PI of consumers under 16 not sold without opt-in consent

Why it matters

CCPA § 1798.120(c) and (d) impose heightened protections for minors: consumers aged 13–15 must affirmatively opt in before their PI is sold or shared (reversing the adult default of opt-out); those under 13 require parental opt-in. An application with social features, gaming mechanics, or educational content that applies the adult opt-out default to all users — because it has no age gate — is violating these provisions for every minor user. Unlike adult violations where the consumer must take action to trigger an investigation, minor PI violations can be initiated by the California AG or CPPA without a consumer complaint.

Remediation

Implement an age gate at signup or add age-differentiated consent logic in the data-sharing flow. The simplest compliant path for most applications is an 18+ gate that eliminates the need for age-differentiated consent entirely.

// Simplest path: 18+ age gate at signup
<form onSubmit={handleSignup}>
  <label>
    <input type="checkbox" required name="ageConfirm" />
    I confirm I am 18 years of age or older
  </label>
  <button type="submit">Create Account</button>
</form>

// If you must allow under-16 users, require opt-in for data sharing:
function DataSharingConsent({ userAge }: { userAge: number | null }) {
  if (userAge !== null && userAge < 16) {
    return (
      <label>
        <input type="checkbox" name="shareConsent" />
        I consent to sharing my information for personalized advertising
        {/* Must be affirmative opt-in, not pre-checked */}
      </label>
    )
  }
  return <a href="/do-not-sell">Opt out of data sharing</a>
}

Document the age gate approach in your privacy policy: "Our service is restricted to users 18 years of age or older." If the 18+ gate is your approach, CCPA § 1798.120(c) minor consent requirements do not apply.

Detection

ID: ccpa-readiness.data-handling.minor-consent
Severity: info
What to look for: CCPA includes heightened protections for minors: consumers aged 13-15 must affirmatively opt-in to the sale of their PI (rather than the opt-out default that applies to adults). Consumers under 13 require a parent or guardian to opt-in on their behalf. Check whether the application has any mechanism to detect or verify consumer age. If the application could reasonably attract minor users (gaming, education, social features), check whether an age gate exists and whether the opt-in logic for minors is implemented. Look for age verification at signup (date of birth field, age confirmation checkbox) and conditional logic that applies stricter opt-in requirements for users who indicate they are under 16. Also check whether the privacy policy discloses the minor opt-in requirement. Count all instances found and enumerate each.
Pass criteria: Application either (1) has an effective age gate confirming users are 16+ before any sale/sharing occurs, or (2) implements age-differentiated opt-in logic where users under 16 must affirmatively opt-in (and under-13s require parent opt-in) before any PI is sold or shared.
Fail criteria: Application could have minor users but applies the adult opt-out default to all users. No age verification at signup and no minor-specific opt-in for data sale/sharing.
Skip (N/A) when: Application is explicitly limited to users 18+ with an effective age gate and the age gate is confirmed in the privacy policy as restricting the service to adults.
Detail on fail: Example: "Signup form has no age verification. Application includes gaming features likely to attract users under 16. All users subject to opt-out default for data sharing — minors should require opt-in.".

Remediation: Implement age-appropriate consent for data sale/sharing:

// If you allow users under 16, add age-appropriate opt-in
// during the data sharing consent flow:

function DataSharingConsent({ userAge }: { userAge: number | null }) {
  // Under 16: opt-in required (not default opt-out)
  const requiresOptIn = userAge !== null && userAge < 16

  if (requiresOptIn) {
    return (
      <div>
        <p>Because you are under 16, we need your explicit permission before
        sharing your information with advertising partners.</p>
        <label>
          <input type="checkbox" name="shareConsent" />
          I consent to sharing my information for personalized advertising
        </label>
      </div>
    )
  }

  // Adults: opt-out default (link to Do Not Sell page)
  return (
    <p>
      We share your information with advertising partners.
      <a href="/do-not-sell">Opt out here</a>.
    </p>
  )
}

The simplest compliant path for most applications: implement a strict 18+ age gate at signup. This eliminates the need for age-differentiated consent logic entirely.

