Empirical data show that increasingly younger children are engaging in online activities. Many children lack experience and knowledge of the implications and practices related to personal data management. However, under the current Euro- pean data protection regime, children become data subjects on the same legal basis as adults, with consent being the most popular method of obtaining personal data. The proposed EU Data Protection Regulation tackles this problem by introducing a requirement for data controllers providing information society services directed at children: the controllers should obtain parental consent in cases where the personal data of a child under the age of 13 are being processed in the online environment. In the view of the European Commission, this requirement will reduce online risks for children and prevent them from making ‘youthful’ indiscretions.