Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
Article 414 of the French Civil Code states that the age of majority is set at eighteen years and at this age, everyone can exercise the rights they possess.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
Yes.
The UNCRC was published in the Official Journal of the French Republic under Decree No. 90-917 of October 8, 1990.
Furthermore, French courts have recognized the direct applicability of two important articles of the UNCRC: Article 3, which concerns the best interests of the child (QPC, March 21, 2019, No. 2018-768; CE, September 22, 1997, No. 161364), and Article 16, which addresses the right to privacy of the child (CE, March 10, 1995, No. 141083).
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The Défenseur des droits is responsible for safeguarding children's rights and interests in France.
The Commission nationale consultative des droits de l’Homme regularly issues recommendations to ensure that France fully complies with the UNCRC.
Regarding regulations specific to audiovisual media, and in accordance with Law No. 86-1067 of September 30, 1986 on freedom of communication, the Conseil supérieur de l’audiovisuel, now known as ARCOM, is responsible for protecting children and adolescents in programmes provided by audiovisual communication services.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
No.
The Défenseur des droits is responsible for promoting children's rights and welfare, as well as raising awareness about the rights and principles of the UNCRC, among other duties.
However, as an independent administrative authority, it acts as an intermediary between individuals and the state. Therefore, its jurisdiction is limited to investigating complaints against public bodies when such complaints concern the mistreatment of a child. It does not have the authority to investigate complaints against private entities.
In the scope of their power of sanction, French authorities will be responsible notably for protecting children.
As an example,
- the SREN law, enacted in May 2024, which aims to secure and regulate the digital space, granted ARCOM, Audiovisual and Digital Communication Regulatory Authority, a new power. This power allows it to issue formal notices to websites that permit minors to access pornographic content. If the issue is not resolved within 15 days, ARCOM can refer the matter to the Paris Judicial Court to request that the site be blocked. ARCOM's authority focuses on restricting minors' access to such content, rather than regulating the content itself. Ongoing legal proceedings are currently targeting several websites. To limit access to pornographic content, two key requirements must be met: the reliability of age verification systems (1), and the protection of personal rights, ensuring that users' data is secure and protected from hacking (2).
- the CNIL, the French Data Protection Authority, also has a complaint mechanism to initiate investigations regarding the protection of personal data. The CNIL encourages allowing minors to directly exercise their digital rights to address the risks of cyberbullying.
- the DGCCRF, the French authority for competition and consumer protection, may impose sanctions on vendors, platforms, and influencers who fail to comply with the Consumer Code, particularly regarding minors in the presentation of their offers, advertisements, or websites.
- the ANJ, the French gambling authority, may take action against illegal offers and operators that do not adhere to gambling prohibition concerning minors and regulated advertising.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
Yes.
For minors under 15: in every case, parental authorisation will be required; but note as below there are specific instances where minor consent will also be required.
In detail:
Article 45 of the French Data Protection Act (Informatique et Libertés) stipulates that for online services when data processing relies on the user's non-contractual consent, the parental authority holders must jointly agree with their child to the processing if the child is under the legal age of consent of 15 years.
As explained by the French Data Protection Authority (CNIL) in its recommendations, this means that consent for additional features, such as choosing a public or private profile on a social network or activating optional geolocation on an app, must theoretically be agreed upon by both the child and the parents. In other words, parents cannot override the child’s will, and the child cannot bypass their parents' opposition.
However, for data processing resulting from contracts concluded online (e.g. creating an account on a social network), when the child is under 15 years of age, the parental authority holders must exclusively conclude it on the child’s behalf.
This understanding was confirmed by the recently adopted Act n° 2003-566 of 7 July 2023 aiming to establish a “digital age of majority” and combating online hate. This Act prohibits, as per Article 4, providers of social network services providing services in France from accepting the creation of an account by a minor of under 15 years of age, except if parental authorisation is collected. The law has been published but is not yet in force as it is currently waiting for the EU Commission’s approval.
In addition, under French contractual law, while minors under 18 are generally not allowed to enter into contracts (Article 1146 of the French Civil Code), French case law takes a flexible approach. Contracts involving minor purchases of goods or services for small amounts are often accepted. Additionally, minors can engage in "routine acts" (Article 1148 of the French Civil Code) under normal conditions, which could include activities like registering on social media. Nonetheless, this is subject to further case-by-case analysis. Therefore, a minor aged 15 or older may be allowed to subscribe to online platforms independently when using their free services.
