top of page

Tracing The Internet’s “Under 13” Age Requirement

By Digvijay S. Chaudhary*



This article examines the “grundnorm(ing)” of the Internet’s “under 13” age requirement – tracing the history behind the age thresholds in COPPA, GDPR, and India’s different draft data protection law(s). It highlights a common thread and the lack of empirical research in all three jurisdictions. Concluding, it puts out suggestions that India may look into for determining the age of child under its new data protection law.


The difficulty in establishing a precise age threshold is seen in multiple, discrete areas of law and regulation. This includes, criminal law, marriage and the age to contract, eligibility to vote, gambling laws, liquor and tobacco consumption and – in more recent times – data protection law. Enacted in 1998, the United States’ Children’s Online Privacy Protection Act (“COPPA”) was the first privacy protection law aimed at children. It imposed certain requirements on operators of websites or online services directed to children under 13 years of age. As major social media giants were headquartered in the US, 13 became the internet’s age of adulthood, but there is little information on how it has come to be so. This article studies US and EU law and policies to understand how they helped shape a standard age of adulthood online to analyse how India is viewing the age of online adulthood in its data protection law.

From CARU to COPPA – Advertising And The Age of Online Adulthood

The age requirement of 13 years has much to do with advertising. In the 1970s, owing to the aggressive and deceptive advertising directed towards children (primarily for toys and sugary breakfast cereals), the arguments against adverse effect of “host selling” (endorsement of a product by a TV character) on children’s physical and psychological health began to take shape and called for government oversight (see here). The Federal Communications Commission (“FCC”) took note and commissioned research into the effects of advertising on children. A major takeaway from this research was that a significant percentage of the children studied could not consistently discriminate between television programs and commercial content and that the ability to discriminate between these two types did not develop until at least 5 years of age. On the question whether children can identify persuasive intent (the attempt to influence consumers’ behaviour by changing their mental states, for instance, their attitudes and cognitions about a product), the researchers concluded that it typically develops at about 7 to 8 years of age (see here).

Fearing the burdening compliance requirements of government regulations, the Association of National Advertisers (“ANA”) soon came out with the Children’s Advertising Guidelines in 1972 (see here). Thereafter, in 1974, the National Advertising Review Council (“NARC”) established the Children’s Advertising Review Unit (“CARU”) to implement the Children’s Advertising Guidelines issued by ANA. In 1996, CARU revised its guidelines and expanded them to accommodate online content and the internet and it was here that an age requirement for online services first appeared – of “under 12 years” (the 1996 children’s privacy guidelines section formed part of CARU’s advertising guidelines until 2022 when CARU updated its guidelines and moved the children’s privacy guidelines section to a separate document). Two years later, in 1998, these guidelines formed the basis of COPPA (see here) which imposed certain requirements on operators of websites or online services directed to children “under 13 years” of age.

However, this was not the original intent of the Federal Trade Commission (“FTC”). In their 1998 report, the FTC proposed a graded approach – different level of protection for children of different ages – parental consent model for children under 12 years and a notice and opt-out model for over 13 year olds. As we see here, an age threshold of below 12 and above 13 came to the fore. Initially, COPPA had provisions that specifically addressed online safety of those in the 12-17 age-group (see here, and here). However, extending the protection to this age-group was opposed by all stakeholders involved – corporates opposed it on the ground that there was a huge market for teenage products which would be affected by such an age limit, and civil liberties groups argued that the requirement for parental consent for reproductive choices would be a hurdle for safe, accessible healthcare or for getting resources to get help in abusive situations. The provisions for 12-17 year olds were finally dropped and the age limit was brought in line with CARU’s provisions; a compromise that had to be established between the marketing and online industries, the FTC and privacy groups (see here) to ensure successful adoption of the law.

Why 12 and 13?

The question that arises is what made CARU and COPPA arrive at the age numbers of 12 years and 13 years respectively? There is a lack of policy and legal proof demonstrating why 12 years was chosen as the threshold age by CARU. This is also backed by the statements made by CARU’s Director in 2005. In 2005, at an FTC conference on marketing, self-regulation and childhood obesity the President and CEO of the American Advertising Federation (“AAF”), stated that the advertisement requirement standards had always been “under 12 years”, and one which was “embedded in (American) culture” and as far as age restrictions go, “12 and under are really workable”. Adding to it, Elizabeth Lascoutx, (the then Director of CARU) indicated that when CARU was established, the wisdom of that time was that “12 was when one stopped being a kid” and “started being a teenager” which meant that “one could understand”. These statements indicate the lack of a policy-based approach to determine the exact age threshold (either 12 or 13). However, since then, following in the footsteps of the research commissioned by the FCC, new research has been published that support CARU’s age-cut off – pointing to the fact that children begin to differentiate between commercials and content, and understand persuasive intent only after age 12 (see here). As we see, an age threshold was first introduced by CARU (in the form of “under 12 years”) based on an understanding of existing FCC research and the wisdom of that time.

