Data Science Dispatch

Beyond COPPA: Evaluating the Legal, Ethical, and Global Gaps in Children's Online Privacy Protection

Evaluating the legal, ethical, and global gaps in children's online privacy — across COPPA, GDPR-K, and the Belmont Report, six enforcement actions (Microsoft, Epic Games, Weight Watchers), dark patterns, and the rise of 'sharenting.'

By Ambro Quach, Joseph Chan, Sarah Julius & Serina Li


Analyzed through six frameworks:

  • COPPA: U.S. children's privacy law (legal)
  • GDPR-K: EU children's data rules (legal)
  • The Belmont Report: research ethics (ethical)
  • Solove's Taxonomy: a model of privacy harms (ethical)
  • Contextual Integrity: Nissenbaum's framework (ethical)
  • Multi-Dimensional Analytic: Mulligan et al.'s framework (ethical)

6 enforcement actions examined: Microsoft, Epic Games, Weight Watchers and more — and a verdict that these frameworks still fall short.

Abstract

This project investigates the current landscape of children's online privacy protections, analyzing the efficacy and limitations of existing U.S. and international frameworks such as COPPA, GDPR-K, and the Belmont Report. Drawing from course materials and case law, we examine six major enforcement actions involving companies like Microsoft, Epic Games, and Weight Watchers, highlighting recurring violations, use of manipulative design (dark patterns), and lack of meaningful consent. We also explore the emerging issue of "sharenting" — parent-driven privacy violations — to illustrate how current frameworks fail to anticipate family-centered threats. Our goal is to synthesize legal, ethical, and policy insights to identify persistent regulatory blind spots and offer recommendations for a more comprehensive and child-centered privacy paradigm.

I. Introduction

In the last hundred years or so, people have begun to see how important it is to protect their children through laws and regulations. Child labor laws have been passed, along with countless other laws to protect children from abuse, kidnapping, and many other evils. During this time, however, regulations have had to try to keep up with advancing technology. In the last thirty years, childhood has changed completely, in large part due to the internet and all it offers. While those of us born in the 90s remember being told not to talk to strangers or to not give any personal information to people on the internet, these precautions are not enough in today's constantly connected world.

The new world created by the internet has introduced risks to children that could not have been predicted when the internet first became available for mass use. Children are susceptible to many tricks employed by manipulative companies and nefarious actors all over the internet. We have seen a rise in dark patterns and other manipulative designs on child-facing platforms. Dark patterns, also referred to as deceptive patterns, are "tricks used in websites and apps that make you do things that you didn't mean to" (Brignull, 2010). Children are more likely to fall for dark patterns, leading them to make purchases that they were unaware of or sign up for services without fully understanding what is happening.

Another issue on the rise is the legal gray area around parental consent. Most governing entities require websites and social media platforms to acquire parental consent when children are using them, but enforcing this is harder than one may think. There are few ways to guarantee that parental consent is being gained, as websites rarely ask for verifiable consent. It is just as likely that a child is signing the form in their parent's place as that the parent is signing it.

Another issue often seen is a lack of regulatory attention to new trends and platforms. One example of this is "sharenting," where parents are said to exploit their kids on social media for better engagement. It is often questioned whether regulatory bodies can keep up with the fast-changing world of the internet. There are also questions of who is responsible for regulations. Every country or governing body has different ways of approaching child safety and privacy on the internet. The US follows COPPA (the Children's Online Privacy Protection Act), whereas the EU has the GDPR-K (General Data Protection Regulation - Kids). While there is often overlap between regulations, companies need to consider the regulations of all areas where they are providing their services, often leading to confusing outcomes.

This paper strives to outline legal and ethical frameworks relating to the protection of children online. It will look at patterns emerging across major corporate violations and recommend methods to mitigate these patterns. Lastly, we will look at how new technologies and trends, such as "sharenting," complicate traditional frameworks of consent and privacy protection.

