Collecting and Using Children’s Information Online: the UK/US Dichotomy

December 12, 2011

A recent extensive survey carried out by market research firm Mintel revealed that half of all children aged 7 to 12 in the UK visit social networking sites.[1]  One million of these children use Facebook on a daily basis, notwithstanding Facebook’s policy of allowing only those over 13 years of age to register.  In the June 2011 edition of Consumer Reports Magazine, it was reported that 7.5 million of US Facebook users were under 13 years of age.[2]  Determined children can, of course, circumvent the age verification process by lying about their age or pretending to be adults or even to be their parent or older sibling.

The old adage that ‘on the Internet, nobody knows you’re a dog’[3] applies equally to children. 

According to the Mintel survey, only 5% of children claim ‘never’ to use social networking sites.  Facebook is the most popular social networking site among 10-12 year old girls.  Nearly one in ten children who use social networking sites do so on a daily basis. 

The Mintel survey comes only months after the publication of the Bailey Review which looked at the pressures on children to grow up too quickly.[4]  The UK Government asked Reg Bailey, Chief Executive of the Mothers’ Union, to look into the commercialisation and sexualisation of childhood amid parental concerns about increasing pressure on children to become ‘e-consumers’ at an early age. 

The Bailey Review is not the first government commissioned report to look into the issue.  Political and social concern to protect children and other vulnerable individuals was expressed in the Byron Review of 2008[5] and a subsequent review[6], the Buckingham Report of 2009,[7] and was mentioned in the Conservative Party’s February 2010 manifesto.[8]   In September 2011, the European Commission published a report which expressed the view that Member States need to take more action to safeguard children online.[9] 

Given such concerns, and the fact that the internet transcends national borders, businesses interacting with children should take care to ensure that they comply with all applicable legal requirements when doing so.  To illustrate the challenges faced by businesses, this article considers the conflicting requirements regulating the online collection and use of children’s’ information under UK and US law.

The US  

In 1998 the US House of Congress enacted the Children’s Online Privacy Protection Act[10], otherwise known as ‘COPPA’.  COPPA provides that the Federal Trade Commission issue and enforce a rule protecting children’s online privacy.  The FTC issued the Children’s Online Privacy Protection Rule 16 C.F.R Part 312, which became effective on 21 April 2000 (the ‘FTC Rule’).   

The principal aim of the legislation and the FTC Rule is to give parents control over what information online businesses may collect from their children.  COPPA ‘prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet’[11].  A child is defined as anyone under the age of 13.[12] The FTC Rule applies to operators of online businesses operating web sites or services directed at children who collect, use or disclose personal information from children.  But the FTC Rule also applies to those operators not directing their services at children directly if they are knowingly collecting, using or disclosing personal information obtained from those aged under 13.   

The Rule

Broadly, any online business operator covered by the FTC Rule must:

·        post a clear and comprehensive privacy policy on its web site describing its information practices for children’s personal information;

·        provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;

·        give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties;

·        provide parents with access to their child’s personal information to review and/or have the information deleted;

·        give parents the opportunity to prevent further use or online collection of a child’s personal information; and

·        maintain the confidentiality, security, and integrity of information it collects from children. 

In addition, the FTC Rule prohibits operators from making a child’s participation in an online activity conditional on the child’s providing more information than is reasonably necessary to participate in that activity. 

The Privacy Policy 

The privacy policy statement which must appear on the operator’s web site should be clear, understandable, complete and contain no unrelated, confusing or contradictory material.[13]  The web site operator must provide a link on its homepage to the policy statement and a link on every page where personal information is collected from children.    

Parental Consent 

Under COPPA, an operator is required to obtain verifiable parental consent before collecting, using or disclosing information obtained from children.  Verifiable consent is also required for any material change to the collection, use or disclosure of that information.  The FTC Rule does not provide an exhaustive list of how verifiable consent may be obtained, except that it should be sought with regard to the available technology of the time and calculated to ensure that the person consenting is the child’s parent.   

The UK 

The Data Protection Act 1998 (DPA) is the principal applicable law in the UK that regulates the collection, use and disclosure of personal information.  The DPA does not, however, deal explicitly with the issue of obtaining consent from children.  The first principle of the DPA requires that personal data must be processed fairly and lawfully.  This can present difficulties where children are concerned, especially when questions of legal capacity also arise.  