The legislative history behind COPPA is wafer thin (see here and here) and while we do know why the initially proposed graded approach was dropped, what is unclear is why COPPA chose “under 13 years” as the standard instead of going with an already established standard of “under 12 years” by CARU’s 1996 guidelines. When the first draft of COPPA was introduced, it defined a child as an individual under the age of 16 years; mandated verifiable parental consent for processing of personal information of children under the age of 13 years; and mandated providing parents with notice for processing personal information of children over 12 years and under the age of 17 years. In the Congressional Committee’s hearings on COPPA, the FTC presented its statement on “Consumer Privacy on the World Wide Web” wherein it illustrated, among other privacy concerns, that most children websites targeted children aged 8 to 11 years and children in the age group of 4 to 12 years spent $24.4 billion themselves while also considerably influencing parents to spend much more. In its statement, the FTC proposed a legislation that would require commercial websites collecting personal information from children aged 12 years and under to obtain parental consent. Post the Congressional hearing, Vice President Al Gore called on the Congress to pass a legislation that gave “parents the right to say yes or no before information can be collected from children under the age of 13 (thirteen)”.

Thereafter, before the Senate Communications Subcommittee, the FTC Chairman, Robert Pitofsky presented his statement where the concern was again focused on children aged 12 years and under. Post these developments, the final version of COPPA was introduced and passed by the Senate. The final version of COPPA dropped the provision concerning notice requirement for 12-17 year olds and the age limit was decreased from “under 16 years” to “under 13 years”. As noticed above, this reduction was largely influenced by the pushback from various stakeholders, and as for the choice for the number 13 in defining a child, it probably had to do with the language of the earlier draft which had a provision for obtaining verifiable parental consent for processing personal information of children under the age of 13 years. It must be emphasised here that throughout the legislative history behind COPPA, no studies were commissioned to determine the exact age thresholds for children consuming online content, even the FTC’s statement before the Congressional hearings highlighted only the commercial aspect of children consuming online content not the psychological understanding behind a child’s understanding of online content.

GDPR And The Effects of COPPA

EU’s General Data Protection Regulation (“GDPR”) introduced the age of consent at 16 years but allowed member states to set a lower age that would not be below 13 years. The initial draft of the GDPR set the age of consent at 18 years, in line with the definition of a child under the UNCRC but before the draft was published, a last minute amendment was added to the GDPR to lower the age of consent to 13 years (see here). During the discussions on the draft GDPR, there were proposals to raise the age limit for parental consent to 15/16 or 18 years (see here). Consequently, the European Council (“EC”) raised the age limit from 13 to 16 years which led to a public outrage by companies, children’s rights activists and teenagers who saw it as banning kids from social media and violation of human rights (see here). The final GDPR draft, as a result, opted for a compromise by setting the age of consent at 16 years but allowed member states to set a lower threshold which could not go below 13 years.

The GDPR’s deliberations on the age of consent have been criticised for being opaque and inconsistent as no fresh empirical evidence was gathered by the EU while deciding the appropriate age threshold for parental consent. Experts saw the choice of 13 as the age threshold as being influenced by COPPA because the impact assessment at that time stated that the inspiration for the age limit came from COPPA. In its informal note on draft GDPR, US stated that it saw the definition of a child too broad due to “practical difficulties”. The EC also admitted[R28] that following the age limit of COPPA would be beneficial for online business.

The India Story So Far

In 2018, India introduced its first draft of the Personal Data Protection Bill, 2018 (the “2018 Bill”), the result of an extensive consultation process steered by the Justice Srikrishna Committee (the “Committee”) which was formed by the Ministry of Electronics and Information Technology (“MeitY”) in the background of the directions issued by the Supreme Court in KS Puttaswamy v. Union of India (2017) (Puttaswamy (I)). In its report titled, “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”, the Committee considered the age of child under existing data protection laws in EU and US and other countries and proposed three factors that should determine the cut-off age in India’s data protection law – (i) principled considerations; (ii) the maximum and minimum age in various data protection laws; and (iii) the need to prescribe a single threshold to ensure practical implementation. Keeping in view the above, the Committee recommended 18 as the cut-off age for a child in the 2018 Bill. This choice was justified on the basis of the following reason – the provision of consent for data sharing is often intertwined with the consent to contract, therefore, there should be consistency with the existing legal framework regarding the age of consent to contract. As the contractual age under Indian Contract Act, 1872 is 18 years, therefore, 18 was chosen as the cut-off age for a child.