External references

ccpa · §1798.120(c) — Minor opt-in — PI of consumers aged 13-15 requires affirmative opt-in for sale/sharing

ccpa · §1798.120(d) — Minor opt-in — PI of consumers under 13 requires parent/guardian affirmative authorization

coppa · §312.5 — COPPA — parental consent required before collection of personal information from children under 13

gdpr · Art. 8 — Conditions applicable to child's consent in information society services

Why it matters

Remediation

// Simplest path: 18+ age gate at signup
<form onSubmit={handleSignup}>
  <label>
    <input type="checkbox" required name="ageConfirm" />
    I confirm I am 18 years of age or older
  </label>
  <button type="submit">Create Account</button>
</form>

// If you must allow under-16 users, require opt-in for data sharing:
function DataSharingConsent({ userAge }: { userAge: number | null }) {
  if (userAge !== null && userAge < 16) {
    return (
      <label>
        <input type="checkbox" name="shareConsent" />
        I consent to sharing my information for personalized advertising
        {/* Must be affirmative opt-in, not pre-checked */}
      </label>
    )
  }
  return <a href="/do-not-sell">Opt out of data sharing</a>
}

Detection

ID: ccpa-readiness.data-handling.minor-consent
Severity: info
What to look for: CCPA includes heightened protections for minors: consumers aged 13-15 must affirmatively opt-in to the sale of their PI (rather than the opt-out default that applies to adults). Consumers under 13 require a parent or guardian to opt-in on their behalf. Check whether the application has any mechanism to detect or verify consumer age. If the application could reasonably attract minor users (gaming, education, social features), check whether an age gate exists and whether the opt-in logic for minors is implemented. Look for age verification at signup (date of birth field, age confirmation checkbox) and conditional logic that applies stricter opt-in requirements for users who indicate they are under 16. Also check whether the privacy policy discloses the minor opt-in requirement. Count all instances found and enumerate each.
Pass criteria: Application either (1) has an effective age gate confirming users are 16+ before any sale/sharing occurs, or (2) implements age-differentiated opt-in logic where users under 16 must affirmatively opt-in (and under-13s require parent opt-in) before any PI is sold or shared.
Fail criteria: Application could have minor users but applies the adult opt-out default to all users. No age verification at signup and no minor-specific opt-in for data sale/sharing.
Skip (N/A) when: Application is explicitly limited to users 18+ with an effective age gate and the age gate is confirmed in the privacy policy as restricting the service to adults.
Detail on fail: Example: "Signup form has no age verification. Application includes gaming features likely to attract users under 16. All users subject to opt-out default for data sharing — minors should require opt-in.".

Remediation: Implement age-appropriate consent for data sale/sharing:

// If you allow users under 16, add age-appropriate opt-in
// during the data sharing consent flow:

function DataSharingConsent({ userAge }: { userAge: number | null }) {
  // Under 16: opt-in required (not default opt-out)
  const requiresOptIn = userAge !== null && userAge < 16

  if (requiresOptIn) {
    return (
      <div>
        <p>Because you are under 16, we need your explicit permission before
        sharing your information with advertising partners.</p>
        <label>
          <input type="checkbox" name="shareConsent" />
          I consent to sharing my information for personalized advertising
        </label>
      </div>
    )
  }

  // Adults: opt-out default (link to Do Not Sell page)
  return (
    <p>
      We share your information with advertising partners.
      <a href="/do-not-sell">Opt out here</a>.
    </p>
  )
}

The simplest compliant path for most applications: implement a strict 18+ age gate at signup. This eliminates the need for age-differentiated consent logic entirely.

External references

ccpa · §1798.120(c) — Minor opt-in — PI of consumers aged 13-15 requires affirmative opt-in for sale/sharing

ccpa · §1798.120(d) — Minor opt-in — PI of consumers under 13 requires parent/guardian affirmative authorization

coppa · §312.5 — COPPA — parental consent required before collection of personal information from children under 13

gdpr · Art. 8 — Conditions applicable to child's consent in information society services

PI of consumers under 16 not sold without opt-in consent

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History

PI of consumers under 16 not sold without opt-in consent

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History