As digital technologies become integral to children’s lives, the question of how to obtain valid consent for processing their personal data has become a central issue for lawmakers and regulators. The APAC region’s approaches are diverse, shaped by international influences, domestic legal traditions, and cultural attitudes towards childhood and privacy. This article explores these factors, recent legal developments, and practical guidance for organizations handling children’s personal data in APAC.
Comparative analysis of APAC jurisdictions
A review of APAC jurisdictions shows a regional trend towards stronger protection of children’s personal data, influenced by digital risks and international standards. Consent regimes vary widely, with some countries enforcing strict parental control and others recognizing children’s autonomy, often through age-differentiated consent. Enforcement also differs, ranging from robust regulatory oversight and penalties to reliance on self-regulation or industry codes. This diversity creates significant challenges for cross-border digital services, which must manage a complex array of legal requirements.
Contrasting approaches: Australia and China
Australia is moving towards international best practice, recently amending its Privacy Act 1988 (Cth) (Privacy Act) to require a dedicated Children’s Online Privacy Code (Code) by December 2026.1 The Code will focus on age-appropriate design and the evolving capacity of children to consent, mirroring the UK’s Age Appropriate Code published by the UK’s information commissioner.
China, by contrast, has adopted a state-driven approach. China’s Personal Information Protection Law 2021 (PIPL) and related regulations require strict parental consent for children under 142, mandatory identity verification, and classify children’s personal data as ‘sensitive.’. Service providers face significant obligations and penalties for non-compliance. While this model offers strong theoretical protection, it raises concerns about overreach and potential impacts on children’s rights to expression and participation.
Traditional approaches: parental responsibility
In many APAC countries, parental responsibility remains central. Malaysia3, India, and Indonesia4 require or are moving towards requiring parental consent for processing data of individuals under 18. Hong Kong5 allows a “relevant person” (such as a parent or guardian) to provide consent for minors. India’s draft Digital Personal Data Protection Rules 2025 require verifiable parental consent and technical measures to ensure compliance, reflecting the cultural emphasis on family as the primary protector.
South Korea sets a lower threshold, requiring parental consent for children under 14. Recent amendments to South Korea’s Personal Information Protection Act require policies to help children understand data processing and their rights.6
Nuanced approaches: Vietnam, Taiwan, and Thailand
Vietnam, Taiwan, and Thailand have introduced more nuanced consent regimes. Vietnam’s law requires parental consent for children under seven, and dual consent from both child and parent for those aged seven or older.7 Taiwan’s Civil Code stipulates that children under seven cannot consent, while those over seven need parental approval for their consent to be valid.8
Thailand’s model is particularly distinctive, requiring dual consent from both child and guardian for those aged 10 to 20, and parental consent alone for those under 10. This approach balances children’s growing agency with the need for adult oversight. 9
Evolving capacity: flexible approaches
Some jurisdictions, such as Singapore, Japan, and the Philippines10, have moved beyond rigid age-based consent, recognizing the evolving capacity of children. These countries provide regulatory guidance rather than strict statutory rules, allowing older minors to consent if deemed sufficiently mature. For example, Singapore’s guidelines encourage organizations to assess a child’s maturity on a case-by-case basis, generally recommending parental consent for those under 13.11 Japan’s guidelines similarly require businesses to obtain parental consent if a minor lacks capacity, with ongoing discussions about clarifying these requirements.12
These flexible frameworks may better reflect the realities of digital engagement but place greater responsibility on organizations to make nuanced, context-specific assessments.
Best practices for organizations
Given the diversity of approaches, organizations processing children’s personal data in APAC should:
- Map legal requirements: Identify minimum ages for consent, parental authorization, and sector-specific rules in each jurisdiction, and monitor for updates.
- Establish age assurance: Implement reliable processes to determine users’ ages, using self-declaration, technical measures, or parental confirmation as appropriate.
- Obtain verifiable parental consent: Design user-friendly, culturally appropriate processes for obtaining and documenting parental consent.
- Provide clear, age-appropriate notices: Use simple language, local languages, and visual aids to ensure children and parents understand privacy notices and consent forms.
- Privacy by design and default settings: Ensure privacy protections are embedded into the design and development of systems, services, and processes from the outset and default settings are used to reflect the best interests of children.
- Limit data collection: Collect only data necessary for the specified purpose and regularly review processing activities for compliance.
- Train staff: Ensure staff understand the specific requirements for handling children’s personal data.
- Enable consent management: Allow parents and children to review, manage, and withdraw consent easily, and ensure prompt deletion or anonymization of data as required.
Conclusion
Approaches to obtaining children’s consent for data processing in the APAC region are highly varied and continue to evolve, reflecting each country’s unique legal, cultural, and social context. While there is a general movement towards stronger protections and greater recognition of children’s autonomy, no unified model exists. The key challenge is to ensure these frameworks keep pace with technological change and emerging risks, always prioritizing the best interests of the child. Protecting children’s personal data is ultimately a matter of fundamental rights and social responsibility, requiring ongoing collaboration and vigilance from all stakeholders to ensure children’s privacy and safety in the digital age.
Footnotes
1. Privacy and Other Legislation Amendment Act 2024 (Cth) (amending section 26GC of the Privacy Act).
2. PIPL, Article 31.
3. Malaysia’s Personal Data Protection Regulations 2013, Regulation 3(3).
4. India and Indonesia are currently introducing such requirements upon finalization of the Digital Personal Data Protection Act 2023 and the Implementing Regulation of Law No. 27 of 2022 respectively.
5. Hong Kong’s Personal Data (Privacy) Ordinance.
6. South Korea’s Personal Information Protection Act 2011 Article 5(3).
7. Vietnam’s Decree on Personal Data Protection (Decree No. 13/2023/ND-CP).
8. Taiwan’s Personal Data Protection Act 2015.
9. Thailand’s Personal Data Protection Act 2019.
10. On December 17, 2024, the National Privacy Commissioner of the Philippines published Guidelines on Child-Oriented Transparency which emphasized its adoption of the ‘best interests’ approach, while noting ‘children’ generally includes individuals under 18.
11. Singapore’s Personal Data Protection Commission’s Selected Topics Advisory Guidelines on Singapore’s Personal Data Protection Act 2012, dated May 23, 2024, Guideline 8.9.
12. Japan’s Commissioner’s General Guidelines on the Act on the Protection of Personal Information 2003, dated April 1, 2005.
