Protecting minors online: what the G7 of data protection authorities agreed upon in Paris
There online protection of minors has just reached an international milestone. On June 25 and 26, 2026, at the invitation of the CNIL and within the framework of the French presidency of the G7, the authorities of data protection The seven major powers met in Paris. There, they adopted two texts that will influence how companies handle children's data: a declaration on the age verification and a document on connected home devices. For any manager who collects data from minors, even indirectly, these guidelines deserve serious consideration.
Key takeaways
- Meeting of G7 of data protection authorities in Paris on June 25-26, 2026, under French presidency (CNIL).
- Two texts adopted: one age verification statement and a document on the connected objects respecting the privacy of children.
- The CNIL was represented by its president Marie-Laure Denis and Commissioner Bertrand du Marais.
- The common thread: reconciling online protection of minors And protection of personal data, without over-collection.
- The next edition will be in 2027 in the United States, under the chairmanship of the FTC.
The G7 data protection summit meets in Paris
Before delving into the substance, a word about the event itself, as it sheds light on the significance of the adopted texts. This is not just another conference, but a coordinated effort between the world's leading data regulators.
Who was around the table?
The G7 is bringing together the authorities of data protection from Germany, Canada, the United States, France, Italy, Japan and the United Kingdom, alongside the two European authorities, the European Committee of the data protection and the European Controller. The CNIL, host of this edition, was represented by its president Marie-Laure Denis and by Bertrand du Marais, commissioner in charge of international affairs.
The discussions also involved the committee of Convention 108 of the Council of Europe and the OECD, a sign that cooperation extends beyond the G7 alone. This convergence is important: when seven major regulators agree on principles, they shape the doctrine that will inspire national controls in the future.
An agenda focused on emerging technologies
On the agenda: the online protection of minorsEmerging technologies, the free flow of data, and law enforcement cooperation. Smart glasses were the subject of a comparative review led by the CNILand agentic artificial intelligence has fueled debates about automated decision-making processes that reduce human intervention.
The day before, the CNIL had organized its Privacy Research Day, where Inria researchers presented their reflections on the technical and ethical challenges of AI. The message is clear: regulation should keep pace with technology, not lag behind it.
This edition primarily confirms a fundamental trend: the online protection of minors The issue is no longer addressed on a country-by-country basis. The same platforms, the same connected devices, and the same AI models are circulating everywhere, which is pushing regulators to speak with one voice. For a French company, this means that a standard emerging at the G7 level will, sooner or later, become the norm in its daily operations.
Protecting minors online: the two adopted texts
Let's get to the heart of the matter. Two key documents have been adopted, and they are aimed at platforms as well as manufacturers and, essentially, any organization that processes children's personal data.
A statement on age verification
The first text deals with the mechanisms of age verification respectful of privacy. It sets out key principles to be respected when developing and using these devices, which are now required for access to many online services.
The challenge is well-known: verifying that a user is of the required age without turning this check into a massive collection of personal data. age verification A poorly designed system can expose the child more than it protects them. It is precisely this tension that the declaration seeks to address.
A document on connected home devices
The second text targets connected devices in the home—connected toys, voice assistants, watches, and various other devices—used by minors or likely to process their data. It specifies the best practices expected of manufacturers regarding privacy from the design stage.
The stakes are high. A toy that records a child's voice or a watch that tracks their location handles particularly sensitive data. Regulators are demanding that data protection be built into the product, not added as an afterthought.
Why these texts matter to businesses
These documents are not directly binding regulations. But underestimating them would be a mistake: they foreshadow how the authorities will interpret them during their next inspections. The doctrine is established here; implementation will follow.
In other words, a company that processes data from minors has every interest in aligning itself with these principles now, rather than waiting for a formal notice to discover that it was out of compliance.
Age verification and privacy: a delicate balance
There age verification It alone encapsulates the entire difficulty of the subject. It presents two legitimate demands that must be reconciled.
Verify age without over-collecting data
On the one hand, protecting minors requires knowing who is a minor. On the other hand, the GDPR It mandates data minimization: collecting only the data that is strictly necessary. Requiring identification to access a simple service would be tantamount to creating a sensitive file to solve a simple problem.
