AI & Children's Data Compliance Checklist

COPPA, GDPR-K & UK AADC checklist for AI products used by minors

Assess your AI product's compliance with children's data protection across COPPA, GDPR Article 8, and the UK Age Appropriate Design Code — covering age assurance, verifiable parental consent, data minimisation, default privacy, and AI output safety. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What ages count as a child under these rules?

COPPA applies to children under 13. GDPR Article 8 sets a digital consent age between 13 and 16 depending on the member state. The UK Age Appropriate Design Code applies to anyone likely to be accessed by users under 18, which is the broadest threshold.

AI and children’s data checklist

Building an AI product that minors will use raises the privacy stakes sharply. Children’s data is treated as high-risk across every major regime, and the rules do not just cover consent — they reach into defaults, design, profiling, and the safety of what the AI actually outputs. This checklist maps the core obligations of COPPA, GDPR Article 8, and the UK Age Appropriate Design Code so you can see where your product stands.

How it works

You enter your product type and target age range, then select the jurisdictions you serve. The checklist filters to the items that apply and separates critical requirements — age assurance, verifiable parental consent, data minimisation, deletion rights, a completed DPIA, AI output safety — from secondary ones. As you tick off what you have built, the tool tracks your score and flags the product as non-compliant while any critical item remains unmet. Every item is tagged with its legal basis so you know exactly which regime drives it.

How the three regimes differ

Understanding where each framework focuses helps you prioritise work:

COPPA (US, applies to children under 13) is primarily a consent regime. Its central requirement is verifiable parental consent before collecting personal information from a child. “Verifiable” means more than a checkbox — the FTC expects a mechanism that has a reasonable chance of actually reaching a parent: a signed form, a video call, a government ID check, or a credit card authorisation. COPPA also prohibits conditioning a child’s participation in an activity on disclosing more personal information than is reasonably necessary for that activity.

GDPR Article 8 (EU) sets the age of digital consent at between 13 and 16 depending on the member state (most set it at 16, with some at 13 or 14). Below that age, parental consent is required for processing based on consent. Article 8 interacts with broader GDPR principles — lawful basis, data minimisation, purpose limitation — which all apply with heightened scrutiny for children.

UK Age Appropriate Design Code (Children’s Code, AADC) takes a different approach: it applies to any service likely to be accessed by children under 18, not just services directed at them. The Code is design-led: it requires privacy by default, prohibits nudge techniques, mandates that geolocation be off by default, requires age-appropriate transparency, and explicitly addresses the design of AI systems that interact with children. It is the most demanding of the three in terms of product and UX design obligations.

AI-specific obligations beyond data collection

For AI products, the checklist extends beyond what data you collect to what the AI can do:

  • Content safety. What can the AI say to a child? Content filters and output guardrails are treated as first-class safety requirements, not optional add-ons.
  • Behavioural design. The AADC prohibits AI personalisation that could be damaging to a child’s physical or mental health. Recommendation systems, engagement mechanics, and notification designs that might be appropriate for adults require scrutiny when minors are in scope.
  • Profiling for advertising. COPPA prohibits targeted advertising to children under 13 without prior parental consent. The AADC bans profiling children for commercial purposes unless strictly necessary for the service’s core function.
  • Training on children’s data. Using children’s interaction data to train or fine-tune AI models is a significant compliance risk without a specific documented lawful basis and robust safeguards.

Tips and notes

  • Default to the strictest regime. If you serve the UK or EU as well as the US, the AADC’s high-privacy defaults and no-profiling rules are usually the binding constraint — build to those and the others tend to follow.
  • Guard the AI output, not just the input. A children’s product is judged on what the model can say to a child, not only on what data you collect. Content filtering and guardrails are a first-class requirement.
  • Document a DPIA early. A data protection impact assessment is expected for child-facing AI and is the artefact a regulator will ask for first.