II. Literature and Framework Overview

A. Legal and Ethical Frameworks on Children's Privacy

Children's online privacy protection lies at the intersection of legal mandates, ethical norms, and evolving digital design practices. This section surveys the core legal and ethical frameworks that shape current approaches to regulating and understanding children's data privacy.

COPPA (U.S. Law)

The Children's Online Privacy Protection Act (COPPA), enacted in 1998 and enforced by the Federal Trade Commission (FTC), is the cornerstone of U.S. federal regulation of children's online data. COPPA applies to operators of websites and online services directed to children under 13, requiring them to provide notice of their data practices, obtain verifiable parental consent before collecting personal information, allow parents access to their children's data, and implement security procedures to safeguard it (FTC, 1998).

However, COPPA has been widely critiqued for its limitations. It does not apply to platforms that claim a general audience—even when children are de facto users—and enforcement relies heavily on complaints or high-profile investigations rather than proactive monitoring. Additionally, the definition of "personal information" has struggled to keep pace with the realities of today's digital ecosystem, where biometric and behavioral data collection is ubiquitous but not always covered under COPPA's scope.

GDPR-K (EU Law)

The European Union's General Data Protection Regulation (GDPR) includes a provision specific to children, often referred to as GDPR-K. Unlike COPPA, GDPR does not set a fixed lower age limit but allows EU member states to determine the age at which children can consent to data processing—typically ranging between 13 and 16. Article 8 of the GDPR requires parental consent for processing the personal data of children below the designated age when offering "information society services" directly to them ("Children's Data and Parental Consent under the GDPR.").

GDPR-K goes beyond COPPA in recognizing children's developmental limitations, explicitly acknowledging that children may be less aware of the risks associated with sharing personal information online. It places a stronger emphasis on data minimization, fairness, and transparency. There is also a growing emphasis on designing systems with children in mind, and on cross-border enforcement mechanisms that challenge global platforms to maintain uniform compliance across jurisdictions.

While GDPR offers a more expansive view of children's rights, it remains unevenly enforced, and its cross-border application to U.S.-based companies is often contested. This friction underscores the need for stronger regulatory harmonization and shared ethical norms around children's digital agency.

The Belmont Report

Published in 1979, the Belmont Report remains a foundational ethical document in U.S. human subjects research. Its principles of respect for persons, beneficence, and justice provide an ethical lens through which to view children's digital privacy. Importantly, the report acknowledges diminished autonomy in minors, arguing that special protections must be in place when individuals are not fully capable of informed consent (The Belmont Report).

While originally intended for biomedical research, the Belmont principles are increasingly invoked in data ethics discourse. In the digital context, this means that data collection practices involving children must prioritize clear explanations, meaningful consent, and safeguards against harm—even when legal requirements are met. The Belmont Report reinforces the notion that legal compliance does not automatically imply ethical sufficiency, particularly when power asymmetries and vulnerability are pronounced.

In addition to the core legal structures, several interdisciplinary frameworks provide analytical depth to understanding children's privacy in a digital age.