The G7 authorities are therefore pushing for solutions that prove age without revealing full identity or creating reusable databases. This is a design principle, not just a legal requirement.
What the GDPR already says about minors' data
The frame is not blank. Article 8 of the GDPR The law already regulates the consent of minors for online services. In France, the Data Protection Act sets the age threshold below which parental consent is required at 15.
Children's data thus benefits from enhanced protection, which the work of the G7 extends to the realm of emerging technologies. Understanding this foundation is the starting point for any serious compliance efforts on this subject.
What online child protection changes for your GDPR compliance
The question that interests every leader remains: in concrete terms, what can be done? Even without being a platform for teenagers, many organizations process data of minors without always having formalized it.
Mapping the treatments that affect minors
The first step is to identify where, within your business, data from minors enters your system: registration forms, contests, apps, community spaces, loyalty programs. A structured assessment often reveals unsuspected data processing activities. Our A complete guide to GDPR compliance audits details this mapping process.
Without this visibility, it's impossible to implement the enhanced precautions required to protect children's personal data. You can't protect what you haven't identified.
The useful reflex is to ask a simple question at each data collection point: could a minor legitimately end up in this file? If the answer is yes, or even "maybe," the processing warrants special attention—proportionate age verification, appropriate information, and parental consent where applicable. This discipline is better than a general policy that ignores specific cases.
Document, govern, and prove
Once the processing activities have been identified, they must be registered, the legal basis defined, the data secured, and evidence retained. This is the role of structured governance. the GDPR governance module Viqtor® organizes this traceability, and you can see for yourself by browsing the sovereign Viqtor® platform.
THE GDPR It requires demonstrating compliance, not just asserting it. With regard to data concerning minors, this level of proof will be scrutinized even more closely given the sensitivity of the subject.
Do you process data from minors and want to ensure your compliance?
AI and connected devices: the next frontiers in children's privacy
The G7 didn't just talk about miners. The same regulators laid down milestones on artificial intelligence, and the two topics often overlap.
Agentic AI in the crosshairs
The discussions focused on agent-based AI and the challenges of its development, particularly the use of automated decision-making processes that reduce the role of humans. When these systems process data from minors, vigilance is heightened even further.
For a company, this means that an AI tool integrated into a consumer service cannot be deployed without considering its effects on the most vulnerable audiences.
Anticipate rather than react
International doctrine is being built right now. Organizations that integrate it early turn a constraint into an advantage: they reassure their clients, secure their markets and avoid emergency corrections.
This is the philosophy we uphold at Viqtor®: to make the GDPR compliance a continuous reflex rather than a panic reaction after a check. This head start will be invaluable when it comes to protecting minors online.
FAQ — Protecting minors online and G7
What is the G7 of data protection authorities?
This is a roundtable bringing together data regulators from Germany, Canada, the United States, France, Italy, Japan, and the United Kingdom, along with European authorities. Its aim is to harmonize approaches to major digital challenges. The 2026 edition was held in Paris, and the next will take place in the United States in 2027.
Is the age verification declaration binding?
No, these are common principles, not directly applicable regulations. But these texts foreshadow how the authorities will interpret the rules during their inspections. Ignoring them risks falling out of step with the gradually emerging doctrine.
From what age can a minor give consent alone in France?
In France, the threshold is set at 15 years for online services, in accordance with Article 8 of the GDPR and the French Data Protection Act. Below this age, consent must be given or authorized by those holding parental authority. Minors' data benefits from enhanced protection.
Is my company unknowingly processing data from minors?
This is common. Sweepstakes, newsletters, open forms, apps, and loyalty programs can collect data from minors without prior notice. An audit of your data processing activities allows you to verify this and, if necessary, implement the expected enhanced precautions.
How to prepare for future rules on the protection of minors online?
By mapping the processing activities involved, documenting the legal bases and security measures, and keeping evidence up to date, a compliance platform that centralizes the register, governance, and evidence makes this preparation sustainable over time rather than just on the eve of an audit.
Take stock of the miners' data that you process.
To learn more, find all our resources on the data governance and GDPR compliance on the Viqtor platform.