Navigated to blog › childrens-data-csv-coppa-gdpr
Back to Blog
csv-guides

Children's Data in CSV Files: COPPA, GDPR Article 8, and CCPA 2026

March 16, 2026
12
By SplitForge Team

Quick Answer

Four overlapping regulations govern children's data in CSV files, each with its own age thresholds and requirements. COPPA (US, under 13), GDPR Article 8 (EU, under 16 for digital services), FERPA (US education records, no age limit), and CCPA as amended effective 2026 (under 16 as sensitive personal information) may all apply simultaneously to the same CSV file. The most protective regulation in scope applies. Processing children's data in any cloud-based CSV tool without appropriate agreements and safeguards is a high-risk compliance exposure.

TL;DR: Children's data has the most restrictive privacy requirements of any category. EdTech companies face COPPA, GDPR Article 8, FERPA, and CCPA 2026 simultaneously. Each sets different age thresholds and obligations. Minimize what you process, mask before sharing, and avoid uploading to server-side tools without appropriate agreements.

An EdTech company's data team exports a CSV of student learning progress records for analysis. The file contains student IDs, grade levels, assessment scores, login timestamps, and school district codes. Most students are between 8 and 14 years old. The team uploads it to a data visualization tool to generate reports.

Four regulatory frameworks have just been potentially implicated simultaneously: COPPA (under-13 students, US), GDPR Article 8 (EU students under 16), FERPA (education records, all ages), and CCPA 2026 (under-16 consumers, California). Each has different obligations. None was satisfied by uploading the file to a data visualization tool without appropriate agreements and de-identification.

This guide was developed by reviewing COPPA (15 USC §§6501-6506), GDPR Article 8 and Recital 38, FERPA (20 USC §1232g), and California Privacy Rights Act amendments effective January 1, 2026. It is not legal advice.

📋 Table of Contents

This guide is for: EdTech compliance teams, DPOs handling children's data, legal counsel assessing multi-jurisdiction exposure, and data analysts responsible for student or minor data processing.

Regulation Decision Tree

Use this tree before processing any CSV that may contain data from individuals under 18. Follow each branch in order — multiple regulations can apply simultaneously, and the tree identifies all that do, not just the first match.

START: Does the CSV contain data about individuals who may be under 18?
│
├─ No → No children's data regulations triggered. Proceed with standard GDPR/CCPA analysis.
│
└─ Yes ↓
   ┌─────────────────────────────────────────────────────┐
   │ Is this an education record (grades, attendance,    │
   │ test scores, disciplinary records) from a federally │
   │ funded US institution?                              │
   └─────────────────────────────────────────────────────┘
   │
   ├─ Yes → FERPA ALWAYS APPLIES (all ages, all US ed records)
   │         → Sign Data Sharing Agreement with school
   │         → Confirm legitimate educational interest
   │         → Continue checking other frameworks below ↓
   │
   └─ No → Continue ↓
   
   ┌─────────────────────────────────────────────────────┐
   │ Is the individual under 13, and is the data from   │
   │ a US online service they used?                     │
   └─────────────────────────────────────────────────────┘
   │
   ├─ Yes → COPPA APPLIES
   │         → Verifiable parental consent required
   │         → School exception may apply for EdTech
   │         → Continue checking other frameworks below ↓
   │
   └─ No → Continue ↓
   
   ┌─────────────────────────────────────────────────────┐
   │ Is the individual an EU/EEA resident under 16?     │
   └─────────────────────────────────────────────────────┘
   │
   ├─ Yes → GDPR ARTICLE 8 APPLIES
   │         → Consent of parent/guardian required
   │           (or lower member state threshold: 13–15)
   │         → Full GDPR compliance required
   │         → Continue checking other frameworks below ↓
   │
   └─ No → Continue ↓
   
   ┌─────────────────────────────────────────────────────┐
   │ Is the individual a California consumer under 16?  │
   └─────────────────────────────────────────────────────┘
   │
   ├─ Yes → CCPA/CPRA 2026 SENSITIVE PI APPLIES
   │         → Opt-in required for sale/sharing
   │         → Under 13: verifiable parental authorization
   │         → Retain data minimization policy
   │
   └─ No → No children's-specific regulation triggered for this record.
           Apply general GDPR/CCPA based on data subject jurisdiction.

RESULT: Each "Yes" branch above is an independent obligation.
A 12-year-old EU student using a US EdTech app:
→ FERPA (if education records) + COPPA (under 13, US online service)
  + GDPR Article 8 (EU resident under 16). All three apply simultaneously.

How to apply this to a CSV: Run the tree for each distinct population segment in your file, not the file as a whole. A single CSV with students aged 10–17 from the US and EU will have different regulatory obligations per age band and jurisdiction. Segment before processing.

