Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
Under Article 2 of the Italian Civil Code, the legal age of adulthood is 18 years old.
Persons below this age are considered minors.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
Yes.
The UNCRC has been incorporated into Italian law with Law 27 May 1991, no. 176 “Ratifica ed esecuzione della convenzione sui diritti del fanciullo, fatta a New York il 20 novembre 1989”.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The Italian Ombudsperson for Children and Adolescents (Autorità Garante per l’infanzia e l’adolescenza - AGIA) was established by Law 12 July 2011, no. 112.
The AGIA ensures the fulfillment and protection of the rights and interests of children and adolescents and promotes the implementation in Italy of the UNCRC and of other international instruments on the promotion and protection of the rights of children and adolescents.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
Yes.
Article 3.10 of Law 112/2011 provides that “the Authority shall examine, also ex officio, general and particular situations of which it has become aware in any way, in which a violation, or the risk of violation, of the rights of persons under the age of 18 can be identified, including those relating to the media, possibly reporting them to the bodies vested with the power of control or sanction”. Since “media” could be also the Internet, the AGIA can examine possible violations in the digital world too.
Article 3.11 of Law 112/2011 also provides that the Authority may make observations and proposals for preventing and combating “the abuse of children and adolescents in relation to…child pornography, including by means of the Internet”.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
There are no national-specific laws in this regard; the GDPR applies in this context. The requirement to collect parental consent under Article 8(1) of the GDPR only applies where the service provider is relying on consent as the legal basis under the GDPR for processing a child’s personal data. If another legal basis is relied on for processing, there is no requirement to collect parental consent for processing the child’s data.
Additionally, see more information on the EU-level requirements here.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
Article 2-quinquies of Legislative Decree 196/2003 (the Italian Data Protection Code), pursuant to Article 8 of the GDPR, provides that a child aged above 14 years may give his or her consent to the processing of his or her personal data in relation to the offer of information society services directly to him or her. For children aged below 14, parental consent is required.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
There are no national-specific laws in this regard; the GDPR applies in this context. However, Article 8(2) GDPR requires the controller to make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology. For further information, see the response to this question.
Additionally, see more information on the EU-level requirements here.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
Article 12(1) of the GDPR emphasises the particular importance of the requirement for clear and plain language when providing information to children. Further, Article 2-quinquies (2) of the Legislative Decree 196/2003 (the Italian Data Protection Code) reinforces the GDPR requirement by introducing further detail in this regard, requiring that information notices to be provided to children be drafted “in particularly clear and simple language, concise and exhaustive, easily accessible and understandable by the child, in order to make the consent given by the child meaningful”.
See more here.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
There are no national-specific laws which specify the age at which children have the legal right to exercise their data subject rights under the GDPR.
Nevertheless, under the local legal framework on legal capacity of minors and article 2-quinquies (2) of the Legislative Decree 196/2003 (the Italian Data Protection Code), minors aged 14 or more are entitled to exercise their rights by themselves. Conversely, the data protection rights of minors under 14 can be exercised only by their parents.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
For further information, see the response to this question. Additionally, while generally children are represented by a parent or an expert when making a complaint to the Italian Data Protection Authority (Garante), under certain circumstances minors are allowed to file a complaint on their own. Article 144-bis of the Legislative Decree 196/2003 (the Italian Data Protection Code) provides that “anyone, including minors over the age of 14, who has well-founded reason to believe that images or videos with sexually explicit content concerning him or her, intended to remain private, may be sent, delivered, transferred, published, or disseminated without his or her consent in violation of Article 612-ter of the Criminal Code, may apply, by report or complaint, to the Garante.”
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
a) processing specific types of children’s personal data
There are no national specific laws in this regard.
b) carrying out specific processing activities involving children’s personal data;
There are no national specific laws in this regard. See more detail in relation to GDPR requirements here. However, over the years, the Italian Data Protection Authority (Garante) has taken restrictive positions with respect to the processing of minors’ personal data in context other than the provision of services, and especially in relation to use of minors’ data for profiling and targeting. This was initially raised very softly in guidelines on marketing and profiling targeting in 2013. Over the years the Garante issued, for instance, also the Decision no. 20, 22 January 2021[doc. web. 9524194] by means of which it imposed an immediate limitation on the processing performed by as social media company, one of the main aspects raised by the authority was that due to lack of efficient age verification system, targeted advertisement might have reached minors.
c) using children’s personal data for specific purposes
No national specific laws in this regard. However, the Garante has listed the processing of minors’ personal data within the mandatory list of processing activities subject to a data protection impact assessment (DPIA).