However, for minors under 18 in relation to paid services: Parental consent is required both for processing minor’s data and for contracting the paid services.
See also information on the GDPR-level requirements here.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
In France, the age of digital consent is 15 years old (Article 45 of the French Data Protection Act).
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
Article 4 of the Act n° 2003-566 of 7 July 2023 aiming to establish a “digital age of majority”, forbids providers of social network services providing services in France to accept the creation of an account by a minor of less than 15 years of age, except if parental authorization is collected. The law has been published but is not in force yet, waiting for the EU Commission’s approval.
Notably, it provides that, in order to verify the age of end users and the authorisation of one of the holders of parental authority, online social network service providers must use technical solutions that comply with a framework developed by the Audiovisual and Digital Regulatory Authority (ARCOM) for Communication, after consultation with the French Data Protection Authority (CNIL). To date, this framework has not yet been published.
In addition, the CNIL, after consulting with the Ministry of Justice, has indicated in its recommendations that, for online service providers processing personal data concerning minors under 15, obtaining the consent of only one of the holders of parental authority is sufficient and that the consent of the other holder, if he/she exists, is being presumed. However, the other holder of parental authority must be given the opportunity to express his/her opposition if he/she wishes.
See also further details in relation to the concept of “sharenting” here.
See also information on the GDPR-level requirements here.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
The French Data Protection Act has integrated the Article 12(1) of the GDPR through Articles 45 and 48. These provisions emphasise the particular importance of the requirement for clear and plain language when providing information to minors.
See more information on the GDPR-level requirements here.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
In France, parents (legal representatives) generally exercise the rights of a minor, including: the right of access, the right to rectification, the right to erasure and the right to object.
However, there are situations where minors can directly exercise their rights.
The French Data Protection Authority (CNIL) considers that minors can directly exercise their rights over their personal data when this action is considered a routine act, especially if it aligns with the child's best interests. Therefore, it deems that minors should be able to exercise their rights regarding personal data, notably on social networks.
This autonomy does not prevent parents from exercising their child's rights or supporting them in the process.
To ensure that these rights are effectively exercised, the French DPA recommends that online service providers take all necessary measures to clearly and comprehensibly explain the process and available appeal options.
Article 70 of the French Data Protection Act also provides for specific requirements regarding the processing of minors’ health data, particularly in the context of public health research, studies, and evaluations. If the minor is under 15 and if it is not possible to inform both parents in a timely manner about the processing, information may be provided to just one parent. However, both parents retain the right to exercise their legal rights later. If the minor is aged 15 or above, he/she can object to his/her parents accessing data collected about him/herself during the research or study. Further, minors can also prevent their parents from being informed about the data processing if revealing such participation would disclose sensitive health information (such as participation in prevention, diagnosis, or treatment) that the minor has chosen to keep private, or if family ties are broken and the minor benefits independently from health insurance. In such cases, the minor is the one who receives information and exercises his/her rights independently.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
In France, parents (legal representatives) generally exercise the rights of a minor.
However, the French Data Protection Authority’s (CNIL) online service to file a complaint does not check the age of the data subject. Therefore, it appears possible for a minor to make complaints.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
No national laws requirements. See information on the EU-level requirements here.
However, the CNIL had already recommended that online platform and service providers used by minors should ensure that profiling mechanisms for minors, particularly for advertising purposes, are deactivated by default.
In addition, the CNIL has strongly recommended such providers to refrain from reusing or transmitting minors' data to third parties for commercial or advertising purposes, unless they can demonstrate that they are acting for compelling reasons related to the child's best interests.
Further, "Sharenting"— the practice of parents sharing photos of their children on social media— has become a significant topic in France and was formally addressed in the French civil code in February 2024. Parents must both consent to the publication of their child's photos, and the child's consent should be obtained when feasible. The French Data Protection Authority (CNIL) also recommends blurring children's faces in photos to protect their privacy.
