Minors and Age Restriction

What it is

AI21's services are not for users under 16 years old, and AI21 says it will delete any data it discovers was collected from a child under 16 without parental permission.

Why it matters (compliance & governance perspective)

The age threshold of 16 is higher than the 13-year COPPA threshold used by many US services, which may reflect GDPR Article 8 compliance for EU users, but the policy does not describe what age verification mechanisms are in place.

Consumer impact (what this means for users)

AI21 sets its minimum age at 16, which exceeds the COPPA threshold of 13 for US services. However, the policy does not describe any age verification mechanism, which means enforcement relies primarily on self-reporting. Parents who discover a child under 16 has used AI21 can contact privacy@ai21.com to request data deletion.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision engages COPPA (Children's Online Privacy Protection Act), which applies to US services collecting data from children under 13, and GDPR Article 8, which sets the age of digital consent at 16 by default (with member states able to lower this to 13). The policy's 16-year threshold aligns with GDPR's default rather than COPPA's lower threshold. The FTC enforces COPPA in the US. EU data protection authorities enforce GDPR Article 8 requirements. GOVERNANCE EXPOSURE: Medium. The absence of a described age verification mechanism is a common limitation of online services and is noted by regulators as a structural challenge. For an AI service that could be used for educational or research purposes, the risk of underage users self-registering is non-trivial. The policy's reliance on reactive deletion rather than preventive verification is standard but may face increasing regulatory scrutiny as jurisdictions implement stronger age assurance requirements (including the UK's Age Appropriate Design Code and proposed US legislation). JURISDICTION FLAGS: EU member states that have lowered the GDPR Article 8 age of consent below 16 (including the UK at 13, Germany at 16, and others at various thresholds) create a patchwork compliance environment. The UK's Age Appropriate Design Code (Children's Code) imposes additional obligations on services likely to be accessed by children. California's Age-Appropriate Design Code Act may apply to AI21 if the service is likely to be accessed by minors. Illinois and other states may impose analogous requirements. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers deploying AI21 in educational or youth-oriented contexts should confirm that their use case is consistent with the 16-year age minimum and assess whether additional contractual protections are required. Organizations subject to FERPA or COPPA should evaluate whether AI21's services are appropriate for their user populations. COMPLIANCE CONSIDERATIONS: Legal teams should assess whether AI21's age restriction policy is supported by adequate technical or operational controls, particularly given increasing regulatory focus on age verification for AI services. If AI21 products are deployed in contexts where minors may be users, additional safeguards should be contractually required. The policy's reactive approach to underage data should be evaluated against emerging age assurance standards in the UK, EU, and applicable US states.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Prompt and Interaction Data Collection and Model Training Use medium
• Third-Party Advertising and Analytics Data Sharing medium
• International Data Transfers medium
• Data Subject Rights (GDPR and CCPA) medium
• Enterprise API Data Processing Agreement medium
• Data Retention low