Regulation Stack Matrix

Use this matrix to identify which regulations apply to your specific dataset. Multiple may apply simultaneously.

Dataset TypeCOPPAGDPR Art. 8FERPACCPA 2026
US school student data (K-12) Under 13 EU students under 16 All ages Under 16 (CA)
Gaming/app user data, under 13 Yes EU users N/A Under 16 (CA)
EdTech platform, no parental consent School exception may apply Must meet Art. 8 standard Yes Under 16 (CA)
Healthcare data, minors If online service, under 13 EU minors Separate rules Under 16 (CA)
Survey data from students Under 13 EU under 16 If linked to records Under 16 (CA)
Employment data (minors 14-17) Employment context EU minors under 16 N/A Under 16 (CA)
Consumer data (under 16, non-education) If online service, under 13 EU under 16 N/A Under 16 (CA)

COPPA: Children's Online Privacy Protection Act

Scope: COPPA (15 USC §§6501-6506) applies to online services directed to children under 13, and to general-audience online services that have actual knowledge they are collecting personal information from children under 13.

Key requirements for data teams:

  • Parental consent is required before collecting, using, or disclosing personal information from children under 13
  • The consent must be verifiable — not just a checkbox
  • Data must be retained only as long as necessary for the purpose for which it was collected
  • Parents have the right to review and delete collected information

COPPA and the school exception: Schools can authorize collection of student data on behalf of parents — but the data use must be for the school's educational purpose only. If your tool is used by a school, verify that the data use falls within the school exception before processing.

The FTC enforcement record: COPPA violations have resulted in significant FTC settlements. YouTube/Google paid $170 million in 2019 for COPPA violations. Musical.ly (now TikTok) paid $5.7 million in 2019. Operators who "knew or should have known" they were collecting data from children under 13 without verifiable parental consent face civil penalties up to $51,744 per violation.

What this means for CSV processing: If a CSV file contains data from users under 13 from a COPPA-covered service, every disclosure — including uploading to an analysis tool — must be within the scope of the original consent and purpose.

GDPR Article 8: Age of Digital Consent

Scope: GDPR Article 8 applies the conditions for consent of child data subjects in the context of information society services (online services). Member states can lower the minimum age to 13, but 16 is the default for EU-wide services.

Age thresholds by member state (the lower limit is 13, upper is 16):

  • 13: Belgium, Denmark, Estonia, Finland, Latvia, Lithuania, Malta, Sweden
  • 14: Austria, Bulgaria, Cyprus, Italy, Spain (provisional)
  • 15: Czech Republic, France, Greece, Hungary, Slovakia
  • 16: Croatia, Germany, Ireland, Luxembourg, Netherlands, Poland, Portugal, Romania, Slovenia

Practical implication for data teams: If you cannot determine the age of EU data subjects in a CSV, apply the most conservative threshold (16) unless you have jurisdiction-specific age data.

GDPR Recital 38 specifically notes that children's personal data "merit specific protection, in particular when used for commercial purposes or to create personality profiles." Data protection authorities have shown willingness to impose higher penalties for children's data violations.

FERPA: Student Education Records

Scope: FERPA (20 USC §1232g) protects the privacy of student education records at institutions receiving federal funding. It applies to all students regardless of age. It covers "education records" — records, files, documents, and other materials that contain information directly related to a student and are maintained by an educational institution or party acting for the institution.

What FERPA covers in CSV context:

  • Student names, IDs, grades, GPA, course enrollment
  • Assessment scores and test results
  • Disciplinary records
  • Financial aid records
  • Attendance records

FERPA consent exceptions: FERPA permits disclosure without consent to school officials with legitimate educational interest, to other schools in transfer situations, in response to certain judicial orders, and in some audit and evaluation contexts. CSV exports to analytics vendors may qualify under the "school officials" exception if the vendor has a legitimate educational interest and is designated as a school official in an appropriate agreement (typically a Data Sharing Agreement).

Directory information: FERPA allows schools to designate certain information as "directory information" (name, address, phone) and disclose it without consent, unless a student has opted out. However, the directory exception does not apply to grades, test scores, or other education records — only to the specifically designated directory fields.

CCPA 2026: Minors as Sensitive Personal Information

Scope: The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA, effective January 1, 2023), established that personal information of consumers under 16 constitutes sensitive personal information. The CPRA framework and associated California Privacy Protection Agency (CPPA) regulations effective in 2026 have clarified enforcement expectations and risk assessment requirements for businesses processing minors' data at scale. This is not a brand-new law — it is an evolution of existing CPRA obligations with updated regulatory guidance.

