What ages count as a child under these rules?

COPPA applies to children under 13. GDPR Article 8 sets a digital consent age between 13 and 16 depending on the member state. The UK Age Appropriate Design Code applies to anyone likely to be accessed by users under 18, which is the broadest threshold.

Is a self-declared birthdate enough for age verification?

Generally no. COPPA and the UK AADC expect age assurance proportionate to the risk — a plain birthdate box is the weakest form and is often inadequate for higher-risk AI features. Stronger methods include age-estimation or verified parental accounts.

Can I train my AI model on children's data?

Only with a specific lawful basis and strong safeguards, and never for behavioural profiling or targeted advertising. Most regulators treat children's data as high-risk, so using it for model training without a clear, documented basis is a serious compliance gap.

What does the UK AADC require that COPPA does not?

The AADC adds standards beyond consent — high-privacy defaults, no nudge or dark patterns, geolocation off by default, age-appropriate transparency, and safety by design for any AI outputs a child could see. It is design-led, not just consent-led.

Is this checklist legal advice?

No. It is an educational tool that maps common obligations across COPPA, GDPR Article 8, and the UK AADC. Use it to structure your work and brief counsel, but a qualified lawyer should sign off on a product that processes children's data.

AI & Children's Data Compliance Checklist

AI and children’s data checklist

Building an AI product that minors will use raises the privacy stakes sharply. Children’s data is treated as high-risk across every major regime, and the rules do not just cover consent — they reach into defaults, design, profiling, and the safety of what the AI actually outputs. This checklist maps the core obligations of COPPA, GDPR Article 8, and the UK Age Appropriate Design Code so you can see where your product stands.

How it works

You enter your product type and target age range, then select the jurisdictions you serve. The checklist filters to the items that apply and separates critical requirements — age assurance, verifiable parental consent, data minimisation, deletion rights, a completed DPIA, AI output safety — from secondary ones. As you tick off what you have built, the tool tracks your score and flags the product as non-compliant while any critical item remains unmet. Every item is tagged with its legal basis so you know exactly which regime drives it.

Tips and notes

Default to the strictest regime. If you serve the UK or EU as well as the US, the AADC’s high-privacy defaults and no-profiling rules are usually the binding constraint — build to those and the others tend to follow.
Guard the AI output, not just the input. A children’s product is judged on what the model can say to a child, not only on what data you collect. Content filtering and guardrails are a first-class requirement.
Document a DPIA early. A data protection impact assessment is expected for child-facing AI and is the artefact a regulator will ask for first.