GDPR for Mobile Apps: 6 Practical Obligations 2026

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • TDDDG Section 25 (German ePrivacy implementation) requires consent before any storage of, or access to, information on the user's device unless strictly necessary for the requested service; it applies to apps as well as websites
  • Apple ATT is a parallel platform requirement, not a substitute for GDPR consent
  • Marketing push notifications require consent; transactional push (e.g. order confirmation) does not
  • Children under 16 trigger Art. 8 GDPR — parental consent and stricter design
  • Third-party SDKs (Facebook, Firebase, Mixpanel) require per-SDK privacy review and DPA

1. TDDDG Section 25 applies to apps

The Telecommunications-Telemedia Data Protection Act applies the EU ePrivacy rule to mobile apps as well as websites. Any storage or reading of information on the user's device requires prior consent unless strictly necessary for the requested service.

2. Apple App Tracking Transparency

iOS requires the ATT prompt before any cross-app tracking via the IDFA. Until the user explicitly allows tracking, the status is treated as denied, and the impact on remarketing is substantial. ATT is a platform rule from Apple; it does not replace GDPR consent obligations and runs in parallel with TDDDG Section 25.

3. Push notifications

Marketing pushes (newsletter-style notifications, promotional content) require explicit consent. Transactional pushes tied to a service the user requested (order confirmation, delivery update) do not. Document the distinction in your records of processing.

4. In-app advertising

Personalized advertising requires consent under Art. 6(1)(a) GDPR. Generic, non-personalized advertising can rely on legitimate interest (Art. 6(1)(f)) provided you complete a balancing test and disclose it in the privacy notice.

5. Children's apps (under 16)

Art. 8 GDPR sets the digital-consent threshold at 16, with member-state discretion down to 13. Germany kept the threshold at 16. Below the threshold, parental consent is required. Apply data minimization, prohibit behavioral advertising, and use plain language in the privacy notice.

6. Third-party SDK audit

Every embedded SDK is a privacy-relevant component. For each SDK (Firebase, Facebook, Mixpanel, ad networks): document the purpose, the data sent, the recipient, the legal basis, and the contract type (DPA or controller-to-controller). Remove any SDK without a clear purpose.

Summary

Mobile apps add platform-level layers (ATT, App Store privacy labels) on top of GDPR and TDDDG. Plan around three constraints: consent before any device read, per-SDK governance, and stricter handling for children. SDK inventory is the single highest-leverage starting point.


Frequently Asked Questions

ATT vs. GDPR?
ATT is an Apple obligation. The GDPR is an EU obligation. Both apply in parallel.

Children's apps: threshold?
Under 16 years under the GDPR. Member states may lower the threshold to 13 (Germany: 16).
