Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The Age of Majority Act 1985, as amended, provides that a person under the age of 18 is a minor for the purposes of Irish law.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
No.
While, strictly speaking, the rights set out in the UNCRC cannot be directly relied upon by children before domestic courts the UNCRC provisions may be applied by domestic courts in their interpretation of children’s rights.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The Ombudsman for Children is established by the Ombudsman for Children Act, 2002.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
No.
The Ombudsman for Children is responsible for the promotion of the rights and welfare of children and promoting awareness of the UNCRC rights and principles, amongst other things. Its competence extends only to investigations of complaints taken against public bodies as such complaints relate to adverse treatment of a child. As such, currently it does not have competence as regards the investigation of such complaints against private entities.
In this regard, the Ombudsman for Children also accepts complaints from children under the age of 18 in accordance with the right of the child to be heard, in accordance with their age and level of understanding.
The Ombudsman for Children’s Office has been designated by the Irish Government as a national public authority for supervising and enforcing fundamental rights in relation to high risk AI systems under the EU AI Act (Article 77). This applies from 2 August 2026.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
There are no national-specific laws in this regard; the GDPR applies in this context. The requirement to collect parental consent under Article 8(1) of the GDPR only applies where the service provider is relying on consent as the legal basis under the GDPR for processing a child’s personal data. If another legal basis is relied on for processing, there is no requirement to collect parental consent for processing the child’s data.
Entirely separate to the requirement to collect parental consent under Article 8(1) is that a digital service provider (controller) may decide to seek parental permissions for a child to access different settings/ features/ functionalities etc. as part of the measures it implements under Articles 24 and 25 of the GDPR to ensure a high level of protection for child users.
See more information on GDPR level requirements here.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
Article 8(1) of the GDPR provides that the age of digital consent may be anywhere between 13 and 16 years of age, depending on what age the EU Member State in question has adopted. In Ireland, this is 16 years of age.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
There are no national-specific laws in this regard; however the GDPR applies in this context. Article 8(2) of the GDPR does not set out an approved method for the collection of parental consent; however, it does require organisations to “make reasonable efforts” to verify such consent by a holder of parental responsibility over a child taking into account available technology. See more information on GDPR level requirements here.
No specific method has been endorsed by the Irish Data Protection Commission (DPC), however in its guidance on processing children’s data (Fundamentals for a Child-Oriented Approach to Data Processing) it emphasises that methods used should not be overly intrusive, should be proportionate and risk-based, with greater levels of stringency and certainty required where the processing of a child’s data poses higher risks. (The DPC also sets out a non-exhaustive criteria to help assess risks in this regard).
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
There are no national-specific laws in this regard; the GDPR applies in this context. See more information on GDPR level requirements here.
Article 12(1) of the GDPR emphasises the particular importance of the requirement for clear and plain language when providing information to children. This requirement is interpreted by the Irish Data Protection Commission (DPC), in its guidance on processing children’s data (Fundamentals for a Child-Oriented Approach to Data Processing) as meaning that children are entitled to receive information about the processing of their own personal data even if consent to the processing was given by a parent. The information should be provided in a child-friendly manner and be capable of being understood by children.
The DPC has applied a very high threshold to this requirement in its decisions concerning processing of children’s data; this relates to both how the information was provided to child users, as well as the content of the transparency information.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
There are no national-specific laws which specify the age at which children have the legal right to exercise their data subject rights under the GDPR. The Irish Data Protection Commission (DPC), in its guidance on processing children’s data (Fundamentals for a Child-Oriented Approach to Data Processing) states that it does not consider it appropriate to set a general age threshold at which children should be able to exercise their rights on their own behalf.
The DPC further considers that a child may exercise these rights at any time, as long as they have the capacity to do so and it is in their best interests. The DPC provides a non-exhaustive list of factors which should be taken into consider by an organisation in determining whether a child should be able to exercise their data subject rights. These include age and maturity, the type of data subject request, the service provided, the type of data involved, whether it is in the best interests of the child to exercise their rights themselves, and whether the parent is involved in the child’s exercise of their data subject rights.