Who Are You Calling a Child? 

First of all, in the UK there is no uniform law which determines the age at which a person ceases to be a child.  Generally in England and Wales and Northern Ireland, children reach the age of capacity at the age of 18.[14]   Children can, however, enter into contracts for ‘necessaries’, although quite how far this extends in the Internet context is open to doubt, however much a child may insist otherwise.  In contrast, in Scotland children reach the age of capacity at the age of 16.[15]  Although in Scotland, those under the age of 16 do have legal capacity to enter into transactions of a kind ‘commonly entered into’ by persons of their age and circumstances, and on terms which are not unreasonable.[16]  This complexity immediately creates a challenge for online businesses dealing with children resident in the UK.  Do businesses decide that they are directing services at children aged 16 and below and risk non-compliance for those aged under 18 in England, Wales and Northern Ireland.  Alternatively, do they decide that anyone under 18 is a child and risk any negative impact this might have on the market for 16 to 18-year-olds in Scotland?  There is no definitive answer.  Unless an online business can distinguish between its visitors from Scotland and elsewhere in the UK, the business will have to choose which age limit it is going to apply and accept the risk of any non-compliance.   

The issue of age does not end with the disparity between the jurisdictions’ legislative positions. There are various marketing codes of practice in the UK which differ in their treatment of children.  The British Code of Advertising, Sales Promotion and Direct Marketing (the ‘CAP Code’), applicable to all non-broadcast advertising, defines a child as anyone under the age of 16.[17]  In contrast, the Direct Marketing Association (‘DMA’) Direct Marketing Code of Practice broadly defines anyone under the age of 18 as a child.[18] Similar codes of practice exist for television and radio advertising which have their own specific rules on children.  

The DPA explicitly recognises that children in Scotland may be able to exercise rights conferred by the Act.[19]  In essence, if there is any issue as to whether a Scottish child under the age of 16 has the capacity to exercise any right conferred by the DPA, the child will be regarded as having the necessary capacity if he or she has ‘a general understanding’ of what it means to exercise that right.  There is a presumption in Scotland that children aged 12 or above have the necessary understanding.  There is, however, no corresponding statutory provision which deals with children from other parts of the UK.    

Collecting Data Online 

With regard to data collection online, specific guidance is available from the Office of the Information Commissioner (the ‘ICO’) through its Personal information online code of practice which was issued in 2010.  The Code of Practice confirms that ‘Assessing understanding, rather than merely determining age, is the key to ensuring that personal data about children is collected and used fairly.’    

Where services are directed at children, the ICO guidance provides for the following:

·                  that the level of understanding of the child should be ascertained rather than only their age;

·                  that parental consent should usually be sought for children under the age of 12 (as detailed below);

·                  information should only be collected in a way the operator’s ‘core audience’ will understand and which parents are unlikely to object to;

·                  where the information sought from the child is relatively minor, such as their name, then a simple e-mail to the parent notifying them of this may suffice; and

·                  where the operator is processing a photograph of the child, say for a social networking profile, then something more akin to verifiable parental consent will be needed. 

Parental Consent 

The ICO guidance recognises that the need for parental consent will depend upon the complexity of the proposition being presented to the child and on the maturity of the particular child, accepting that not all children of the same age have reached the same level of maturity.  The ICO further acknowledges that, even if a business knows the age of the child it is dealing with, a resourceful and determined child may find ways of circumventing mechanisms for obtaining parental consent.   

The ICO indicates, as a general rule, that some form of parental or guardian consent will normally be necessary for the collection of personal information from anyone under the age of 12.[20]   However, it also recognises that parental consent for children over 12 may be necessary in certain circumstances.   

The ICO advise that it is good practice to seek parental consent if the collection or use of information about a child is likely to result in: 

•          disclosure of a child’s name and address to a third party, for example as part of the terms and conditions of a competition entry;

•          use of a child’s contact details for marketing;

•          publication of a child’s image on a publicly accessible web site (a signed parent consent or an e-mail acknowledgement from the parent may be required);

•          making a child’s contact details publicly available; or

•          the collection of personal data about third parties, for example where a child is asked to provide information about his or her family members or friends (other than collecting parents’ contact details to obtain parental consent). 