Several revisions were made by the Indian government to the 2018 Bill before introducing it in the Lok Sabha as the Personal Data Protection Bill, 2019 (the “2019 Bill”). However, there were no changes made to the age of a child under the 2019 Bill. The Lok Sabha passed a motion to refer the 2019 Bill to a joint committee of both Houses of Parliament. In 2021, the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 (the “JPC”) came out with its report and recommendations to the 2019 Bill, known as the Data Protection Bill, 2021 (the “2021 Bill”). There were no changes made to the age of a child under the 2021 Bill too. However, the government withdrew the 2021 Bill citing the numerous changes made by the JPC, and that it would be easier to come out with a new version of the Bill rather than implementing the recommendations made by the JPC. In December 2022, MeitY came out with its draft of the Digital Personal Data Protection Bill, 2022 (the (“2022 Bill”). As with the previous iterations of the bills, the cut-off age for a child has been fixed at 18 years in the 2022 Bill too.

Since the 2018 Bill was introduced, India has observed some pushback (see here, here and here) from internet intermediaries, industry bodies, and civil society groups to lower the age threshold from 18 years. In their comments on the 2022 Bill, industry bodies such as the Asia Internet Coalition (“AIC”) and the Software Alliance (“BSA”) have urged MeitY to lower the age threshold from 18 years to 13 years to bring it in line with the existing age threshold standards in COPPA and GDPR. Similarly, various policy organisations (see here, and here) have urged the government to lower the age threshold by implementing a graded approach to child consent – that children have different understanding capacities at different ages which influence their decision making online, hence different age thresholds should be implemented for children at different levels of maturity (also read, the Gillick Test).

At the outset it’s important to note that India seems to be the only country which has tied the age to consent to data processing with the capacity to contract in arriving at a cut-off age for a child under its data protection bill(s). While different jurisdictions have an age to contract but privacy protection is fundamentally different from contractual protection. Privacy, in India has been recognised as a fundamental right and as this report notes, such reasoning reduces the fundamental right to privacy to a contractual protection. However, Puttaswamy (I) recognised that informational privacy extended beyond the contractual protection of information, and was a natural right. Therefore, the reasoning that, “the provision of consent for data sharing is often intertwined with the consent to contract, therefore, there should be consistency with the existing legal framework regarding the age of consent to contract” should be relooked at.

Throughout the four drafts of data protection that the Indian government has come out with till date, it has retained the provision of age of child at 18 years. Comparatively, Indian government has been surprisingly firm in not lowering the age of child below 18 years, despite the pushback received from various stakeholders. It isn’t the case that Indian laws don’t observe a graded approach when it comes to children. For instance, under the Indian Penal Code any act by a child under the age of 12 years is not considered an offence, and the maturity of children aged between 12–18 years is decided by the court. Similarly, child labour laws in India also allow children above the age of 14 years to work in non-hazardous industries. With the introduction of the 2022 Bill, the age debate in India’s data protection law might need to be revisited – post the introduction of the 2022 Bill, the government has shown a malleable stand towards concerns raised by the stakeholders – it has been reported that the government could review the definition one year after enactment of the bill.


At the outset, a grave concern must be raised for the lack of research (commissioned or relied upon) by the above three countries on the psychological understanding behind a child’s perception of online content, especially in the digital age. COPPA was, in part, motivated by the ease of doing business rather than policy; we saw how on introducing the age threshold of 16 years, COPPA faced extreme criticism both from companies and civil liberties groups. This was a rare occurrence which saw the interests of civil liberties groups and companies align. The criticism was so harsh that it impeded the adoption of the law. Similar incidents were seen in the EU during the adoption of GDPR. Since its enactment, COPPA has faced criticism regarding its ineffectiveness – critics have also urged to raise the age limit under COPPA from 13 to 16 years due to the emergence of social media platforms and Big Tech. While India has observed some pushback from Big Tech, internet intermediaries and industry bodies’ against the children’s privacy provisions in its data protection bills, these provisions have not seen the intense pushback and attention as observed in COPPA. Considering how important India’s data goldmine is for Big Tech and industry players, it’ll be interesting to see how the Indian government’s formulation of the age of child in its data protection law affect the contours of children's privacy online.


Digvijay S. Chaudhary is a part of the Fintech and FSR team at Spice Route Legal.



bottom of page