Additionally, see more information on the EU-level requirements here.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
The Italian Data Protection Authority (Garante) has recently been quite active in the enforcement of processing activities regarding children’s data. Specifically, the Garante has focused in particular on age verification mechanisms, stressing the importance of implementing appropriate and strong verification measures by the controllers although no specific guidance has been offered as to what extent certain verifications would be more effective than others in the Garante’s view or acceptable.
See for instance:
(i) Decision no. 20, 22 January 2021[doc. web. 9524194] by means of which the Garante imposed an immediate limitation on the processing performed by a social media company regarding the data of users whose age could not be established with certainty; (ii) Decision no. 39 of 2 February 2023 [doc. web. 9852214], through which the Garante issued an urgent order blocking an AI-powered chatbot from processing the personal data of Italian users because it poses risks to minors and vulnerable people and is not in compliance with Article 13 GDPR. A further final decision was issued against the data controller of the chatbot on 10 April 2025 [doc. web 10127930] in which various infringements were found, corrective orders made directing the company to bring processing into compliance concerning its privacy policy and age verification system and its non-compliance with Articles 5 and 6 GDPR and issuing a fine of €5 million against it; and (iii) Decision no. 114 of 11 April 2023 [doc. web. 9874702], through which the Garante ordered an AI company to immediately implement an age gating system for the purpose of signing up to the service and to implement an age verification system to filter out users aged below 13 (to be read as 14, in Italy as well as users aged 13 to 18 for whom no consent is available by the holders of parental authority). A further decision was issued on 20 December 2024 with various corrective powers issued including a €15 million fine. The decision included the Garante’s finding that the company had not provided mechanisms for age verification which created risks for under 13s. That decision is currently under suspension by the Italian court.
Are there specific rules concerning electronic direct marketing to children?
No.
There are no national-specific rules on direct marketing addressed to children, but parental consent shall be generally required for minors under 18 as marketing activities are not encompassed in the notion of “information society services” covered by Article 8(1) GDPR and Article 2-quinquies of the Legislative Decree 196/2003 (the Italian Data Protection Code).
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
1) Data Protection rules
In general, from a data protection point of view, there are no specific rules on profiling and targeted advertisement addressed to children, but parental consent shall be generally required for minors of 18 as targeted advertisement is not encompassed in the notion of “information society services” covered by Article 8(1), GDPR and Article 2-quinquies of the Legislative Decree 196/2003 (the Italian Data Protection Code).
Article 13(6) of Law Decree 15 September 2023, no.123 which includes rules for the safeguarding of minors in the digital ecosystem, introduced an obligation for device manufacturers and electronic service providers to embed parental control solutions and also set a prohibition on the use of data collected or originated in the context of the setup of parental control applications for profiling and marketing purposes.
Further, the Italian Data Protection Authority (Garante) has recently recalled that particular attention should be paid to the use of minors’ personal data in the context of automated decision-making processes, including profiling, from which minors - in general and not only those under the age of 14 - should be generally excluded especially where such processing - which certainly include targeted marketing - are likely to produce significant effects on them (see Decision 22 February 2024 Doc. web no. 10027096).
2) Advertising rules
Under Article 11 of the Code of Marketing Communication Self-Regulation of the Italian Advertising Standard Authority (IAP), that applies also to online advertising, marketing communications addressed to children (i.e., less than 12 years of age) and young people or to which the latter may be exposed, “should avoid material that could cause psychological, moral or physical harm, and should not exploit the credulity, inexperience or sense of loyalty of children or young people”.
In particular, such advertising must not suggest:
- violating generally accepted rules of social behaviour;
- acting dangerously or seeking exposure to dangerous situations;
- that failure to possess the promoted product means either their own inferiority or their parents’ failure to fulfil their duties;
- that the role of parents and educators is inadequate in supplying healthy nutritional advice; or
- adopting poor eating habits or neglecting the need for a healthy lifestyle.
Moreover:
- marketing communications must not include a direct exhortation to children to buy the promoted product or to persuade other people to purchase it;
- the portrayal of children and young people in marketing communications must avoid playing on the natural sentiments of adults towards the young; and
- visual depictions of children, or persons resembling children, engaged in or seeming to engage in sexually explicit conduct are forbidden.
Additionally, see more information on the EU-level requirements here.
Are there specific rules concerning online contextual advertising to children?
Yes.
There are no national-specific rules on contextual advertising to children.
See more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
1) Data protection rules
There has been no enforcement concerning specifically advertising to children by the Italian Data Protection Authority (Garante).
2) Advertising rules
Some decisions implementing Article 11 of the Code of Marketing Communication Self-Regulation have been issued by the bodies of the Italian Advertising Standard Authority.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
Under Italian law, legal capacity (“capacità di agire”) – i.e., the capacity to perform legal acts affecting one's own legal sphere – is acquired automatically upon reaching the age of 18 (see Article 2 of the Italian Civil Code).