The ICO also acknowledges the difficulty in obtaining reliable parent consent.   Where a child is asked to provide their parents’ details, they may provide false ones. The problem may be particularly acute if the web site incentivises the child to obtain parental consent.  

As mentioned earlier, the CAP Code treats anyone under 16 as a child.  The CAP Code contains specific rules on marketing to children.  For example, marketers are prohibited from collecting personal information from a child under 12 about that child for marketing purposes without prior consent from their parent or guardian.[21]   In addition, marketers should not knowingly collect personal information about third parties from children under 16 unless certain conditions are met.[22] Businesses should also bear in mind that, on 1 March 2011, the reach of the CAP Code was extended to include marketing communications on an organisation’s own web site and in other non-paid-for online space under its control.  This includes social networking sites, which (as highlighted earlier) are heavily used by many children.   

The recently published 4th edition of the DMA Code also prohibits data collection from children under 12 years of age without parental consent.[23]   


Confused?  You should be.  Whilst the age of capacity has not been harmonised among the UK’s jurisdictions, in the UK businesses should not normally collect personal information from children under the age of 12.  The ICO guidance acknowledges potential problems but does not lay down  definitive rules on data collection from children.  This is because the ICO is not a law-making body and can only provide its interpretation of the DPA.  The CAP Code and the DMA Codes also appear to go further than the ICO guidance by placing an absolute prohibition on the collection of personal information from children under 12 without parental consent.    

The lack of harmonisation across the EU may be addressed by the uupcoming revision to the Data Protection Regulation, which has now been published in draft form. Article 8 of the draft provides that the processing of personal data of a child under 13 years of age in relation to information services supplied directly to the child will be lawful only if and to the extent that consent is given by the child’s parent or custodian. While it is intended that this requirement will not affect the construction of general contract law of individual member states as to the validity, formation or effect of contracts entered into by minors the draft proposal may go some way to addressing the disparity between the current UK and more prescriptive US position

The child specific nature of the legislation provides greater clarity for operators targeting US children.  Nevertheless, the age rule apart, the ICO guidance and the principle based framework provided for by the DPA is not necessarily inconsistent with COPPA.  With the extra-territorial reach of COPPA, businesses  based in the UK, but directing online services at children in the US, are, of course, required to comply with the FTC’s Rules. The challenge for organisations collecting information from both UK and US children is to comply with both approaches whilst not losing any competitive advantage with operators that may only be required to comply with one of those approaches.   

David Gourlay is a Partner at McClure Naismith LLP.

David Gallagher is a Solicitor in the Corporate Unit at that firm.



[1] Mintel report available for purchase from, also see ‘Facebook now a ‘must have’ for children, with 1m seeking daily fix’,

[2] See Consumer Reports Magazine at

[3]  From the cartoon by Peter Steiner, first published by The New Yorker on 5 July 1993

[4] Letting Children be Children – Report of an Independent Review of the Commercialisation and Sexualisation of Childhood by Reg Bailey, June 2011.  See

[5] Safer Children in a Digital World The Report of the Byron Review, 2008, Dr Tanya Byron.   See

[6] Do we have safer children in a digital world? A review of progress since the 2008 Byron Review, 2010,  Dr Tanya Byron.  See

[7] The Impact of the Commercial World on Children’s Wellbeing: Report of an Independent Assessment, December 2009Professor David Buckingham. See


[9] European Commission findings on assessment of the implementation of the Safer Social Networking Principles for the EU, September 2011 See

[10] 15 U.S.C §§ 6501-6508

[11] FTC Rule §§ 312.1

[12] 15 U.S.C §§ 1302 sub-paragraph 1, FTC Rule § 312.2

[13] §§ 312.4

[14] Section 1, Family Law Reform Act 1969 (for England and Wales) and Age of Majority Act (Northern Ireland) 1969 (for Northern Ireland).

[15] Section 1, Age of Legal Capacity (Scotland) Act 1991

[16] Section 2(1), Age of Age of Legal Capacity (Scotland) Act 1991

[17] The UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing, 12th edition, effective 1 September 2010 Scope of the Code, |III (i)

[18] Section 2.17 DMA Code (4th ed.)

[19] Section 66, Data Protection Act 1998

[20] pp15 – 16, Age and Understanding, ICO Personal Information Online – Code of Practice.

[21] Rule 10.15 CAP Code

[22] Rule 10.16 CAP Code