Children's Privacy at WiFi Hotspots: COPPA and Under-13 Consent

Why Children's Privacy Is a WiFi Marketing Risk

Family-friendly venues — family restaurants, theme parks, leisure centres, family hotels, children's entertainment venues — face a regulatory compliance challenge that adult-only venues do not: a significant portion of their WiFi users may be under 16 (GDPR) or under 13 (COPPA).

The default WiFi marketing portal setup is not children-safe. It collects email addresses and marketing consent from anyone who completes the form, without age verification. A child completing the portal form and consenting to marketing creates a data processing record that is not legally valid under GDPR Article 8 (EU) or COPPA (US).

This is not a theoretical risk. GDPR Article 8 violations related to online services and children's consent have resulted in significant fines across the EU. Venue operators who serve families need to understand their obligations and configure their portals accordingly.

COPPA: US Requirements for Under-13

The Children's Online Privacy Protection Act (COPPA) applies to US operators (or non-US operators knowingly serving US children) who collect personal information from children under 13 via online services.

COPPA obligations: - Provide clear privacy notices specifically targeted at parents - Obtain verifiable parental consent before collecting any personal information from under-13 users - Give parents the right to review, delete, and restrict ongoing collection of their child's data - Implement reasonable data security measures

For WiFi portals, COPPA means: if you have reason to believe under-13 users may complete your portal form (e.g., the venue is a family entertainment centre), you must implement a mechanism to obtain verified parental consent before the form is processed.

GDPR Article 8: EU Requirements for Under-16

GDPR Article 8 provides that for "information society services" offered directly to children, processing of personal data is only lawful where the child is at least 16 years old. Member states may lower this to 13, but not below.

Current age thresholds by country (selected): - UK: 13 years (post-Brexit, UK GDPR aligned with the lower threshold) - Germany: 16 years - France: 15 years - Netherlands: 16 years - Ireland: 16 years - Spain: 14 years

A family venue operating in Germany with German guests must ensure no under-16 user is added to a marketing list without parental consent. This is a more demanding threshold than COPPA's 13.

Implementing an Age Gate on Your WiFi Portal

An age gate is a pre-portal step that collects a self-reported date of birth and checks it against the applicable age threshold before presenting the opt-in form.

Simple implementation (date of birth entry): Before the main portal form, display: "Please enter your date of birth to continue." If the entered age is below the threshold, display: "Marketing opt-in is not available for users under [age] — please connect without marketing opt-in." Provide a "Connect without signing up" option.

Limitation: Self-reported age is not verified. A determined under-13 user can enter a false date of birth. Courts and regulators have generally accepted that reasonable good-faith efforts to implement age gating are sufficient compliance, provided the mechanism is genuine and the broader portal design does not actively target children.

Age-appropriate default settings: For users who indicate they are under the applicable threshold: - Present a connect-without-marketing option only (no opt-in checkbox) - Do not add to any marketing list - Do not send any marketing communications

Documentation: Record the age gate implementation in your ROPA and privacy policy. Note the age threshold applied and the jurisdiction basis for that threshold.

Venue Types Most at Risk

Venues where children's privacy compliance should be prioritised:

• Family restaurants and casual dining chains with children's menus
• Soft play centres and family entertainment venues
• Theme parks and leisure parks
• Family hotels and resorts
• After-school clubs, sports venues, and youth centres
• Libraries and public wifi deployments

For these venues, the age gate is not optional — it is a compliance requirement. The configuration investment is small (2–4 hours of setup) relative to the regulatory exposure of operating without it.