Cisco states that Duo's products are not meant for children under 16 and that it will delete any personal data collected from children under 16 if discovered.
This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The age threshold is set at 16 rather than 13, which is more protective than the US federal minimum under COPPA, and aligns with GDPR Article 8 requirements for children's data in EU member states that have adopted the 16-year threshold.
Parents and guardians should be aware that if a child under 16 uses a Duo-protected service, Cisco's policy states it will delete that data, but the practical enforcement of this commitment depends on Cisco being notified.
How other platforms handle this
The Service is intended for general audiences and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child under the age of 13 has provided us with personal information without your cons...
enableGpcSdk: true, gpcSetting: { privacyPolicyLink: '/Privacy-Security-Policy-a-282.html' }
We process Global Privacy Control signals as opt-out requests for the sale or sharing of personal information.
Monitoring
Duo Security has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Our products and services are not directed to children under the age of 16. We do not knowingly collect personal data from children under 16 without parental consent. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information.— Excerpt from Duo Security's Duo Privacy
REGULATORY LANDSCAPE: The Children's Online Privacy Protection Act in the US sets the minimum age threshold at 13 for online services. GDPR Article 8 permits member states to set the consent age for information society services between 13 and 16; several EU member states have adopted 16. By using 16 as the threshold in this policy, Cisco's statement is consistent with GDPR maximum-protection states but more restrictive than COPPA's US minimum. The FTC enforces COPPA compliance for US services. GOVERNANCE EXPOSURE: Low. Duo Security is primarily a B2B enterprise authentication product, making incidental collection of children's data unlikely in most deployment contexts. However, deployments in K-12 educational environments create heightened risk and may implicate COPPA, FERPA, and state student privacy laws. JURISDICTION FLAGS: K-12 educational institutions deploying Duo should evaluate whether COPPA and FERPA obligations apply to authentication data of students under 13, and whether a separate agreement with Cisco is required to address those obligations. Illinois, New York, and California have additional student privacy protections. CONTRACT AND VENDOR IMPLICATIONS: Educational institutions using Duo should verify whether Cisco's agreements with educational customers address COPPA and FERPA compliance specifically, rather than relying on this general privacy statement's age restriction. COMPLIANCE CONSIDERATIONS: Organizations deploying Duo in educational or consumer-facing contexts where minors may interact with the service should conduct a COPPA compliance assessment and confirm with Cisco whether any additional contractual protections for student data are available.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The age threshold is set at 16 rather than 13, which is more protective than the US federal minimum under COPPA, and aligns with GDPR Article 8 requirements for children's data in EU member states that have adopted the 16-year threshold.
Parents and guardians should be aware that if a child under 16 uses a Duo-protected service, Cisco's policy states it will delete that data, but the practical enforcement of this commitment depends on Cisco being notified.
ConductAtlas has identified this type of provision across 26 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.