How should consent be collected for minors?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If your service reaches anyone under 18, you're in one of the most legally complex corners of email compliance. Here's what you actually need to do, not just the regulatory overview.

Step 1: Know your age thresholds. In the US, COPPA (Children's Online Privacy Protection Act, enforced by the FTC) prohibits collecting personal data including email addresses from children under 13 without verifiable parental consent. Under GDPR, member states set their own thresholds: the minimum age ranges from 13 to 16 depending on country. A 14-year-old who can legally sign up in Germany may not be able to in Ireland or France. Know which laws cover your audience geography.

Step 2: Add an age gate to your signup flow. A birthday field or age confirmation checkbox blocks underage signups before collection happens. A checkbox alone won't satisfy regulators if challenged, but it documents intent. Full identity verification (ID upload, credit card check) is the safest option but drives away most users. Most publishers land somewhere in the middle: a date-of-birth field, a clear privacy policy, and a parental flow triggered below your age threshold.

Step 3: Build a parental consent flow. If you knowingly allow signups from under-16s, you need a parent's email address and a verification step before the account goes active. The parent's opt-in is what makes collection legal, not the child's. Send a verification email to the parent, require a click, then activate. This needs to run before you send any marketing to that address.

Step 4: Document everything. Capture who signed up, when, what age verification ran, and what consent language was shown. This is your consent record and it's what protects you if a regulator ever asks. Store it for as long as you maintain the subscriber relationship.

Many organizations simply avoid targeting minors given the compliance overhead. That's a legitimate choice. If you're not sure whether your service reaches under-18s and what that means for your setup, this is worth a real conversation. The Review My Emails SOS call is free and we don't upsell complex situations.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me figure out if my signup flow is compliant for minor audiences.

I read this on the Email Almanac about collecting consent for minors. I need to figure out if my service has a minor consent problem and what to do about it. My situation: - Does my service intentionally target minors? yes / no / not intentionally but they may sign up - What age gate do I currently have, if any? describe or say 'none' - What's my geographic audience? US only / EU only / global / specific countries - Do I have a parental consent flow? yes / no / partial - What laws do I think apply to me? COPPA / GDPR / both / unsure --- My details: - Email platform/ESP: e.g. Mailchimp, Kit, HubSpot, custom - Type of service: newsletter / app / e-commerce / educational / other - Business location: country - How subscribers currently sign up: describe flow - What verification I run at signup: none / birthday field / checkbox / ID verification - Privacy policy in place: yes / no / in progress

Edit the yellow boxes, then send to the AI of your choice.