  • Mulligan et al.'s Multi-Dimensional Analytic emphasizes that privacy is not a monolith but consists of multiple overlapping dimensions, including freedom from intrusion, informational control, dignity, and justice. This framework is particularly useful in assessing harms that go beyond legal violation—such as psychological harms or long-term identity shaping (Mulligan et al.).
  • Solove's Taxonomy of Privacy categorizes privacy violations into four broad types: information collection, information processing, information dissemination, and invasion (Solove, "Taxonomy of Privacy"). This taxonomy offers a granular breakdown of privacy harms that appear across our case studies, such as the passive collection of data (surveillance), failure to provide consent options (exclusion), and the dissemination of children's data to third parties (disclosure).
  • Nissenbaum's Contextual Integrity suggests that privacy is best understood as appropriate information flow based on context, actors, and transmission principles (Nissenbaum, "Contextual Integrity"). Violations occur not simply when data is shared, but when it is shared in ways that break social norms—such as matching children with unknown adults in online games or using data collected in educational settings for commercial gain.
  • Project Safe Childhood, a U.S. Department of Justice initiative, is primarily aimed at combating online child sexual exploitation but also overlaps with privacy when platforms fail to adequately protect minors from predatory behavior (Project Safe Childhood).
  • UNICEF and the UN's Child Online Protection (COP) initiatives provide a global child rights-based approach. These programs highlight digital platforms' responsibility to implement safety-by-design and to avoid enabling abuse, discrimination, or exposure to inappropriate content.
  • The OECD Privacy Framework (2013) offers cross-jurisdictional guidance on data protection, including principles like purpose specification, use limitation, and accountability. It echoes GDPR's emphasis on data minimization and aligns with calls for global standards on child data ethics.
  • Scholars such as Danielle Keats Citron argue for technological due process, where meaningful consent, transparency, and the ability to challenge decisions made by algorithms are necessary for fairness in automated systems (Citron). Her work is particularly relevant in evaluating the ethical implications of dark patterns and automated data collection practices that affect minors.
  • Lastly, Tad Hirsch et al.'s concept of "designing for contestability" emphasizes the importance of enabling users to challenge algorithmic decisions. This is especially critical in child-facing platforms, where users often lack the tools or literacy to understand or push back against invasive design features.

B. Key Definitions and Conceptual Clarifications

To support the rest of our analysis, it is important to define several recurring concepts:

  • Personal Information: COPPA defines this broadly, including names, contact information, photos, geolocation data, and any persistent identifier (FTC). However, in practice, platforms often collect behavioral and biometric data that may fall outside narrow legal definitions.
  • Verifiable Parental Consent: A core legal requirement under COPPA and GDPR-K, yet difficult to implement meaningfully online. Loopholes and weak verification mechanisms allow children to bypass protections or result in parents unknowingly authorizing harmful data practices.
  • Dark Patterns: Design tactics that nudge users toward actions they would not otherwise take. These are often manipulative by design—such as making the opt-out button hard to find or misleading users into making in-app purchases—and disproportionately affect children's autonomy (Brignull).
  • Sharenting: A growing phenomenon in which parents share their children's data or images online, often for social or financial gain. While not always malicious, sharenting raises profound questions about agency, identity, and intergenerational data rights in contexts where the child has no say.
  • Child as Data Subject vs. Parent as Data Gatekeeper: This tension underscores the complexity of consent frameworks. Children are the primary subjects of data collection, but their parents—or in some cases, platforms—act as decision-makers on their behalf, often without truly reflecting the child's best interests.
  • Data Minimization: A core principle in GDPR and the OECD Privacy Guidelines, data minimization requires that only the minimal amount of personal information necessary for a given purpose be collected. In child-focused services, this principle is critical in reducing unnecessary risk, especially when platforms over-collect data for marketing or personalization purposes.
  • Best Interests of the Child: Rooted in international human rights law (e.g., UN Convention on the Rights of the Child, Article 3), this principle mandates that all decisions affecting children should prioritize their health, safety, and overall well-being. It's a useful ethical standard for assessing whether platforms and policymakers are truly protecting children or deferring to commercial interests.
  • Algorithmic Profiling: The use of data analytics to infer attributes or predict behaviors of users. When applied to children, profiling can shape what content they see, how they're targeted, and even their emotional or psychological responses. It also complicates consent, as inferences can be made even when direct data collection is limited.
  • Informed Consent vs. Meaningful Consent: While informed consent may technically satisfy legal requirements, scholars such as Danielle Citron have argued that meaningful consent requires users to actually understand and have control over what they are agreeing to (Citron). For children (and often their parents), consent flows are rarely meaningful—raising both legal and ethical concerns.

III. Case Studies: Application of Frameworks

Even though there are many frameworks and regulations protecting the privacy of children online, it is still very common to find cases where companies put profit over the privacy and safety of users. The following case studies look at recent violations of legal frameworks such as COPPA and GDPR-K, as well as "sharenting," a new trend seen online in which parents share the lives of their children on social media. All of these case studies bring forth the question of whether current legal and ethical frameworks are enough when it comes to protecting the privacy of children online.

