Children's Data and DSARs: Parental Access Requests and Age-Appropriate Compliance

How to handle DSARs involving children's personal data. Parental access rights, age of consent, competency assessments, and compliance under GDPR, CCPA, and COPPA.

Last updated: 2026-04-17

Children's Data Deserves Extra Protection

Children are not small adults. Privacy laws around the world recognise this, and they impose additional obligations on organisations that process children's personal data. When a parent submits a data subject access request on behalf of their child — or when a teenager submits one themselves — the rules are different from a standard DSAR, and getting them wrong can have serious consequences.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.

This guide covers who counts as a "child" under different privacy laws, who can make a DSAR on a child's behalf, how to assess a child's competence to exercise their own rights, and the practical steps your business should take to handle these requests properly. If you need the fundamentals of DSARs first, start with our DSAR overview.

Who Counts as a "Child"?

There is no single global definition. Every major privacy framework sets its own age thresholds, and some leave the decision to individual countries or states.

| Jurisdiction | Law | Age Threshold | Notes |
|---|---|---|---|
| EU | GDPR (Article 8) | 13–16 (varies by member state) | Each EU member state can set the age between 13 and 16 for consent to information society services. Most countries set it at 16. |
| UK | UK GDPR / DPA 2018 | 13 | The UK sets the age at 13 for information society services. |
| France | GDPR (national implementation) | 15 | France sets the age at 15. |
| Germany, Netherlands, Ireland | GDPR (national implementation) | 16 | These countries use the GDPR default of 16. |
| United States | COPPA | Under 13 | The Children's Online Privacy Protection Act applies to children under 13. Requires verifiable parental consent. |
| United States (California) | CCPA | Under 16 | Opt-in consent required for sale of personal information of consumers under 16. Under 13 requires parental consent. |
| Canada | PIPEDA | No fixed age | PIPEDA does not specify a precise age. Instead, it requires "meaningful consent" and assesses whether the individual has the capacity to provide it. |
| Australia | Privacy Act 1988 | No fixed age | Similar to Canada — no specific age, but considers capacity to consent. |

The key takeaway: you cannot apply a single age threshold globally. If your business operates across jurisdictions, you need to know which law applies to each child and apply the correct standard.

GDPR Article 8: Consent for Information Society Services

GDPR Article 8 addresses a specific situation: when a child's personal data is processed based on consent for "information society services" (essentially online services, websites, and apps). In these cases, consent is only valid if the child has reached the age set by their member state (between 13 and 16). Below that age, consent must be given or authorised by the holder of parental responsibility.

This does not mean children below the threshold have no data protection rights. They do. Article 8 governs the validity of consent as a legal basis — it does not remove or limit a child's right of access, right to erasure, or other data subject rights.

COPPA: The US Standard for Under-13s

The Children's Online Privacy Protection Act (COPPA) applies to websites, apps, and online services that are directed at children under 13, or that have actual knowledge they are collecting data from children under 13. COPPA requires:

  1. Verifiable parental consent before collecting, using, or disclosing a child's personal information
  2. Direct notice to parents about data collection practices
  3. Strict data minimisation — you may only collect data reasonably necessary for the child's participation in the activity
  4. Parental access — parents have the right to review the personal information collected from their child
  5. Parental deletion rights — parents can request deletion of the child's personal information
  6. Confidentiality and security measures appropriate to the data

The FTC enforces COPPA and has taken action against companies ranging from social media platforms to gaming apps. Penalties can exceed $50,000 per violation (the FTC adjusts the maximum annually for inflation — the 2025 figure is $53,088 per violation).

CCPA: California's Under-16 Requirement

The CCPA adds a separate layer for California residents under 16. Businesses cannot sell or share the personal information of a consumer they know to be under 16 unless:

  • Ages 13–15: The child has affirmatively opted in to the sale or sharing
  • Under 13: A parent or guardian has affirmatively opted in

This is distinct from COPPA. COPPA governs collection of data from children under 13. The CCPA governs the sale and sharing of personal information of anyone under 16. Both can apply simultaneously.

Parental Access Requests: Who Can Make a DSAR on Behalf of a Child?

Under most privacy laws, a parent or legal guardian can submit a DSAR on behalf of their child. But this right is not absolute, and it does not automatically override the child's own rights.

The Parent's Right

A parent or person with parental responsibility can generally exercise data subject rights on behalf of a child who is too young to understand and exercise those rights independently. Under GDPR, this is implied by Recital 38 ("children merit specific protection") and supported by ICO guidance. Under COPPA, it is explicit — parents have a statutory right to review their child's data.

When a parent submits a DSAR, you should:

  1. Verify the parent's identity and their relationship to the child (for detailed guidance on identity verification, see our DSAR identity verification guide)
  2. Verify they have parental responsibility — not all adults related to a child have legal parental responsibility
  3. Assess the child's competence to determine whether the parent should be the one receiving the response (more on this below)
  4. Consider the child's best interests when deciding what to disclose

The Child's Own Right

Here is where it becomes nuanced: the child is the data subject, not the parent. The right of access belongs to the child. A parent exercises that right on the child's behalf only when the child cannot exercise it independently.