The DPC position is that children should also be able to be represented by an adult (e.g. either an expert in the field, advocate or a parent / guardian) when exercising their data subject rights.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
The Irish Data Protection Commission (DPC), in its guidance on processing children’s data (Fundamentals for a Child-Oriented Approach to Data Processing) considers that a child may exercise their data protection rights at any time, so long as it is in their best interests and they have capacity to do so. The DPC position is that children should also be able to be represented by an adult (e.g. either an expert in the field, advocate or a parent / guardian) when making a complaint to the DPC.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
There are no national-specific laws in this regard but requirements arise from decisions of the Irish Data Protection Commission (DPC) and its guidance on processing children’s data (the Fundamentals for a Child-Oriented Approach to Data Processing (Fundamentals) are relevant here. The following are non-exhaustive examples of such requirements.
a) processing specific types of children’s personal data
There have been several decisions issued by the DPC as the lead supervisory authority under the GDPR concerning processing of children’s personal data. These decisions reflect the outcome of the Article 60 GDPR co-decision making process involving all of the members of the European Data Protection Board (EDPB) and indicate that making children’s online accounts and/or contact details public-by-default should be avoided. The DPC has also emphasised the importance of: appropriate transparency information for children concerning their use of specific features of a service where it may have privacy consequences for them, as well as adhering to the data protection by design and default principle and the controller obligation to take account of the varying likelihood and severity of risks to data subjects (child users of a service).
b) carrying out specific processing activities involving children’s personal data;
Decisions from the DPC referred to above indicate the view of the EDPB and DPC that, amongst other things, data protection assessments should be carried out in relation to: the use of age assurance/ age verification mechanisms; the use by the service of under 18 users; and the potential risks posed to underage users of the service (i.e. those not permitted by the terms of service to use the service). The EDPB has indicated as part of the decision-making process in one case that it does not consider neutral age gates to be effective forms of age verification.
c) using children’s personal data for specific purposes
It is the DPC’s position in the Fundamentals that organisations should not profile children, engage in automated decision-making concerning children, or otherwise use their personal data, for advertising/marketing purposes, unless they can clearly demonstrate how and why it is in the best interests of children to do so. In the Fundamentals, the DPC makes clear that this principle should be at the core of all decisions relating to the processing of children’s personal data.
According to the DPC, the best interests of the child should at all times take precedence over the rights and interests of the organisation processing that child’s personal data for commercial purposes. In practice, according to the DPC this means that there is a high burden of proof on digital service providers to show how it is in the best interests of the child to process their personal data for the purposes of profiling and/ or automated decision making, or otherwise, in order to advertise or market to them. It also means that where a digital service provider is relying on its legitimate interests to pursue specific children’s processing activities for commercial purposes, they must ensure that those interests do not in any way interfere with, conflict with or negatively impact the best interests of the child.
See information on the EU-level requirements here.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
See the information here concerning decisions issued by the Irish Data Protection Commission (DPC) as the lead supervisory authority under the GDPR concerning the processing of children’s personal data. These reflect the outcome of the Article 60 GDPR co-decision making process which involves the members of the European Data Protection Board.
Sanctions imposed by the DPC in these cases have involved the issuing of reprimands, orders to bring processing into compliance and fines in the hundreds of millions of Euro.
Are there specific rules concerning electronic direct marketing to children?
Yes.
Where unsolicited direct marketing to any person is carried out through the sending of electronic mail (i.e. any text, voice, sound or image message including SMS text message) the Irish ePrivacy Regulations (S.I. 336/2011) will apply to such communications. These Regulations transpose the ePrivacy Directive into Irish law. These Regulations are not specifically directed at communications made to children but regardless of whether the communication is sent to an adult or a child, the general rule is that the consent of the individual recipient is required (which must be GDPR-standard consent) although there are certain strictly applied exemptions which can be relied upon in limited circumstances.
The Irish Data Protection Commission (DPC) in its guidance on processing children’s data (the Fundamentals for a Child-Oriented Approach to Data Processing (Fundamentals)) has expressed the view that it is likely that the age of digital consent, per Article 8 of the GDPR, applies to electronic direct marketing communications which are sent by SMS and email and therefore consent to the receipt of electronic direct marketing services can only be provided by a parent/ guardian for a child aged under 16 years, in line with the provisions of Article 8.
Irrespective of reliance upon consent (or an applicable exemption), the DPC has confirmed that the best interests of the child are paramount. Therefore, if an organisation engages in direct marketing towards children, it must show that doing so is in the best interests of the child, regardless of its own commercial interests in sending the direct marketing communications in question.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
There are no national-specific laws in this regard but requirements arise from the Irish Data Protection Commission’s (DPC) guidance on processing children’s data (the Fundamentals for a Child-Oriented Approach to Data Processing (Fundamentals)). It is the DPC’s position that organisations should not profile children, engage in automated decision-making concerning children, or otherwise use their personal data, for advertising/marketing purposes, unless they can clearly demonstrate how and why it is in the best interests of children to do so.
There is a high burden of proof on an organisation to show how it is in the best interests of children to process their personal data for the purposes of profiling and/ or automated decision making, or otherwise, in order to advertise or market to them.
The DPC therefore considers that there will be a very limited range of circumstances where the profiling of children and/or the use of automated decision-making concerning children are legitimate and lawful activities under the GDPR. Such exceptions to this may include, for example, the protection of the child’s welfare.