Finally, the CNIL has also issued 8 recommendations to enhance the protection of children online with best privacy practices.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
Several sanctions have been issued by the French Data Protection Authority (CNIL) to date:
A provider of electricity was fined €600,000 in November 2022 for several infringements, including failure to comply with the exercise of the right to object concerning the personal data of a minor: The father of a minor had objected to the company’s processing of his son’s personal data for the purpose of marketing.
The data controller had nonetheless contacted the minor again after the request.
A provider of a communication app intended for minors was fined €800,000 in November 2022 for several infringements, including failure to carry out a data protection impact assessment (DPIA) when the data controller processed massive amounts of personal data of vulnerable persons (in this case, minors). The company took action during the procedure by carrying out two DPIAs which concluded that the processing was not likely to result in a high risk to individuals' rights and freedoms.
- “RECTORAT” (“National Education Services Unit”) received a call to order from the CNIL for having shared a file containing personal data from 11856 students who were minors, with information concerning their results in the French national exam (“Bac”), to a deputy who represents the department. The latter made posts on social media and sent emails to congratulate students who had succeeded.
Are there specific rules concerning electronic direct marketing to children?
No.
There are no specific provisions for children in French law.
According to Article L32 of the French Postal and Electronic Communications Code, electronic communications are defined as the emission, transmission, or reception of signs, signals, writings, images, or sounds via electromagnetic means.
Article L34-5 of the same Code prohibits direct marketing through automated electronic communication systems, fax, or email using the contact details of a natural person, subscriber, or user, unless they have given prior consent to receive such communications.
Consent is understood as any freely given, specific and informed indication of a person’s will, allowing their personal data to be used for direct marketing purposes.
This applies to children too, meaning that, from a data protection perspective, parental consent from minors aged under 15 should also be collected in order to send electronic direct marketing.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
There are no national-specific laws in this regard; see more information on the EU-level requirements here.
Are there specific rules concerning online contextual advertising to children?
Yes.
Article 7 of Decree n°92-280 prohibits advertising that causes moral or physical harm to children, including (i) directly encouraging minors to buy products by exploiting their inexperience, (ii) encouraging them to persuade parents to buy products, (iii) exploiting minors’ trust in authority figures, or (iv) portraying minors in dangerous situations with no reason.
The Child Advertising Guidelines published by the French Advertising Regulatory Authority require that ads must be clearly identifiable, avoid promoting antisocial or dangerous behaviors, and be appropriate for children’s maturity levels. Advertisements should not place children in situations that could harm their dignity or well-being, such as creating discomfort or anxiety.
They must also avoid implying that owning a product gives a child an advantage over others or creates an urgent need to purchase. Finally, ads must respect children’s levels of maturity and experience by not misleading them about product features, size, value, or performance.
Furthermore, the advertising of certain goods and services is regulated or even prohibited. For example, in accordance with Article L.2133-1 of the Public Health Code, advertisements for beverages containing added sugars, salt, or synthetic sweeteners, as well as for manufactured food products, must include health information (such as “Eat 5 fruits and vegetables a day”). These requirements apply to advertisements broadcast on television, on the radio, in print media, and in periodic publications issued by the producers or distributors of these products.
Additionally, certain advertisements are prohibited to protect minors. Thus, in accordance with Article L. 324-12 of the Internal Security Code (CSI), advertising for gambling and games of chance is banned in audiovisual programs directed at minors, as well as in publications and websites targeting them, and in cinemas during screenings of works accessible to this audience. Law n° 2023-451 of June 9, 2023, aimed at regulating commercial influence and combating the excesses of influencers on social media, also prohibits advertising for certain financial products and services, notably cryptocurrencies, nicotine pouches, therapeutic abstentions, cosmetic surgery, and subscriptions for betting advice and sports predictions.
Additionally, see information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
The French Data Protection Authority (CNIL) has the authority to sanction companies whose marketing practices fail to comply with regulations protecting minors. For instance, in its decision of 24 November 2022, the CNIL fined an electric utility company €600,000 notably for disregarding a complainant's refusal to allow the processing of their child's personal data for marketing purposes.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
Between
Following the transposition of the Omnibus Directive into French law, the introductory article of the Consumer Code defines a digital service as any service that allows a consumer to create, process, or store data in digital form, access that data, or share or interact with data uploaded or created by the consumer or other users of the service.
