don’t load trackers before consent—especially when minors are involved.

If your site pulls in analytics, advertising scripts, or third-party widgets before a parent gives verified consent, you’re in breach of COPPA. GDPR-K expects the same logic: no cookies or identifiers unless the user (or their guardian) clearly says yes.

Even platforms with good banners sometimes forget to block behind-the-scenes trackers—and that’s exactly what regulators are focusing on in 2025.
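The default-deny rule above, combined with the consent record from the previous section (when, how, and what was agreed to), as an added example that is not CookieScript's code. The tag list, field names and the `isChild` flag (decided elsewhere from the visitor's region and age) are assumptions made for illustration.

```javascript
// Added example: every name, URL and value here is constructed for illustration.
const VERIFIED_PARENT_METHODS = new Set(["text-plus", "knowledge-based", "face-match"]);
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed tag inventory: each script is labelled with the consent category it needs.
const TAGS = [
  { src: "/js/app.js", category: "essential" },
  { src: "https://analytics.example/t.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];

// Append-only consent log: each entry records who, when, how and what was agreed to.
function recordEvent(log, { type, subjectId, grantedBy, method, categories = [], now, retainDays }) {
  const entry = Object.freeze({
    type,                       // "grant" or "revoke"
    subjectId,                  // pseudonymous visitor id, not a name or email
    grantedBy,                  // "self" or "parent"
    method,                     // how consent was obtained or verified
    categories: Object.freeze([...categories]),
    at: now,
    purgeAfter: now + retainDays * DAY_MS, // retention limit for this log entry
  });
  log.push(entry);
  return entry;
}

// The most recent event for a visitor decides; a revoke or no record means no consent.
function grantedCategories(log, subjectId, isChild) {
  const last = log.filter((e) => e.subjectId === subjectId).pop();
  if (!last || last.type !== "grant") return new Set();
  // For a child, only a parent's grant obtained through a verified method counts.
  if (isChild && !(last.grantedBy === "parent" && VERIFIED_PARENT_METHODS.has(last.method))) {
    return new Set();
  }
  return new Set(last.categories);
}

// Default deny: essential tags load, everything else needs a matching grant.
function tagsToLoad(tags, log, subjectId, isChild) {
  const granted = grantedCategories(log, subjectId, isChild);
  return tags
    .filter((t) => t.category === "essential" || granted.has(t.category))
    .map((t) => t.src);
}

// Retention: drop log entries whose retention period has passed.
function purgeExpired(log, now) {
  return log.filter((e) => now < e.purgeAfter);
}
```

Because the gate reads the same log that retention purges, deleting a consent record also returns the visitor to essential-only loading.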

The good news? These mistakes are preventable. With the right configuration—and a little extra attention to regional differences—you can avoid becoming the next cautionary tale.

How CMPs Help Implement Parental Consent

So you’ve figured out who needs to give consent and when. Now comes the practical part—actually managing those consent flows in a way that’s compliant, flexible, and verifiable. That’s where a Consent Management Platform (CMP) like CookieScript becomes essential.

In 2025, parental consent isn’t just about collecting a yes or no—it’s about handling that consent in a way that’s region-specific, logged, and fully audit-ready. CMPs are built to manage exactly this kind of complexity.

How CMPs Help with Verified Parental Consent

Modern CMPs allow you to:

  • Display different banners based on the user’s location
  • Block third-party cookies until proper consent is given
  • Log every consent action for audit purposes
  • Maintain detailed consent records for legal review

With laws like COPPA and GDPR-K, flexibility and traceability matter just as much as the initial consent itself.

Feature Checklist (What to Look For)

If your CMP needs to support GDPR-K, COPPA, and a mix of global regulations on minors’ data, these are the features that matter in 2025:

  • Consent bundling control helps ensure consent is broken out into categories (e.g., analytics vs advertising) rather than offered as an all-or-nothing agreement—especially important when a parent is involved.
  • Per-feature consent handling allows you to request separate consent for things like embedded games, video players, or third-party education tools—rather than bundling them all together.
  • Geolocation-based flows let you apply different rules depending on where the user is accessing your service from. For example, a 13-year-old in the U.S. may need parental consent under COPPA, while the same user in the EU may be protected under GDPR-K.

CookieScript Tips (What It Can Do Today)

CookieScript includes several built-in tools that support age-appropriate and region-specific consent flows:

  • Geo-targeting lets you show different banners and consent flows depending on the user’s location—critical for aligning with regional laws like COPPA and GDPR-K.
  • User consent logging tracks every action taken by the user, including acceptances, rejections, and changes—complete with timestamps for compliance audits.
  • Automatic cookie blocking ensures that no cookies or third-party services are triggered until valid consent is received.
  • Advanced reporting provides insight into how consent is being given (or not), which can be exported and used to demonstrate compliance to regulators.

Beyond child-specific privacy support, CookieScript also includes tools to help manage broader privacy compliance:

  • Support for 40+ languages, making it easier to communicate clearly with users and parents around the world.
  • A self-hosted code option, offering more control over performance and data residency.
  • Automatic monthly cookie scans that detect new trackers as your site evolves.
  • Google Consent Mode v2 compatibility, which helps sync consent with Google Ads and Analytics services.
  • IAB TCF 2.2 integration for publishers and ad networks needing to comply with standardized consent frameworks.
  • A built-in Privacy Policy Generator, which aligns your policy content with your actual consent setup.
  • Cookie banner sharing across domains, ideal for businesses managing multiple websites under the same compliance setup.

In short, your CMP does more than display a banner. It’s the foundation for executing parental consent, geo-based compliance, and cookie control—and platforms like CookieScript already include many of the tools you need to do that responsibly.

In Spring 2025, CookieScript was awarded its fourth consecutive G2 badge for Best Consent Management Platform.

The platform is also listed as a Google-certified CMP in the Gold tier, reflecting compliance with the latest consent management requirements.

Final Thoughts

Let’s be honest—most platforms didn’t build with kids’ privacy in mind. But in 2025, there’s no more room for shortcuts. If you collect data from minors, you need to handle it like it matters—because it does.

Laws are tightening, and so are expectations. The time to get your consent flows in order is now, before the fines or headlines hit.

Frequently Asked Questions

What’s the current age for online consent under COPPA and GDPR-K?

In the U.S., COPPA sets the bar at under 13. In the EU, GDPR-K lets each country decide—anywhere from 13 to 16. CookieScript helps you handle this by showing the right consent banner based on where your visitors are coming from.

How can I collect verifiable parental consent in 2025?

Accepted methods now include things like knowledge-based questions, text-plus confirmation, and even ID photo matching. CookieScript supports custom flows and works with third-party tools that handle this level of verification.

Do I need to block cookies until consent is given?

Yes, absolutely. Under both COPPA and GDPR-K, trackers and cookies shouldn’t load until you’ve got the proper consent. CookieScript can block scripts automatically until everything checks out.

Can I use a single consent flow for both the U.S. and EU?

Unfortunately, no. The rules are too different. CookieScript can run separate consent setups for different regions so you’re not trying to force one-size-fits-all compliance.

Is it enough to just get consent once?

Nope. You also need to show when and how you got it—and be ready to delete or update that data if asked. CookieScript keeps detailed consent logs and makes them easy to export if needed.

What counts as personal data for children?

The definition’s gotten a lot broader. It now includes things like voice recordings, geolocation, and even behavior-based profiles. CookieScript’s Cookie Scanner helps spot trackers that fall under these rules.

Do these rules apply if my service is free?

Yes. If you collect data, even through a free game or app, the same laws still apply. CookieScript can help you manage consent and limit tracking regardless of your pricing model.

How do I prove to regulators that I’m compliant?

You’ll need clear records of who gave consent, how you verified it, and how long you kept the data. CookieScript handles all of that behind the scenes—logging every action for audits and reports.

How can I create a Privacy Policy that reflects my consent flow?

CookieScript includes a Privacy Policy Generator that stays in sync with your actual consent setup and updates when your tracking changes.
