Substack prohibits users under 16 from registering or sharing personal information. If Substack discovers it has collected data from someone under 16, it will delete that data.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The minimum age threshold of 16 is higher than COPPA's 13-year statutory minimum, which means Substack has adopted a stricter standard that also captures 13 to 15-year-olds who might otherwise legally use other platforms.
Users aged 13 to 15 are expressly prohibited from using Substack, a threshold higher than what COPPA strictly requires. Parents who believe their child under 16 has registered should contact tos@substackinc.com to request data deletion.
How other platforms handle this
To access and use the Services, you must be at least the age of majority in the state, province, or territory where you live or at least 18 years of age. If you are under the age of 13, you may not use the Services and you should not be visiting the Sites or using the Services.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"The Children's Online Privacy Protection Act ("COPPA") requires that online service providers obtain parental consent before they knowingly collect personally identifiable information online from children. We do not knowingly collect or solicit personally identifiable information from children under 16; if you are a child under 16, please do not attempt to register for Substack or send any personal information about yourself to us. If we learn we have collected personal information from a child under 16, we will delete that information as quickly as possible.— Excerpt from Substack's Substack Terms of Use
REGULATORY LANDSCAPE: COPPA, enforced by the FTC, requires verifiable parental consent before collecting personal information from children under 13. Substack's adoption of a 16-year age threshold exceeds this statutory minimum, which may also engage state-level minors' privacy statutes including the California Age-Appropriate Design Code (AADC, AB 2273) which imposes obligations for services likely to be accessed by users under 18. The EU's GDPR sets a digital consent age of 16 by default (with member states permitted to lower it to 13), making Substack's 16-year threshold consistent with GDPR's default standard. The UK Children's Code (Age Appropriate Design Code) similarly covers users under 18. GOVERNANCE EXPOSURE: Medium. The contractual commitment to delete data collected from under-16 users 'as quickly as possible' is an operational commitment that requires effective age verification or age assurance mechanisms to implement meaningfully. The Terms rely on self-declaration and contractual prohibition rather than technical age verification, which is increasingly scrutinized by regulators, particularly under the California AADC and the UK Children's Code. JURISDICTION FLAGS: California's Age-Appropriate Design Code creates heightened obligations for platforms likely to be accessed by minors under 18, including default privacy settings and data minimization requirements that go beyond the contractual prohibition in these Terms. UK and EU regulators have been active in enforcing Children's Code and GDPR age assurance requirements against platforms. The FTC's enforcement of COPPA has historically focused on actual knowledge and reasonable inference standards for minors' data collection. CONTRACT AND VENDOR IMPLICATIONS: Substack's reliance on contractual self-certification for age compliance (the user 'represents and warrants' legal age to contract) rather than technical age verification creates operational risk in jurisdictions where regulators expect affirmative age assurance. Procurement teams assessing Substack for institutional use in educational or youth-adjacent contexts should evaluate this gap. COMPLIANCE CONSIDERATIONS: Substack's operational implementation of the under-16 data deletion commitment should be documented and audited. The contact mechanism for reporting potential minor registrations (tos@substackinc.com) should be tested for responsiveness. Organizations using Substack in contexts where minor access is plausible should consider independent controls rather than relying solely on Substack's contractual prohibition.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The minimum age threshold of 16 is higher than COPPA's 13-year statutory minimum, which means Substack has adopted a stricter standard that also captures 13 to 15-year-olds who might otherwise legally use other platforms.
Users aged 13 to 15 are expressly prohibited from using Substack, a threshold higher than what COPPA strictly requires. Parents who believe their child under 16 has registered should contact tos@substackinc.com to request data deletion.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.