However, the Italian Civil Code also provides for exceptions to this general rule.
Do consumer protection rules apply to children?
Yes.
The Italian Consumer Code (adopted with Legislative Decree of 6 September 2005, No 206, as subsequently amended) (Consumer Code), among its provisions, contains rules that are intended to provide protection for particularly weak and vulnerable consumers, including minors.
By way of example, Articles 135-octies ff. of the Consumer Code on contracts for the supply of digital content and services apply, inter alia, to all cases of digital games (including those offered in the context of cloud computing) that do not fall within the scope of gambling. Some Italian scholars have clarified that the protection provided by such rules derives from the need to protect a large number of vulnerable persons (in particular, minors) who normally make use of these digital services.
Additionally, see more information on the EU-level requirements here.
Are there any consumer protection rules which are specific to children only?
Yes.
Among the provisions of the Italian Consumer Code (adopted with Legislative Decree of 6 September 2005, No 206, as subsequently amended) (Consumer Code) that prohibit unfair commercial practices, Article 21(4) of the Consumer Code provides that a commercial practice which, insofar as it is likely to reach children and adolescents, may directly (or even indirectly) threaten their safety, is unfair and, therefore, prohibited. The assessment on the violation of this Article must be conducted on a case-by-case basis.
Please note that, in assessing the likelihood of a message to reach minors, the Italian Competition Authority (ICA) considers relevant the specific ways in which the message is spread, considering – among other things – the following to be decisive:
(i) the time slot of television or radio programming close to programmes for children or adolescents; (ii) publication in specialised periodicals for teenagers; (iii) dissemination of the message in places attended by a young public; and (iv) general dissemination of the message, in places open to all or by means accessible to anyone, allowing the presumption that minors may also become aware of the message (e.g. billboards on the streets or in the underground).
Article 26(1)(e) of the Consumer Code provides that the commercial practice of including in an advertisement a direct exhortation to children to buy (or persuade their parents or other adults to buy them) the advertised products is an aggressive commercial practice (as children are considered to be particularly vulnerable) and, as such, prohibited.
Moreover, Article 31 of the Consumer Code, entitled “Protection of minors”, provides for that TV sales must not (i) encourage minors to enter into contracts to buy or rent products and services; or (ii) cause moral or physical harm to minors and must comply with specific criteria (set out in this provision) for their protection.
Specific provisions for the protection of minors are also contained in special laws, such as: (i) Italian Legislative Decree No 177/2005, i.e. Consolidated Law on Radio and Television; (ii) TV and minors self-regulation code approved on 29 November 2002; and in some resolutions of the Italian Regulatory Authority for Communications (AGCOM) that, among its tasks, has the assessment of compliance with the rules on the protection of minors in the broadcasting sector.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
At national level, among the measures adopted following investigations opened by the Italian Competition Authority (ICA) for alleged violation of the provisions of the Italian Consumer Code (adopted with Legislative Decree of 6 September 2005, No 206, as subsequently amended), the ICA imposed a fine of €10 million on a social media company for unfair commercial practice with reference to -inter alia- the following profiles:
- Inadequacy of the control and supervision measures adopted by the social media company on the content published by users, with particular reference to the protection of vulnerable persons;
- dissemination of content capable of threatening the psycho-physical safety of children and adolescents; and
- undue conditioning of users through the re-suggesting of content that may be detrimental for minors and vulnerable persons.
Please note that a trader engaging in an unfair commercial practice may be sanctioned by the ICA, among other things, with a fine of up to €10 million, based on several criteria (including the seriousness and duration of the violation). Moreover, the ICA can order the trader to cease the unfair commercial practice and may also order publication (in whole or in part) of its decision.
In addition, with resolution No 9/23/CONS, the Italian Regulatory Authority for Communications (AGCOM) – implementing Article 7-bis of Law Decree No 28/2020 – adopted guidelines on the provision by Internet Service Providers (ISPs) of (free of charge) parental control systems or filtering systems of inappropriate content for minors and blocking systems of content reserved for an audience over the age of eighteen.
In the event of violation by ISPs of the obligations set forth in these guidelines, AGCOM can order the operator to cease the contested conduct and to refund any sums unjustifiably charged to users, indicating in each case a period of not less than 60 days to comply.
With resolution No 31/24/CONS, AGCOM warned Italian telecommunications operator Iliad S.p.A. to comply with the obligations provided for by the above guidelines to pre-activate parental control systems on SIM cards in the name of or reserved for minors for which parental control service had not been activated at the time of the AGCOM measure.
As far as we know, to date no other companies have been warned by AGCOM for non-compliance with the above-mentioned guidelines.
