A grounded guide for online platforms assessing how the EU Digital Services Act protects minors through privacy, safety, security, targeted-ad restrictions, and platform design controls.
Use it to separate binding Article 28 duties from voluntary Commission guideline recommendations and to avoid inventing age-verification obligations that the DSA text does not impose.
Structured answer sets in this page tree.
Cited legal and guidance references.
Article 28 of the EU Digital Services Act is about online platforms accessible to minors. It requires appropriate and proportionate measures for a high level of privacy, safety, and security, restricts profiling-based advertising to minors when the platform is aware with reasonable certainty that a recipient is a minor, and says compliance does not require extra personal-data processing to determine age.
Start with the service, not the child-safety control. Article 28 applies to providers of online platforms accessible to minors; the DSA recitals describe this as including services whose terms permit minors, services directed at or predominantly used by minors, or services where the provider is otherwise aware that some recipients are minors.
The core obligation is risk-based. The platform should be able to explain why each measure is appropriate and proportionate for the way minors actually use the service, rather than treating every age assurance, recommender, ad, reporting, or parental-control feature as mandatory in every product.
Article 28 prohibits online platforms from presenting advertisements based on profiling using a recipient's personal data when the provider is aware with reasonable certainty that the recipient is a minor. This is narrower than a blanket ban on all advertising to minors: contextual ads, house messages, or ads that are not based on profiling need a separate assessment under the DSA and other applicable law.
The same article also prevents a common overreach. Compliance with Article 28 does not require platforms to process additional personal data just to assess whether a recipient is a minor. Evidence should therefore show both the ad-delivery restriction and the data-minimisation boundary.
The Commission's 2025 Article 28 guidelines are non-binding, but the Commission says it will use them as a reference point when assessing Article 28(1) compliance. Treat them as a structured control catalogue, then select measures that fit the service's risk profile.
The grounded recommendations cover privacy-by-default, safer recommender systems, user controls, limits on unwanted sharing of minors' content, safeguards against excessive-use features, harmful commercial-practice controls, and improved moderation, reporting, feedback, and parental-control tools.
Article 28 does not stand alone. Article 27 requires online platforms using recommender systems to explain the main parameters in plain and intelligible language and provide options to modify or influence them. For VLOPs and VLOSEs, Article 38 adds at least one recommender option that is not based on profiling.
For very large services, minors protection can also appear inside systemic-risk work. The DSA risk-assessment and mitigation provisions refer to children's rights, protection of minors, physical and mental well-being, recommender systems, advertising systems, interface design, content moderation, and internal documentation.
A useful Article 28 file should show what the platform knew about minors, which risks it identified, which controls it selected, why those controls are proportionate, and what it deliberately did not do because the DSA does not require additional age-data processing.
Keep the record product-facing enough for design, advertising, trust and safety, data science, policy, legal, privacy, and compliance teams to test the same claims.
No. Article 28 requires appropriate and proportionate minors-protection measures and restricts profiling-based ads to minors when the platform is aware with reasonable certainty that the recipient is a minor. It also says compliance does not oblige platforms to process additional personal data to assess whether a recipient is a minor.
The Commission guidelines recommend effective age assurance when it is accurate, reliable, robust, non-intrusive, and non-discriminatory. They specifically discuss age verification for adult content such as pornography and gambling, or where national rules set a minimum age for certain services, and age estimation in other lower-age or risk-based cases.
Sorena can help structure Article 28 scope, targeted-ad restrictions, recommender controls, guideline recommendations, and age-assurance rationale into a reusable evidence record.
Ask source-linked questions about Article 28, targeted advertising to minors, recommender systems, and Commission guidance using the cited sources on this page.
Walk through your minors-protection controls, age-assurance rationale, ad-system evidence, and source gaps with Sorena.
"accurate, reliable, robust, non-intrusive"
"protection of minors"
"voluntary and does not automatically guarantee compliance"
"bans targeted advertisement to minors"
"not oblige providers"