Additionally, under the Consumer Rights Act 2022, (“CRA 2022”), there are specific provisions prohibiting misleading advertising and its use. The CRA 2022 requires traders to inform consumers if a price has been personalised using automated decision-making, which may involve profiling. In particular, traders must disclose where applicable, the price of the goods, digital content, digital service or service which was personalised on the basis of automated decision making. The CRA 2022 also sets out rules for commercial guarantees, and prohibits misleading or undisclosed promotional practices. Although not specifically targeted at children, the legislation refers to individuals in an age-neutral sense.
Separately under the EU Digital Services Act, organisations that fall under the definition of providers of online platforms are prohibited from advertising to children using personal data-based profiling (i.e. personalised/ targeted advertising).
See more information on EU level requirements here.
Are there specific rules concerning online contextual advertising to children?
Yes.
The Irish Data Protection Commission (DPC) in its guidance on processing children’s data (the Fundamentals for a Child-Oriented Approach to Data Processing) states that the delivery of contextual advertising falls outside the scope of applicable data protection laws and guidance, on the basis that it does not rely on the use of personal data but rather delivers advertising based on on-screen context.
With that in mind, the DPC calls for such contextual advertising to be regulated through advertising standards rather than the GDPR. However, to the extent that contextual advertising relies even on minimal processing of children’s data, the GDPR rules and connected regulatory guidelines etc will apply to such activities.
For further information, see the responses in this section.
See more information on EU level requirements here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
There has been no enforcement specifically concerning advertising to children by the Data Protection Commission.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
This is the age of capacity to enter into a contract in Ireland. However, there are also certain Irish common law exceptions to this general rule.
Do consumer protection rules apply to children?
Yes.
The Consumer Protection Acts 2007 to 2019, as amended (CPA), and the Consumer Rights Act 2022 (CRA) among other provisions of relevance, prohibits misleading advertising, which must be considered in the context of the ‘average consumer’ within the target group. Whether a commercial practice is misleading under the CPA or the CRA will depend on whether it includes the provision of false information, deceives or would be likely to deceive the average consumer regarding a number of matters listed in the relevant provision and such action causes or would be likely to cause the average consumer to make a transactional decision they would not otherwise make. In determining whether a commercial practice is misleading, the commercial practice has to be considered in its factual context, taking account of all its features and circumstances.
The concept of the ‘average consumer’ is also important in the context of the general prohibition on unfair commercial practices contained in the CPA and the CRA. As with the prohibition on misleading commercial practices outlined above, when determining whether a commercial practice is unfair, the commercial practice has to be considered in its factual context, taking account of all of its features and circumstances.
Any practice that deceives consumers or omits critical information such as withholding, omitting or concealing material information that the average consumer would need, in the context, to make an informed transactional decision, with such action causing or being likely to cause the average consumer to make a transactional decision they would not otherwise make, also constitutes a misleading commercial practice. Such practices might include false or incomplete claims on the characteristics and composition of goods, omitting details about pricing, delivery and contract terms, obscuring online rankings or fabricating consumer reviews and restricting or misrepresenting consumer rights beyond what the law permits.
In addition, the CPA set out the mandatory pre-sale information that must be provided to consumers. The CRA also explicitly requires traders to provide essential pre-sale information to consumers in a clear and comprehensible manner before they enter into on-premises, off -premises or distance contracts.
Additionally, see more information on the EU-level requirements
here.
Are there any consumer protection rules which are specific to children only?
Yes.
Section 55(3)(e) of the Consumer Protection Act 2007 to 2019, as amended, prohibits traders from including in advertisements a direct exhortation to children to (i) purchase a product or (ii) persuade a parent or adult to purchase the product for them.
Apart from this provision, neither the CPA nor the Consumer Rights Act 2022 (CRA) contain any other specific rules directed at children. However, as noted above, consumer protection provisions in Ireland must be considered in the context of the ‘average consumer’, so if advertisements are targeted toward children, or the provider is aware children make up a substantial part of their user base, compliance with the provisions of the CPA and the CRA also involves tailoring the advertisements bearing in mind the inexperience of children.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A.
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
There are national-specific laws in Ireland which implement age-related restrictions on the ages at which children can legally access specific goods and services. The following is a non-exhaustive list of goods and services to which such restrictions apply:
- gambling
- alcohol, cigarettes, vaping; and
- pornography.
To the extent such goods and services are accessed online by children, such restrictions will generally also apply.
In a gambling context, under Irish law, an individual must generally be over the age of 18 years to participate in gambling activities including those provided digitally. As a result, if a minor uses an online platform to engage in gambling activities, parental or legal guardian consent is required and should be obtained by the relevant platform. Additionally, platforms should emphasise age-verification processes to prevent underage gambling such as requesting confirmation of an individual’s age prior to an individual being permitted to access the platform
Are there any specific requirements relating to online/ digital safety for children?