The ICO is clear on this point: if a child is mature enough to understand their rights, you should respond to the child directly — even if the parent submitted the request. A parent does not have an unconditional right to access their child's data.

This matters most for older children and teenagers. A 14-year-old who submitted personal information to a counselling service has a privacy interest that may outweigh their parent's desire to see that information.

Assessing Competence: The Gillick Test

In the UK and many common law jurisdictions, the question of whether a child can exercise their own rights is assessed using the concept of "Gillick competence," named after the landmark case Gillick v West Norfolk and Wisbech Area Health Authority [1986].

What Is Gillick Competence?

Gillick competence is not a fixed age. It is a test of the individual child's maturity and understanding. A child is Gillick competent if they have sufficient understanding and intelligence to fully understand what is being proposed: in this context, what a DSAR is, what personal data is held about them, and what the consequences of disclosure would be.

Practical Age Guidance

While there is no fixed age, the ICO and most privacy practitioners use these general guidelines:

| Age Group | General Approach |
|---|---|
| Under 12 | Generally respond to the parent or guardian. Most children under 12 will not be Gillick competent for data protection purposes. |
| 12–15 | Assess on a case-by-case basis. Some children in this range will be competent; others will not. Consider the complexity of the data, the child's maturity, and the context. |
| 16 and over | Treat as an adult unless there is a specific reason not to (such as a learning disability or other factor affecting capacity). The GDPR itself uses 16 as the default age for consent. |

How to Assess Competence in Practice

When you receive a DSAR from a parent for a child in the grey area (roughly ages 12–15), consider:

  1. The nature of the data. Simple account information is less sensitive than counselling records or health data.
  2. The child's age and maturity. A 15-year-old is more likely to be competent than a 12-year-old, but age alone is not determinative.
  3. The context of the relationship. Is there any reason to believe disclosure to the parent could harm the child? For example, in cases involving family disputes, safeguarding concerns, or confidential counselling.
  4. Whether the child has expressed a view. If the child has told you they do not want their parent to see certain information, that view should carry weight — particularly for older children.
  5. What type of service you provide. Schools, healthcare providers, and counselling services will encounter this more frequently and should have established procedures.

If you assess the child as competent, respond to the child. If not, respond to the parent. Document your reasoning either way.

What to Include — and What to Withhold

Responding to a DSAR for a child requires the same thoroughness as any other DSAR (see our guide on what to include in a SAR response), but with additional considerations:

Include

  • All personal data you hold about the child, subject to applicable exemptions
  • Data provided by the child themselves
  • Data provided about the child by parents, teachers, healthcare providers, or other third parties (subject to redaction rules)
  • Any profiling or automated decision-making applied to the child's data

Consider Withholding or Redacting

  • Information that could harm the child. If disclosing data to a parent could put the child at risk — for example, in cases of domestic violence, abuse, or family breakdown — you may withhold it under the exemption for prejudice to the rights and freedoms of the data subject.
  • Confidential disclosures. If a child shared information in confidence (with a school counsellor, healthcare provider, or helpline), disclosing it to a parent may breach that confidence and could be exempt.
  • Third-party data. The same third-party redaction rules apply. If other children's data appears alongside the subject child's data (common in school records), redact appropriately.
  • Information that reveals the child's views about the parent. Where a child has expressed opinions about a parent in a confidential context, consider whether disclosure is appropriate.

The overriding principle is the best interests of the child. This is explicitly stated in the UNCRC (UN Convention on the Rights of the Child) and reflected in ICO guidance. When in doubt, prioritise the child's welfare.

Specific Contexts: Schools, Healthcare, and Social Services

Schools

Schools are among the most frequent recipients of DSARs involving children's data. Parents routinely request access to their child's educational records, behavioural notes, emails between teachers, SEN (Special Educational Needs) documentation, and safeguarding records.

Key considerations for schools:

  • Education records are subject to separate legislation in the UK (the Education (Pupil Information) (England) Regulations 2005), which gives parents a right to access their child's educational record — separate from the DSAR process. The timeline is shorter: 15 school days.
  • Safeguarding records may be exempt from disclosure if release could prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders.
  • SEN records frequently contain third-party professional opinions. Redact the identity of third parties unless they consent or it is reasonable to disclose.

Healthcare

Children's health data is highly sensitive. Parental DSARs for health records arise in custody disputes, insurance claims, and concerns about treatment.

  • A competent child (Gillick competent) can consent to or refuse medical treatment. By extension, they can control access to their own health records.
  • Healthcare providers should be particularly cautious about disclosing information that a child shared in confidence during a consultation.
  • Under GDPR, health data is a special category requiring explicit consent or another Article 9 basis for processing.

Social Services

DSARs to social services are among the most complex. Files often contain sensitive information about multiple family members, professional assessments, and information from police, schools, and healthcare providers.

  • Third-party information is pervasive and must be carefully redacted.
  • Safeguarding exemptions may apply to protect the child or other individuals.
  • The volume of data can be substantial — case files spanning years.

