Cisco states that Duo's products are not meant for children under 16 and that it will delete any personal data collected from children under 16 if discovered.
This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The age threshold is set at 16 rather than 13, which is more protective than the US federal minimum under COPPA, and aligns with GDPR Article 8 requirements for children's data in EU member states that have adopted the 16-year threshold.
Parents and guardians should be aware that if a child under 16 uses a Duo-protected service, Cisco's policy states it will delete that data, but the practical enforcement of this commitment depends on Cisco being notified.
How other platforms handle this
Our services are not directed to children under the age of 13. We do not knowingly collect personal information from children under the age of 13 without parental consent. If we become aware that we have collected personal information from a child under the age of 13 without parental consent, we wil...
Our online services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete that information as quickly as possible.
Our Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without parental consent, we will take steps to delete such information. In some juris...
Monitoring
Duo Security has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Our products and services are not directed to children under the age of 16. We do not knowingly collect personal data from children under 16 without parental consent. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information.— Excerpt from Duo Security's Duo Privacy
REGULATORY LANDSCAPE: The Children's Online Privacy Protection Act in the US sets the minimum age threshold at 13 for online services. GDPR Article 8 permits member states to set the consent age for information society services between 13 and 16; several EU member states have adopted 16. By using 16 as the threshold in this policy, Cisco's statement is consistent with GDPR maximum-protection states but more restrictive than COPPA's US minimum. The FTC enforces COPPA compliance for US services. GOVERNANCE EXPOSURE: Low. Duo Security is primarily a B2B enterprise authentication product, making incidental collection of children's data unlikely in most deployment contexts. However, deployments in K-12 educational environments create heightened risk and may implicate COPPA, FERPA, and state student privacy laws. JURISDICTION FLAGS: K-12 educational institutions deploying Duo should evaluate whether COPPA and FERPA obligations apply to authentication data of students under 13, and whether a separate agreement with Cisco is required to address those obligations. Illinois, New York, and California have additional student privacy protections. CONTRACT AND VENDOR IMPLICATIONS: Educational institutions using Duo should verify whether Cisco's agreements with educational customers address COPPA and FERPA compliance specifically, rather than relying on this general privacy statement's age restriction. COMPLIANCE CONSIDERATIONS: Organizations deploying Duo in educational or consumer-facing contexts where minors may interact with the service should conduct a COPPA compliance assessment and confirm with Cisco whether any additional contractual protections for student data are available.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The age threshold is set at 16 rather than 13, which is more protective than the US federal minimum under COPPA, and aligns with GDPR Article 8 requirements for children's data in EU member states that have adopted the 16-year threshold.
Parents and guardians should be aware that if a child under 16 uses a Duo-protected service, Cisco's policy states it will delete that data, but the practical enforcement of this commitment depends on Cisco being notified.
ConductAtlas has identified this type of provision across 20 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.