Children are among the most exposed — and least protected — people online. From the moment parents post a first photo on social media, a child's digital footprint begins to form without their knowledge or consent. Understanding the risks, knowing your legal rights, and taking concrete steps can make a real difference in keeping your children's personal information safe.
What the Law Says: COPPA and KOSA
Two major federal laws shape the landscape of children's online privacy in the United States.
The Children's Online Privacy Protection Act (COPPA), enforced by the Federal Trade Commission, prohibits websites and apps from collecting personal information from children under 13 without verifiable parental consent. This is why platforms like YouTube, TikTok, and Instagram require users to be at least 13. If a service knowingly collects data on younger children without consent, it is in violation of federal law and subject to substantial fines.
More recently, the Kids Online Safety Act (KOSA) expanded protections for minors between 13 and 17. KOSA requires platforms to apply the highest available privacy settings by default for users under 17, restrict algorithmic recommendations that may cause harm, and give parents and children more control over data. While COPPA focused on data collection, KOSA targets platform design itself — placing a duty of care on companies to minimize risks to minors.
Despite these laws, enforcement is uneven and loopholes are common. Legal protections are a floor, not a ceiling — parents need to take active steps beyond what the law requires.
The Hidden Danger of Sharenting
Sharenting — the practice of regularly sharing photos, videos, and updates about your children on social media — creates a permanent digital record before children are old enough to understand what that means or consent to it.
Consider what a publicly visible photo reveals: a child's appearance, approximate age, school uniform, neighborhood, and daily routines. Aggregated over years of posts, this becomes a detailed profile accessible to anyone — advertisers, data brokers, and bad actors alike. Research suggests that by the time a child turns 13, their parents will have posted an average of over 1,300 images of them online.
Before posting, ask yourself whether your child would be comfortable with this image being visible to strangers when they are 18. If the answer is uncertain, consider keeping it private or sharing it only through encrypted messaging rather than public social media feeds.
Warning: Public Posts Can Be Scraped and Stored Permanently
Even after you delete a post, copies may have already been archived by third-party services, scraped by data brokers, or downloaded by followers. Once an image is public, you cannot reliably remove it from the internet. Privacy settings should be locked down before you post, not after.
Privacy Settings on Platforms Children Use
Many of the platforms popular with children have specific privacy controls worth knowing:
- YouTube Kids: Set up a supervised experience through your Google Family account to restrict content and prevent search. Turn off the "search" feature entirely for younger children to limit exposure to unreviewed content.
- TikTok: Accounts created by users under 16 are set to private by default, with direct messaging disabled. Users under 13 are placed in a restricted mode. Use TikTok's Family Pairing feature to link your account to your child's and control screen time and content filters.
- Roblox: Enable Account Restrictions to limit chat to pre-approved phrases and block communication with strangers. Turn on the privacy settings that prevent other users from finding your child's account by username. Require a PIN to change account settings so children cannot override your configurations.
- Minecraft: On the Bedrock edition, use a Microsoft Family account to control multiplayer access and chat. Set the account to only allow communication with friends, not all players.
- Fortnite: Epic Games accounts for minors support Parental Controls with a PIN. Enable filters for voice chat, auto-decline friend requests from strangers, and restrict spending.
Parental Controls and Monitoring Tools
Device-level controls add another layer of protection beyond individual app settings.
Apple Screen Time (built into iOS and macOS) lets you set content restrictions by age rating, block explicit websites, require approval before app downloads, and set daily screen time limits per app category. You can lock these settings with a separate PIN so children cannot modify them.
Google Family Link works across Android devices and Chromebooks. It allows parents to approve app installations, view app activity, set daily screen time limits, and remotely lock a device. For children under 13, all app downloads require parental approval.
Both tools also allow location sharing, which can be useful for safety — though it is worth having an open conversation with older children about what monitoring is in place, rather than using it covertly.
Teaching Children About Privacy
Technology controls are only part of the solution. Children who understand why privacy matters are far better equipped than those who simply have restrictions imposed on them.
Age-appropriate conversations should cover:
- What not to share online: Full name combined with school name, home address, phone number, daily schedule, or photos that reveal location details like street signs or landmarks.
- Why strangers online are different: People online can pretend to be someone they are not. A profile picture and a friendly chat history do not make someone trustworthy.
- The permanence of digital content: Anything posted, shared, or sent in a message can be screenshot and forwarded. Once something leaves their device, they lose control of it.
- How to respond to uncomfortable requests: If someone online asks for a photo, personal information, or to keep a conversation secret, children should know they can tell a trusted adult without fear of getting in trouble.
Start the Conversation Early
Privacy habits are easier to build before a child gets their first device than after. Even children as young as six can understand the concept of keeping some things private — like their address or the name of their school — just as they learn not to share certain things with strangers in person.
How Data Brokers Collect Information on Children
Most parents are surprised to learn that data brokers — companies that collect, aggregate, and sell personal information — build profiles on minors as well as adults.
Data on children enters broker databases through several channels:
- Household data: When a data broker has a profile on you, your children are often inferred from the same record. Household composition, children's approximate ages, and birth records from public filings all feed into these profiles.
- School-related records: While FERPA protects educational records, some data enters the market through school fundraising companies, extracurricular sign-ups, and contest registrations that sell or share participant data.
- Apps and games: Many free apps and games collect device identifiers, in-app behavior, and demographic data that flows into advertising networks and data exchanges.
- Social media: Public posts that tag or mention children — including posts from parents — are routinely scraped and indexed.
Identity Theft: Why Children Are High-Value Targets
Child identity theft is a serious and underreported crime. A child's Social Security number is particularly valuable to criminals precisely because fraud often goes undetected for years — sometimes not until the child applies for a student loan, a first credit card, or an apartment at 18 and discovers a damaged credit history they knew nothing about.
Because children have no credit history to monitor, fraudulent accounts can accumulate for a decade before anyone notices. The FTC estimates that children are roughly 50 times more likely to be victims of identity theft than adults.
The most effective protective measure is a credit freeze. By freezing your child's credit file at all three major bureaus — Equifax, Experian, and TransUnion — you prevent anyone from opening new credit accounts in their name. This should be done proactively, even before any fraud occurs. The process is free and can be reversed when your child reaches adulthood.
Steps to freeze a minor's credit:
- Gather documents proving your identity as the parent or guardian and the child's identity (birth certificate and Social Security card).
- Submit a written request to each of the three credit bureaus — Equifax, Experian, and TransUnion — along with copies of the required documents. Each bureau has its own process; check their websites for the most current instructions.
- Keep records of all submissions and confirmation numbers.
- Repeat annually to verify the freeze remains in place.
Opting Out of Data Brokers and Using Family Privacy Services
Beyond credit freezes, parents can reduce the data footprint of the entire household by opting out of data broker databases. Many of the major people-search sites — including Spokeo, Whitepages, BeenVerified, and Intelius — publish household information that can include inferred data about children living at your address.
Submitting opt-out requests manually is time-consuming. There are hundreds of brokers, each with a different process, and data tends to reappear as brokers refresh from public records and third-party sources. This is why automated services have become essential for families serious about protecting their household's privacy.
PrivacyOn offers family plans that cover every member of your household — not just individual adults. With continuous monitoring and automated opt-out submissions across 100+ data broker sites, PrivacyOn ensures that when your family's data resurfaces, it gets removed again without you having to track it manually. Protecting your children's privacy is no longer a one-time task — it requires ongoing vigilance, and the right tools make that sustainable.