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
There are national-specific laws in Italy which implement age-related restrictions on the ages at which children can legally access specific goods and services. The following is a non-exhaustive list of goods and services to which such restrictions apply:
- gambling
- alcohol, cigarettes, vaping; and
- pornography.
To the extent such goods and services are accessed online, such restrictions will also apply.
In any case, according to Article 2-quinquies of the Legislative Decree 196/2003 (the Italian Data Protection Code) children under the age of 14 need parental consent to access information society services.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
The Italian law against cyberbullying (Law 71/2017) enables children aged above 14 who are victim of cyberbullying to send a request of obscuration, deletion or restriction to the website or social media provider. The data controller shall process the request within 24 hours.
Additionally, see more information on the EU-level requirements here.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
There are no national – specific laws which set age verification requirements. See more information on the EU-level requirements here.
However, the Italian Data Protection Authority (Garante) has been very active in the enforcement in this area, stressing the importance of implementing appropriate age verification systems to ensure children protection when accessing information society’s services. (See details of examples of such decisions here).
In addition, a technical working group on the protection of minors in the context of social networks, online services and digital products has been activated. Its members are national independent authorities and Ministry of Justice components. The group has issued a final report providing guidance and recommendation on various aspects related to the use of social media by minors, including age verification mechanisms.
With specific regard to video sharing platforms the Italian Regulatory Authority for Communications (AGCOM) has adopted decision no. 61/24/CONS launching a public consultation aimed at defining the technical and process modalities for ascertaining the age of users by providers of websites and platforms of video sharing in case of access to pornographic content and services. The draft measure, approved by the AGCOM in May 2024 at the end of the consultation has been passed to the Garante to collect its opinion, and will subsequently be notified to the European Commission.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
Yes.
With Resolution 9/23, the Italian Regulatory Authority for Communications adopted specific Guidelines for Internet Service Providers to correctly implement “parental control” systems. For further information, see the response to this question.
The Guidelines apply only in a B2C context and identify the categories of websites on which the operators must implement filters. The list includes sites with pornographic content or those that provide information or promote gambling, the sale of weapons, violence, hatred and discrimination, sects or practices harmful to health or, finally, sites that provide tools and ways to make online activity untraceable (so-called anonymizers).
See also the answer to this question concerning obligations for device manufacturers and electronic service providers concerning parental controls in the context of profiling and marketing.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
We are not aware of specific regulatory enforcement actions in this area apart from decisions of the Italian Data Protection Authority (Garante) to date. For further information, see the response to this question.
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
Article 4(4) of Law proposal no. 1146, which regulates the use of AI, provides that access to AI technologies by children aged below 14 requires the consent of the holder of parental responsibility. However, children aged between 14 and 18 may give consent for the processing of personal data related to the use of AI systems, provided that the information and communications regarding the processing of data related to the use of AI systems are easy to access and to understand.
Additionally, see EU-level response here.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
We are not aware of specific regulatory enforcement activity on this point.
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
There are several legislative proposals regarding minors and the Internet, with reference to access to platforms and the use of the image of minors:
- law proposal no. 1217 is aimed at providing protections for minors online, raising by one year (from 14 to 15) the minimum age for digital consent, and by providing age restrictions for the access to electronic services which pose greater risks to physical and mental health, as well as safety and security of minors. In addition, it sets age verification obligations and related sanctions on service providers;
- law proposal no. 1771 extends labour protections to baby influencers, guaranteeing the deposit of earnings in accounts in the name of minors and managed by a special curator until they reach age of majority, as well as recognising the right to be forgotten for the removal from the Internet of their images posted when they were under the age of 14. The proposal also calls for requiring the consent of both parents for the publication of images of minors. In addition, it provides for the obligation for digital platforms to adopt a code of regulation for the dissemination of minors' content and promotes campaigns to raise awareness of the risks involved. Finally, it raises the age of digital consent from 14 to 16;
- law proposal no. 1800 regulates the phenomenon of sharenting and baby influencers, indicating that such activities must be communicated and authorised by the Italian Regulatory Authority for Communications. Again, provision is made for the deposit of the earnings of minors in a dedicated account. The text provides, like the previous one, the possibility, at the age of 14, to exercise the right to be forgotten. Finally, it provides for the updating of the TV and minors self-regulation code, which must also be respected by video sharing platforms;
- law proposal no. 1863 is aimed at introducing obligations on providers of information society services in order to protect minors from the risks of cyber space. These include verifying the age of their users and introducing a feature allowing minors under the age of 15 instant activation with the children's emergency number “114.” It also regulates the legal regime of contracts concluded between providers of information society services and minors, sanctioning the nullity of contracts concluded with minors under 15 years of age, and the dissemination of the image of minors under 15 years and the use of any proceeds.
Additionally, see more information on the EU-level requirements here