Yes.
The Online Safety and Media Regulation Act 2022 (OSMRA) (which amends the Broadcasting Act 2009) sets out the framework for online safety codes to be established and enforced by the media services regulator, known in Ireland as Coimisiún na Meán (CnaM). The OSMRA also transposes the revised Audio Visual Media Services Directive (AVMSD) in Ireland.
Such online safety codes have statutory effect and create specific obligations for prescribed types of digital service providers, depending on the code in question. These online safety codes may cover a wide range of issues, including prescribing obligations for service providers to take measures to protect users in relation to “harmful online content” and commercial communications, as well as requiring service providers to take measures that are appropriate for providing the protections set out under the AVMSD.
In October 2024 CnaM published its first online safety code (Code) which specifically applies to video-sharing platform services; a range of such service providers have been designated as specifically falling within the scope of the Code. Part A of the Code sets out the general obligations flowing from the AVMSD, which apply where appropriate depending on the size and nature of the service (effective from 19 November 2024), while Part B provides more prescriptive obligations (effective from 21 July 2025).
Other similar online safety codes may follow.
Additionally, see more information on the EU-level requirements here.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
Currently there are no explicit statutory provisions under Irish law that establish requirements of general application to implement age assurance/ age verification measures in connection with digital services.
However, from a data protection regulatory perspective, the Irish Data Protection Commission (DPC) in its guidance on processing children’s data (the Fundamentals for a Child-Oriented Approach to Data Processing (Fundamentals) states that while the GDPR does not contain an explicit requirement for age verification, this is the practical implication in most cases of relying on parental consent under Article 8 as the legal basis for processing children’s data when under the age of digital consent. However, in the Fundamentals, the DPC also notes that age verification may be deployed in other circumstances, such as when providing children with a child-friendly version of a website or where users under a certain age are prohibited by that service provider from accessing the online service or prohibited by law from accessing certain types of goods and services.
In its Annual Report 2024, the DPC specifically called out its “focus and dedication to the complex issue of age assurance in the digital environment.”
Separately, under the regime established by the Online Safety and Media Regulation Act 2022 (OSMRA), (see more information here), online safety codes may provide for a requirement directed at relevant categories of digital service providers to implement age verification measures. In this regard, the first online safety code, which is addressed only to video-sharing platform services and providers of those services, requires, amongst other things, age verification measures to be put in place “with respect to content which may impair the physical, mental or moral development of minors” and a further requirement that such organisations include in their terms and conditions a requirement that users comply with and do not attempt to circumvent age assurance measures.
More specifically, the Code also provides that a video-sharing platform service provider which does not prohibit the uploading/ sharing of adult only video content must implement effective age assurance measures to ensure that such content cannot normally be seen by children. Self-declaration of age is specifically stated not to be an effective measure for these purposes. Age assurance is also mentioned as a measure which may be taken to satisfy the obligation to ensure that audio visual commercial communications for alcohol cannot be seen by children.
Additionally, see more information on the EU-level requirements here.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
Yes.
There are no generally applicable national laws in this regard for digital services as a whole. However, the Irish Data Protection Commission (DPC) in its guidance on processing children’s data (the Fundamentals for a Child-Oriented Approach to Data Processing) has indicated that parental controls may be an aspect of the measures by which a digital services provider complies with its data protection by design and default obligations and implements the higher level of protection which applies under the GDPR with regard to the processing of children’s personal data.
Separately, certain obligations in this respect arise under the first Online Safety Code implemented by the Irish media services regulator, Coimisiún na Meán, (see more information here). This Code is addressed to video-sharing platform service providers. It requires such service providers to generally provide for parental control systems that are under the control of the end-user with respect to content which may impair the physical, mental or moral development of minors. There is also a more specific obligation to implement effective parental control systems to protect users aged under 16 years, for service providers whose terms of service allow this age group, with respect to video content and audiovisual commercial communications which may impair the physical, mental or moral development of children. Parental controls are also mentioned as a measure which may be taken to satisfy the obligation to ensure that audio visual commercial communications for alcohol cannot be seen by children.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
No decisions have yet been taken by the Irish media services regulator, Coimisiún na Meán (CnaM) in relation to compliance with the obligations arising from the regime established under the Online Safety and Media Regulation Act 2022 and the first Online Safety Code (see more information here).
However CnaM has recently used its statutory powers in relation to information gathering under the regime.
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific requirements in this regard; see EU-level response here.
Note, however, that the Ombudsman for Children’s Office has been designated by the Irish Government as a national public authority for supervising and enforcing fundamental rights in relation to high risk AI systems under the EU AI Act (Article 77). This applies from 2 August 2026.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A.
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
N/A at national level; however, see information on the upcoming EU-level requirements here.
