Children's Privacy and Age Restriction

What it is

Udemy's platform is not intended for users under 16, and Udemy states it will delete any data collected from children under that age if discovered.

Why it matters (compliance & governance perspective)

The age threshold of 16 (rather than 13, which COPPA requires) creates a more protective standard for minors in the U.S. and aligns with GDPR Article 8 requirements in the EU, but parents or guardians should be aware there is no verified age-gating mechanism described in the policy.

Consumer impact (what this means for users)

Users under 16 are not supposed to use Udemy, and data collected from such users should be deleted upon discovery; however, the policy does not describe technical age-verification measures, so the practical enforcement of this restriction depends on user self-reporting.

What you can do

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: In the U.S., COPPA (Children's Online Privacy Protection Act) applies to online services directed to children under 13; Udemy's stated age threshold of 16 exceeds COPPA's minimum and reflects GDPR Article 8's default age of consent for data processing in many EU member states (16, with member state flexibility down to 13). The FTC enforces COPPA; EU national DPAs enforce GDPR Article 8. The UK Age Appropriate Design Code (Children's Code) also applies to platforms accessible by under-18 users in the UK and imposes design and data minimization obligations beyond notice requirements. 2. GOVERNANCE EXPOSURE: Medium. The absence of described technical age-verification or age-gating mechanisms means the policy's age restriction is largely self-declaratory. Regulatory guidance, particularly from the UK ICO and the FTC's COPPA enforcement program, increasingly emphasizes that platforms must take affirmative technical steps, not merely post age-restriction notices. If Udemy's platform is accessible to and used by minors, the absence of robust gating could constitute a governance gap. 3. JURISDICTION FLAGS: The UK Children's Code creates the highest current regulatory exposure for platforms accessible to UK users under 18. California's Age-Appropriate Design Code Act (AB 2273), though its status has been subject to legal proceedings, creates additional state-level obligations. EU member states that have set the GDPR Article 8 age of consent at 13 or 14 would expect compliance at those lower thresholds for their residents. 4. CONTRACT AND VENDOR IMPLICATIONS: Schools or educational institutions procuring Udemy for student use should assess whether Udemy's age restriction and data practices comply with FERPA, COPPA, and any applicable state student privacy laws (e.g., SOPIPA in California). The policy's age restriction may not be sufficient standing alone for institutional educational deployments involving minors. 5. COMPLIANCE CONSIDERATIONS: Compliance teams at educational organizations should review whether deploying Udemy for any users under 16 (or 18 under the UK Code) requires additional safeguards, parental consent mechanisms, or vendor contractual commitments. Udemy's data deletion process for under-16 users should be assessed for operational effectiveness.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Udemy Business Employer Data Sharing high
• Third-Party Advertising and Analytics Data Sharing medium
• Data Sharing in Merger or Acquisition medium
• California CCPA/CPRA Rights low
• Cross-Border Data Transfers (EU-U.S. Data Privacy Framework) medium
• Data Retention medium