The UK Age Appropriate Design Code (Children's Code)

The UK's Age Appropriate Design Code, introduced by the ICO under section 123 of the DPA 2018, sets out 15 standards that online services likely to be accessed by children must follow. While the code is not directly about DSARs, it shapes how organisations should handle children's data generally — which in turn affects DSAR responses.

The 15 Standards at a Glance

  1. Best interests of the child — the child's best interests should be a primary consideration
  2. Data protection impact assessments — conduct DPIAs for services likely accessed by children
  3. Age-appropriate application — consider the ages of your users
  4. Transparency — privacy information must be clear for children
  5. Detrimental use of data — do not use children's data in ways detrimental to them
  6. Policies and community standards — uphold published standards and policies
  7. Default settings — settings must be "high privacy" by default
  8. Data minimisation — collect only the minimum data necessary
  9. Data sharing — do not disclose children's data unless you can demonstrate a compelling reason
  10. Geolocation — switch geolocation off by default
  11. Parental controls — if offered, provide age-appropriate information to the child
  12. Profiling — switch off profiling by default unless you can demonstrate a compelling reason
  13. Nudge techniques — do not use nudge techniques to encourage children to weaken their privacy settings
  14. Connected toys and devices — apply the standards to connected toys and smart devices
  15. Online tools — provide prominent and accessible tools to help children exercise their data protection rights

Standard 15 is directly relevant to DSARs: services must provide children with accessible tools to exercise their rights, including the right of access. If your service is likely accessed by children, you should make it easy for them (or their parents) to submit a DSAR and understand the response.

Right to Erasure: A Special Ground for Children's Data

GDPR Article 17(1)(f) provides a specific ground for erasure where the personal data was collected in relation to the offer of information society services to a child. This means:

  • An individual who gave consent as a child to an online service can later request erasure of that data, even as an adult.
  • The controller cannot rely on the original consent as a reason to retain the data if the data subject withdraws that consent later.
  • The ICO considers this a particularly strong ground for erasure — stronger than the general right to erasure in many cases.

This is important for businesses that collect data from children: the data may need to be deleted years later when the child grows up and decides they no longer want the service to hold it. For more on the right to erasure, see our right to erasure guide.

Practical Steps for Your Business

Whether you are a school, a healthcare provider, an app developer, or a retailer, these steps will help you handle children's DSARs properly:

1. Know Whether You Process Children's Data

Many businesses process children's data without realising it. If your service is accessible to children — even if not targeted at them — you may hold their data. Family accounts, gaming platforms, educational tools, social media, and e-commerce sites all commonly process children's data.

2. Implement Age Verification

Where relevant, use age verification or age estimation mechanisms to identify when you are processing a child's data. This does not need to be onerous — age gates, date-of-birth collection, or age estimation tools can all help.

3. Establish Separate Consent Flows

If you rely on consent as your legal basis, ensure you have a separate consent flow for children that:

  • Uses clear, age-appropriate language
  • Obtains parental consent where required (below the applicable age threshold)
  • Uses a verifiable parental consent mechanism under COPPA if you are subject to US law

4. Create a DSAR Procedure for Parental Requests

Your DSAR procedure should include specific steps for handling parental requests:

  • How to verify the parent's identity and parental responsibility
  • How to assess the child's competence
  • Decision tree for whether to respond to the parent or the child
  • What to do when a parent and child disagree about disclosure
  • How to handle safeguarding concerns that arise during the process

5. Train Your Staff

Staff who handle DSARs need to understand the additional considerations for children's data. This is particularly important for schools, healthcare providers, and any business with a young user base. Include children's DSARs in your DSAR training programme.

6. Document Everything

Document your competency assessments, your reasoning for disclosing or withholding data, and your communications with both parents and children. This is essential for demonstrating compliance if a complaint is made.

Common Mistakes to Avoid

  1. Assuming a parent always has the right to see their child's data. They do not. Competent children can exercise their own rights.
  2. Applying a single age threshold globally. The age varies by jurisdiction. Check which law applies.
  3. Ignoring the child's views. If a child has expressed a preference about disclosure, it should be considered.
  4. Treating all children the same. A 7-year-old and a 15-year-old require very different approaches.
  5. Failing to redact third-party data. School records, social services files, and healthcare records frequently contain other children's data. Redact it.
  6. Not having a procedure at all. Children's DSARs are more complex than adult DSARs. Ad hoc responses are a recipe for mistakes.

References

  • GDPR: Article 8 (conditions for child's consent); Article 17(1)(f) (right to erasure for data collected from children); Recital 38 (children merit specific protection).
  • COPPA: 15 U.S.C. §§ 6501–6506; 16 CFR Part 312 (Children's Online Privacy Protection Rule).
  • CCPA: Cal. Civ. Code § 1798.120(c) (opt-in for sale of minors' personal information).
  • UK Data Protection Act 2018: Sections 9, 123; Schedule 2, Part 1.
  • ICO Age Appropriate Design Code (Children's Code).
  • ICO guidance on children and the UK GDPR.
  • Gillick v West Norfolk and Wisbech Area Health Authority [1986] AC 112.

Last reviewed: April 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.