What applies in 2026:

  • Data of California consumers under 16 is treated as sensitive personal information requiring heightened protections
  • Businesses cannot sell or share for cross-context behavioral advertising the personal information of consumers under 16 without affirmative authorization (opt-in, not opt-out)
  • Businesses must maintain a documented data retention policy for this category
  • Consumers under 13 must have verifiable parental authorization (aligns with COPPA)
  • CPPA's 2026 enforcement priorities include audit of businesses with large inventories of minors' data

For data teams: Any California resident under 16 in a CSV is a sensitive personal information data subject. Using a server-side tool to process this data adds a disclosure relationship that must be assessed against CCPA/CPRA obligations.

COPPA 2.0 and Teen Privacy: What's Emerging in 2026

The existing COPPA framework covers under-13 children for online services. As of early 2026, two significant developments affect how organizations should think about teen data in CSV files:

COPPA 2.0 proposal: The FTC's proposed COPPA 2.0 rule (under active discussion as of March 2026) would extend consent requirements to teens aged 13–17 for certain data uses, including targeted advertising and data sales. The proposal has not been finalized as of this writing — it remains a proposed rulemaking. Organizations that process teen CSV data (13–17 age range) should monitor this development closely, as the operational impact of extending COPPA-style consent to this age group would be substantial.

State-level teen privacy laws: Several states have enacted or are considering teen-specific privacy laws beyond COPPA. California's AADC (Age-Appropriate Design Code) requires privacy-by-default protections for users under 18. Similar frameworks are active or proposed in Virginia, Texas, and Florida as of 2026. For organizations with CSV data from US teen users, state-level analysis is increasingly required alongside federal COPPA analysis.

Practical guidance for data teams: Until COPPA 2.0 is finalized, apply the current COPPA standard (under-13) for federal compliance. For California users under 18, apply AADC-aligned data minimization. For any CSV data containing age fields showing 13–17 users, assess against applicable state laws and flag the records as requiring review if COPPA 2.0 advances.

Age Verification Technical Patterns in CSV Data

A common operational question is how to handle age data that arrives in different forms across different CSV exports. Here is how to assess each pattern:

Age Verification MethodData in CSVReliabilityCOPPA Implication
Age gate (birth year dropdown)Year of birth field, often 1900–2025 rangeLow — easily bypassed by entering false year"Should have known" standard may apply if content attracts children
Self-reported DOB at registrationFull DOB or birth yearMedium — verifiable if cross-checked against payment/IDMore defensible than age gate; still not verifiable parental consent
Third-party age verification serviceVerification status flag (true/false) or verification tierHigh — depends on service methodologySatisfies "reasonable efforts" standard more reliably
School-issued credentials (SSO)Institution code + grade level fieldHigh for enrolled studentsSchool exception may apply; FERPA interaction
Parental consent tokenConsent timestamp + parent email hashHigh — documented verifiable consentSatisfies COPPA verifiable parental consent requirement
Payment card verificationAge inferred from payment (18+ proxy)Medium — minors use family cardsDoes not confirm actual user age; not sufficient for COPPA compliance
No age data collectedAge field absentNoneIf service likely attracts under-13, COPPA applies to full user base

For data teams processing CSV exports: Identify which age verification method was used at the platform level before exporting and sharing data. The method determines how reliably you can segment under-13 or under-16 records, and therefore which regulatory obligations apply to which subset of the CSV.

Data Minimization for Children's CSV Data

Strip before sharing. For CSV files containing children's data, data minimization is the most effective risk reduction strategy:

  1. Remove direct identifiers. Names, emails, device IDs, and account numbers typically serve no analytical purpose — strip them first.
  2. Generalize ages and dates. Replace exact birthdates with age ranges or year of birth. Replace specific dates with month/year or quarter.
  3. Generalize geography. Replace precise school locations or addresses with district-level or state-level data.
  4. Replace student IDs with research IDs. Use a consistent research identifier that is not the operational student ID — maintain the mapping table separately with appropriate access controls.
  5. Assess remaining quasi-identifiers. Grade level + school + disability status can re-identify a student in a small class. Apply the same quasi-identifier analysis as for any GDPR pseudonymization assessment.

After applying these steps, assess whether re-identification is reasonably possible. If yes, the data remains personal data and all regulatory frameworks continue to apply.