The Consumer Code does not differentiate between the regulation of digital services and other types of services. Since the Code does not include any provisions regarding minors, the Civil Code must be applied. According to Article 1148 of the Civil Code, children may only engage in routine transactions permitted by law or common practice, provided that these transactions are made under normal conditions.
There is very little case law in France concerning what constitutes routine transactions that would clarify what is or isn't permitted. For instance, however, purchasing a car or opening a bank account are not considered routine transactions and are therefore prohibited for minors under 18.
Ultimately, it is up to judges to assess whether an action can be classified as a routine transaction, taking into account factors such as its monetary value, the habits of the minor and their family, the associated risks, and the overall impact of the action on the child's best interests.
In conjunction with the data regulations outlined above, we anticipate that certain digital contracts will be permitted for minors between 15 and 18 without the parental consent, while others will be prohibited for minors under 18.
Do consumer protection rules apply to children?
Yes.
The provisions of the Consumer Code apply to all consumers, regardless of age, including regulations regarding deceptive commercial practices.
Additionally, see information on the EU-level requirements here.
Are there any consumer protection rules which are specific to children only?
Yes.
The Consumer Code does not include specific provisions regarding the protection of children in consumer matters.
The SREN law, adopted in May 2024, aims to enhance the protection of minors by implementing measures to limit their exposure to inappropriate content, particularly pornographic material. Platforms are also required to verify the age of users and restrict access to adult content. This verification must be conducted rigorously to prevent any attempts to circumvent the rules.
In the event of non-compliance with age verification standards, the Audiovisual and Digital Communication Regulatory Authority (ARCOM), upon consultation with the president of the French Data Protection Authority (CNIL), can issue a formal notice within one month.
Failure to comply with this notice may result in financial administrative sanctions of up to €150,000 or 2% of the previous year's global revenue excluding VAT, with the higher amount being enforced (and potential increases in the fine for repeat offenses).
In addition, "Sharenting"— the practice of parents sharing photos of their children on social media— has become a significant topic in France and was formally addressed in the French civil code in February 2024. Parents must both consent to the publication of their child's photos, and the child's consent should be obtained when feasible. The French Data Protection Authority (CNIL) also recommends blurring children's faces in photos to protect their privacy. Finally, the CNIL has also issued 8 recommendations to enhance the protection of children online with best privacy practices.
Additionally, see information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
To our knowledge, neither the French courts nor the Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes (DGCCRF) have to date taken action against companies for marketing practices specifically aimed at minors.
Are there any age-related restrictions on when children can legally access online/ digital services?
Not yet.
Apart from the Act n° 2003-566 of 7 July 2023 mentioned above on the digital age of majority at 15 and not in force yet, France has no specific laws that enforce age-related restrictions on the legal access of children to online / digital services.
However, the restriction applicable to minors for specific goods and services will also apply for online/ digital access of these goods and services. The following is a non-exhaustive list of goods and services subject to these restrictions also online for minors:
- Alcohol;
- Pornography;
- Cigarettes and vaping; and
- Gambling.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
The SREN law establishes specific obligations for websites proposing pornographic content. They must implement age verification systems to prevent minors from accessing the content (notably through digital identity verification). Non-compliance with this regulation can result in fines of up to €150,000 or 2% of the previous year’s global turnover, excluding VAT.
The 2023 Influencer Law also regulates the work of minor children as follows:
- The work of an influencer aged between 16 and 18 must be governed by a contract.
- Paid appearances by children under 16 require individual authorisation or approval from the Regional Directorate of Economy, Employment, Labour, and Solidarity (DREETS). Failure to obtain authorisation may result in a 5-year prison sentence and a fine of €75,000.
- If videos are produced for profit and exceed the scope of leisure, the work of children under 16 must also be governed by a formal employment contract.
Additionally, see information on the EU-level requirements here.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
From a data protection perspective, there are no national-specific laws in this regard; see more information on the GDPR-level requirements here. The French Data Protection Authority (CNIL) highlights that while age and parental consent verification systems are required for certain applications and websites, it is essential to maintain the ability to browse freely online without mandatory identification.
Therefore, the CNIL promotes systems that respect principles of proportionality, data minimisation, simplicity, and standardisation.
