European Data Protection Board announced guidelines on the processing of children’s data

The European Data Protection Board has confirmed that it is preparing guidelines on the processing of children’s personal data, as part of its broader work on data protection and children’s rights online. The announcement was made in the context of Data Protection Day 2026 and highlights children’s data as a priority area for EU regulators.

The forthcoming guidelines are intended to clarify how existing EU data protection rules, in particular the General Data Protection Regulation, apply when organisations process data relating to children. Children are considered especially vulnerable online, as they may not fully understand how their data is collected, shared, or reused, and the effects of this data processing can follow them into adulthood.

The EDPB has already taken several steps in this area. In 2024, it issued a statement on proposed EU legislation to prevent and combat child sexual abuse, focusing on the data protection implications. In 2025, it adopted a statement on age assurance, setting out principles for determining a person’s age in a way that respects privacy and minimises data collection. That statement outlined ten principles, including data minimisation, proportionality, and privacy by default.

Building on this work, the upcoming guidelines on children’s data are expected to provide more detailed guidance for organisations that offer digital services used by children. The aim is to support consistent application of data protection rules across the EU, while addressing practical questions such as consent, transparency, and the use of children’s data in online platforms and apps.

The EDPB has indicated that this work fits within its 2024–2027 strategy, which places particular emphasis on protecting children in digital environments. The guidelines are expected to contribute to clearer expectations for organisations and stronger safeguards for children’s personal data in everyday online services.