Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Contents
Whether you’re building an EdTech platform, running an online shop with youthful customers, or marketing an app with interactive features, understanding youth privacy law isn’t just “nice to have”-it’s essential. If your business handles personal data from children, you need to be clear on when you can lawfully collect and process it without parental involvement.
But at what age are children legally able to give their own consent for their data to be processed in the UK? This simple-sounding question is actually a key legal checkpoint for any business dealing with under-18s online. If you get it wrong, you could face complaints, reputational knockbacks, or even enforcement action from data protection regulators.
In this practical guide, we’ll unpack the legal requirements for children's data consent in the UK, highlight what your business must do to comply, and share tips to help you set up bulletproof privacy practices-so you’re protected from day one.
What Counts as ‘Consent’ for Processing Children’s Data?
Let’s get back to basics. When you process personal data in the UK-whether it’s names, emails, location data, or even photos-you usually need a lawful basis under the UK GDPR (General Data Protection Regulation). For many businesses, especially those offering online services directly to young people, consent is often the most relevant legal basis.
But not just any ‘tick box’ will do. Consent must be:
- Freely given: No pressure, no making access to services conditional on consent if not necessary.
- Specific: Clear about exactly what you’ll do with the data.
- Informed: The child (or parent) must fully understand what they are agreeing to.
- Unambiguous: It can’t be hidden in the fine print or bundled in with other terms.
And crucially-children must actually be able to give valid consent themselves for it to count. That’s where the question of age comes in.
For more on data processing under UK GDPR, see our guide: Key Requirements For Storing Business Information In The UK
At What Age Are Children Legally Able to Give Their Own Consent for Their Data to Be Processed?
The short answer: It depends on what kind of service you offer and the nature of the data you’re collecting. But the central rule is set out in the Data Protection Act 2018 (which implements the UK GDPR).
For information society services (ISS)-which covers most online services including apps, games, e-commerce, social networking, and educational platforms-children over the age of 13 can consent to online personal data processing themselves in the UK.
So, if your business provides an online or app-based service directly to a child, you can generally accept consent from the child at age 13 or above. Before that, you need to get valid, demonstrable consent from someone with parental responsibility.
Key facts:
- Under 13: Only a parent or legal guardian can provide consent for personal data processing.
- 13 or above: Children can legally consent themselves provided you are satisfied they understand what they are agreeing to.
- Some sites, especially social media, set a higher minimum age (e.g. 16). That’s lawful-businesses can choose stricter standards.
This age threshold is sometimes called the “age of digital consent”. It’s particularly crucial when your service is likely to be used by children or collects their data in any direct way.
Remember, these rules apply even if your business is based abroad but targets or collects data from children in the UK.
For broader context on data controller duties, see: Data Controller Duties: A Hands-On GDPR Playbook For UK Firms
Are There Any Exceptions or Special Situations?
Most of the time, this 13+ rule applies to standard online services-like apps, stores, games, forums, and platforms where the child is directly signing up.
However, there are some points to note:
- For offline services (such as schools, sports clubs, or healthcare providers), the threshold for a child’s ability to consent is less clear and generally depends on whether the child has “sufficient understanding and intelligence” (the so-called Gillick competence test).
- If processing is not based on consent (e.g. required for a contract, legal obligation, or legitimate interests), then parental consent may not always be required-but you must still act lawfully, fairly, and transparently.
- If you process special category data (such as health, ethnicity, or biometric data), stricter safeguards apply and you may need to assess capacity more carefully.
- If you knowingly collect data from under-13s and rely on consent, you must implement effective, auditable age checks and parental consent mechanisms.
Unsure which basis applies? It’s always wise to get specific legal advice, as data protection for children can be complex.
What Do UK Businesses Need to Do to Comply?
If you run (or plan to launch) a business that may attract under-18 users, getting children’s data consent right should be a priority. Here are your action points:
1. Assess Whether Children Use Your Service
Consider whether children are likely to use, sign up for, or be targeted by your service. If yes, you need to comply with special children’s privacy rules, even if you don’t intend to attract kids.
2. Build Age Checks and Parental Consent Flows
- Put systems in place to check users’ ages-self-declaration, age gates, or independent verification for higher-risk services.
- If you process data from users under 13, ensure you collect, verify, and record parental consent (such as via an email loop, phone call, consent form, or other verifiable means).
- Keep clear records to show you’re acting lawfully and, if challenged, can prove consent is valid.
3. Make Privacy Notices Child-Friendly
Your privacy policy and any consent requests must be easy for children to understand. Use age-appropriate language, visuals, or summaries-no legalese or complicated small print.
4. Review Data Collection and Retention Practices
- Only collect the data you genuinely need (“data minimisation”).
- Don’t keep children’s data for longer than necessary (see our GDPR data retention guide).
5. Comply with the Children’s Code (Age-Appropriate Design Code)
UK businesses must follow the Children’s Code, which sets specific, high-bar privacy expectations for online services likely to be accessed by children under 18-including making sure default privacy settings are high, and that profiling and marketing is limited.
More on this: UK Children’s Code: Age-Appropriate Design Made Simple
6. Update Your Contracts and Data Protection Policies
- Ensure that contracts with third-party processors, platforms, or suppliers also uphold your duties regarding children’s data.
- Update your Data Processing Agreements to explicitly cover under-18s’ data risks as relevant.
If you need tailored help, see our Privacy Policy and GDPR Packages
What Happens If You Get It Wrong?
Data protection law is clear: mishandling children’s data (especially consent and transparency) is a high-risk area for fines, enforcement, and reputational damage.
If you fail to obtain valid consent (from the right person, at the right age, in the right way), you could face:
- Regulatory action from the ICO (Information Commissioner’s Office), including audits, compliance orders, or penalties.
- Fines: Under the UK GDPR, fines for breaches can reach up to £17.5 million or 4% of global annual turnover-especially for large-scale or deliberate failures to protect children’s privacy.
- Claims for compensation from affected users or their parents.
- Lasting reputation loss-as young people and their families are increasingly privacy-savvy and likely to publicly report issues.
Avoiding these outcomes starts with getting your legal setup right from the ground up.
For more advice on minimising risk, see: GDPR Penalties: Steering Clear of Hefty UK Fines
Key Takeaways
- In the UK, children over the age of 13 can legally give consent themselves for their personal data to be processed in most online services. Under 13s require parental consent.
- Consent must be truly informed and freely given-your privacy notices need to be child-friendly, clear, and unambiguous.
- If your service is accessible to under-13s, build robust age checks and verifiable parental consent workflows into your signup and data request processes.
- Don’t keep data for longer than needed, and review how you store, share, or process under-18s’ information-complying with the Children’s Code is essential.
- Non-compliance can result in serious fines, regulatory attention, and loss of consumer trust-getting your privacy practices right is not optional.
- Review and update your contracts, data protection agreements, and internal processes to cover children’s privacy obligations.
- Unsure how the rules apply to your new platform or online business? Get tailored legal advice before you collect children’s personal data.
Need Help Navigating Children’s Data Consent Law?
It can feel overwhelming to balance growth, user engagement, and UK privacy law-especially where children are involved. But by setting up your legal foundations correctly, you’ll avoid pitfalls, build family trust, and make your business resilient for the future.
If you have questions about children’s data consent, UK GDPR, or updating your privacy practices, our team is here to help. Reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat with a friendly legal expert.