However, on 26 February 2025, a ministerial decree was adopted to provide a list of all adult-content websites submitted to the age verification restrictions under articles 10 to 10-2 of the Law on the Confidence in the Digital Economy, as modified by the SREN Law, enacted in May 2024, which aims to secure and regulate the digital space. The decree is available in French: Arrêté du 26 février 2025 désignant les services de communication au public en ligne et les services de plateforme de partage de vidéos établis dans un autre Etat membre de l'Union européenne soumis aux articles 10 et 10-1 de la loi n° 2004-575 du 21 juin 2004 pour la confiance dans l'économie numérique. For more details on the SREN law see here.
Additionally, see information on the EU-level requirements here.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
No.
Currently, French law does not impose specific obligations to implement age verification systems.
However, in April 2024, the Audiovisual and Digital Communication Regulatory Authority (ARCOM) introduced draft guidelines containing 16 recommendations for technical measures to verify the age of children accessing online services, particularly for pornographic websites. We have no visibility on the timeline of the adoption of these guidelines and the precise scope of these guidelines needs also to be clarified.
Additionally, see information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
Article L312-9 of the Code of Education requires that children be provided with awareness on the proper use of digital tools and artificial intelligence, of all types of content generated by them and of social networks, as well as of the dangers and risks associated with these tools and with content generated by artificial intelligence, and of the fight against misinformation.
Articles 226-8 and 226-8-1 of the French Criminal code prevent the use of deepfakes. The making of a deepfake by using an online public communication service is an aggravating factor.
The CNIL’s How-to-sheets on AI mention specific requirements for minors:
- Sheet 8 n° 2/2 on the legal basis of legitimate interests: Focus sheet on measures to implement in case of data collection by web scraping: some measures are mandatory under the principle of data minimization (Article 5(1)(c) of the GDPR). For instance, defining precise collection criteria and applying filters that make it possible to exclude the collection of categories of data when they are not necessary (for example, if they are not necessary, bank transaction data, geolocation data, data concerning vulnerable persons such as minors, sensitive data, etc.). The CNIL also recommends the implementation of measures aiming at excluding, by default, data collection from certain websites that contain particularly intrusive data given their sensitivity (such as websites or social media mainly used by minors).
- Sheet 9 on informing data subjects (available in French, as the English version is not updated): In the case of data processing involving the data of minors, particular attention should be paid to ensure that the information provided is sufficiently comprehensible by the children.
Sheet 10 on respecting and facilitating the exercise of data subjects’ rights (available in French, as the English version is not updated): where processing is based on legitimate interests or the performance of a task carried out in the public interest, data subjects may, at any time, object on grounds relating to their particular situation. The data controller must then comply, unless there are compelling legitimate grounds for continuing to process the data. For example, the right to object and the subsequent deletion of data are in principle automatic in the event of compromising photographs being stored in a data set, or nominative comments being made on the web when the person was a minor.
Additionally, the AI Act (Regulation 2024/1689) applies in this context; see EU-level response here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
On 16 January 2025, the French Data Protection Authority, the CNIL, published its Strategic Plan for 2025-2028 (available in French here: Plan stratégique de la CNIL - 2025-2028):
- The promotion of an ethical and respectful AI is the first focus area identified by the CNIL over the next three years. The CNIL eventually plans to take enforcement actions to control the compliance of AI systems.
- The protection of minors is the second focus area identified by the CNIL for the next 3 years. In this regard, the CNIL plans to take enforcement actions against operators that offer online services to underage persons.
- The development of digital identity systems which respect privacy is the fourth area of focus identified by the CNIL. In this regard, the CNIL wants to help enhance and enforce age verification systems. Age verification solutions can encompass AI features such as face estimation.
Thus, the development of compliant AI systems and the protection of minors, including with age verification, can be intertwined and are currently a strong focus of the CNIL.
No other upcoming requirements on children and AI are identified. However, a draft law aimed at identifying images generated by artificial intelligence published on social media was filed on 3 December 2024. This draft law has not yet been discussed by the representatives and is not scheduled in the coming sessions whether at the Senate or the National Assembly. This draft law is available in French here: Proposition de loi, n 675 - 17e législature - Assemblée nationale.
Additionally, see EU-level response here.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
There are no existing or upcoming requirements relevant to children’s use of digital services at national level. See more information on the upcoming EU-level requirements here.
