Almost 20 years ago, the first social networking site (“SNS”) was launched in the U.S. Whilst developers originally intended for SNSs to be used by adults—which they are—they have also become an integral communication platform in the lives of many children in EU Member States. Sharing personal information on SNSs is now a routine activity for many children and, whilst they are computer literate in a way that their parents are often not, a number of concerns have emerged. One of these concerns is that children are vulnerable since they lack the capacity to consent to the terms of SNS membership agreements regarding the processing of their personal data. A further concern is that children’s naïve confidence sometimes leads them to take risks—by sharing information about themselves—that adults would not take. This is particularly concerning as children may be ignorant about the fact that their profile and behavioural data is sold to data brokers who use that information to produce targeted adverts—and that these adverts may display age inappropriate content or even may not by recognised by the children as adverts. Directive 95/46/EC regulates the processing of the personal data of EU citizens, including personal data posted on SNSs. Problematically, it was drafted in a pre-SNS era and neither makes reference to children nor considers them vulnerable data subjects whose personal data should be subject to more stringent processing rules. The absence of specific legal protection for children’s data on SNSs sparked concerns that children were ignorantly disclosing personal data and being exposed to profiling and advertising without adequate privacy and data protection safeguards in place. In response to these concerns, provisions aimed at safeguarding children’s privacy and data protection rights have been included in Regulation (EU) 2016/679 (hereafter “GDPR”), which will come into force on 25 May 2018. This chapter provides a critical evaluation of the forthcoming measures to address a knowledge gap that exists because of the novelty of these provisions and the fact that scholarship in this area is currently underdeveloped. It begins by providing an overview of SNSs and the problems posed by underage children’s access to them. In this regard, it will illustrate that the biological and psychosocial developmental changes that children experience as they progress through their teenage years and develop their capacity for freedom of expression makes them vulnerable to impulsive personal information disclosures and privacy invasions. After this, an exploration of the current legal protections for children’s privacy on SNSs from the perspective of privacy as information control will highlight deficiencies in Directive 95/46/EC. This leads to an analysis of the measures in the GDPR to determine whether they will, when introduced, realise the twin goals of legitimising the processing of children’s personal data and, at the same time, protecting their fundamental privacy and data protection rights. The compatibility of measures in the GDPR with provisions in the United Nations Convention on the Rights of the Child (1989) (“the UNCRC”) and the Charter of Fundamental Rights of the European Union (2000) (“the EU Charter”) is considered as these provide a normative framework for evaluating children’s legal rights. To comply with both legal frameworks, data protection measures in the GDPR governing children’s activities on SNSs should recognise their evolving capacity for freedom of expression and privacy. This would allow them to express themselves with appropriate safeguards in place, ensuring that their best interests are protected and that they are not subject to economic exploitation through activities such as profiling and advertising without consent. Specifically, the analysis presents a critical evaluation of the introduction of an age threshold, below which children are deemed to lack capacity to consent to the processing of their personal data; the conceptual coherence of relying on parental consent for children under the threshold age; the practical implications of Member States being permitted to set the threshold age within a range of ages; and the practical challenges posed by relying on verified parental consent. The chapter concludes that measures in the GDPR are compatible with provisions in the UNCRC and the EU Charter but that a number of practical challenges remain unsolved. For instance, allowing Member States to set the threshold age means that the goal of simplifying and harmonising the regulatory environment for SNSs operating on a transnational basis will not be fully realised. Equally, reliance on parental consent and the consent of children over the threshold age is conceptually coherent, but it is dependent on the introduction of low-cost age-verification mechanisms being integrated into SNSs. It is also dependent on child data subjects (or their parents) being digitally literate enough to give unambiguous, specific consent to the processing of their personal data. Relatedly, whilst the GDPR includes measures to promote and increase the digital literacy of both parents and children, it remains to be seen how effective these will be in practice. For these reasons, the GDPR is an improvement on Directive 95/46/EC, but only a partial success