Safe Processing Workflow

StepActionFrameworks Addressed
1Identify all fields against each framework's definitionCOPPA, GDPR, FERPA, CCPA
2Apply data minimization — strip non-essential fieldsAll frameworks — minimization principle
3Apply pseudonymization to remaining identifiersGDPR Art. 5(1)(c); COPPA data minimization
4Assess residual re-identification riskGDPR Recital 26; COPPA
5Use client-side tool for processing step — no uploadAvoids disclosure trigger for all frameworks
6If upload required: verify tool has COPPA compliance, FERPA agreement, DPA, BAA if health dataCOPPA operator obligations; FERPA exception
7Document purpose limitation for the processingFERPA; GDPR Art. 5(1)(b)

Age Verification in CSV Data: Practical Considerations

A recurring practical challenge in children's data compliance is that age information in CSV exports is often incomplete, inconsistent, or absent entirely. Here is how to handle common scenarios.

Age field present and reliable: If the CSV contains a date of birth or age field populated at account registration and your registration flow requires age verification, use that field to classify records. Apply the most protective regulation for each age band (COPPA for under-13, GDPR Article 8 for EU under-16, CCPA 2026 for California under-16).

Age field absent or optional: If age was not collected at registration, or was collected as an optional field with significant gaps, you cannot confirm the ages of all users. For COPPA purposes, you should assess whether the service is "directed to children under 13" — if the content, features, or marketing appeal to children, COPPA applies to the full user base, not just confirmed under-13 users.

Age field self-reported and unverified: Many platforms collect age via a birth year dropdown with no verification. Self-reported ages skew older — users under 13 often inflate their age to access platforms. If COPPA applies to your service and self-reported age is the only verification mechanism, your legal team should assess whether COPPA's "actual knowledge" standard is triggered.

What to do in practice: When age data is absent or unreliable in a CSV intended for analysis:

  1. Treat the full dataset as potentially containing children's data if the service could attract users under 16.
  2. Apply data minimization before processing — reduce fields to the minimum needed for the analysis purpose.
  3. Use client-side processing to avoid upload exposure regardless of age composition uncertainty.
  4. Consult legal counsel before exporting or sharing datasets where age distribution is unknown.

For EdTech specifically, school-issued rosters typically do contain year-in-grade data that allows age inference — use this to segment and apply appropriate protection to under-13 records.

Additional Resources

COPPA:

GDPR:

FERPA:

CCPA:

FAQ

COPPA applies when an operator has "actual knowledge" that a user is under 13. If users disclose their age as under 13 during registration, or if the service's content is likely to attract children, COPPA requirements may apply. If your CSV data includes age fields showing under-13 users, your organization had knowledge and COPPA obligations apply.

It can, but requires that: (1) the vendor is designated as a "school official" in writing, (2) the vendor has a legitimate educational interest, (3) the vendor is under the direct control of the school regarding use of education records, and (4) the vendor does not re-disclose the data. A Data Sharing Agreement specifying these terms is typically required. Generic analytics tool terms of service do not satisfy FERPA.

COPPA does not apply (COPPA is under-13 only). GDPR Article 8 applies if the student is an EU resident (under-16 default, though some member states set 13 or 14). FERPA applies to their education records regardless of age. CCPA 2026 applies if the student is a California consumer under 16.

Under FERPA, disclosure to research organizations requires either student consent or meeting the research exception (45 CFR §99.31(a)(6)), which requires the research to be conducted for or on behalf of the educational institution, and that the institution enters a written agreement specifying terms. The CSV data used must be limited to what is necessary for the research. Consult your institution's IRB and FERPA officer.

Pseudonymization reduces re-identification risk but does not take data outside COPPA scope. COPPA applies to "personal information" which is broadly defined to include persistent identifiers (even pseudonymous ones that can be used to track a user over time). Full de-identification where re-identification is not reasonably possible may take data outside COPPA scope, but the threshold is demanding.

Process Student and Children's Data Without Upload Exposure

No upload — file stays in your browser, no disclosure trigger for COPPA, FERPA, or GDPR
Apply pseudonymization locally before any data sharing — reduce re-identification risk
No processor relationship created for client-side processing step
Mask student IDs, names, and age data before any downstream use

Continue Reading

More guides to help you work smarter with your data

ai-data-prep

AI-Ready Data Checklist: 10 Things to Verify Before Upload (2026)

Before uploading to ChatGPT, Claude, or a fine-tuning API, run through this 10-point checklist. UTF-8 encoding, clean headers, PII removed, size within limits.

Read More
ai-data-prep

Convert Excel to JSON for AI APIs and LLM Pipelines (2026)

AI APIs and LLM pipelines expect JSON, not spreadsheets. Fine-tuning needs JSONL; direct prompts take arrays. Convert locally — no upload, no conversion server.

Read More
ai-data-prep

Prepare Data for AI: The Complete Guide (Privacy-First, 2026)

How to prepare a CSV or Excel file for ChatGPT, Claude, or an AI API — encoding, PII, format, size, and privacy. The complete local-first prep workflow.

Read More