A. Weight Watchers App (2022)

In 2022, a complaint was filed on behalf of the Federal Trade Commission (FTC) against WW International, Inc. (formerly known as Weight Watchers), stating that the company directly marketed its products to children and violated COPPA regulations by collecting their personal information without parental consent. The Chair of the FTC, Lina M. Khan, stated that WW "illegally harvested their [children under eight] personal and sensitive health information," utilizing its app, Kurbo, which was specifically designed for children and families (FTC Takes Action against Company Formerly Known as Weight Watchers for Illegally Collecting Kids' Sensitive Health Data, 2022). Although Kurbo does require a birthday to be input to confirm that the users are over the age of thirteen, many users would enter an older birthdate and then later change their birthdays to their correct age. Had Kurbo followed COPPA regulations, these users would have lost access to the app; however, users were still allowed to access the app until the FTC contacted Kurbo and WW International directly. Revisions were made in an attempt to correct this oversight, but Kurbo failed to provide a method that ensured that parental consent was acquired. It was also noted that the privacy notice was not easily accessible, requiring parents to follow a string of links to locate the correct privacy information (FTC Takes Action against Company Formerly Known as Weight Watchers for Illegally Collecting Kids' Sensitive Health Data, 2022).

Lastly, WW International did not follow COPPA regulations in relation to the retention of children's data. Kurbo retained all information collected from users unless deletion was specifically requested by a parent or guardian. COPPA specifically states that the information of users under thirteen cannot be retained unless parental consent is obtained to specifically retain the data (FTC Takes Action against Company Formerly Known as Weight Watchers for Illegally Collecting Kids' Sensitive Health Data, 2022). In response to the finding, FTC Chair Khan said, "Our order against these companies requires them to delete their ill-gotten data, destroy any algorithms derived from it, and pay a penalty for their lawbreaking" (FTC Takes Action against Company Formerly Known as Weight Watchers for Illegally Collecting Kids' Sensitive Health Data, 2022). WW International was fined $1.5 million and was required to remove all information gained through its illegal activities.

In addition to breaking the law, there are ethical questions that arise from WW intentionally targeting children. Many question whether children should be allowed to access weight loss programs such as those offered by WW and Kurbo. When Kurbo was launched in 2020, social media was immediately flooded with concerns, including the concerns of researchers, dieticians, and mental health professionals. Many worried that putting children on specific diets and enforcing exercise interventions could lead to disordered eating, unhealthy relationships with food, and stigma against larger bodies (Sole-Smith, 2020).

Anna Sweeney, R.D., a dietitian in Massachusetts, tweeted shortly after the release of Kurbo: "The majority of eating disorder clients that I work with have had a history of dieting. For most, it started with Weight Watchers. Suggesting that @KurboHealth will promote health and not disease is missing EVERY MARK. #wakeupweightwatchers" (Sole-Smith, 2020). A professor of psychology in California stated that research shows that dieting can increase the risk of many eating disorders, including anorexia or binge eating, but that risk is especially seen in early childhood (Sole-Smith, 2020).

Even if dieting didn't have an impact on mental health, there is also the question of whether dieting is effective at improving physical health. In a study done by the University of Minnesota and Columbia University, researchers found that adolescents in middle school and high school who diet, skip meals, or use other weight control behaviors are nearly twice as likely to gain weight as their non-dieting peers (Sole-Smith, 2020).

Using Mulligan's Analytic Framework, the dimension of harm is extremely important in the case of WW and Kurbo. WW International not only violated children's privacy laws, but also actively marketed to children, a group that most experts would agree should not strive for weight loss at all, and should instead focus on adding healthier foods to their meals and introducing joyful movement into their lives. By pushing for children to use the app, WW knowingly pushed for a vulnerable group to use a service that may be both physically and mentally harmful to them. In a way, WW's actions also go against Mulligan's idea of the dimension of scope. Scope implies that there are socially acceptable areas or domains for data. As many would agree that children should not be dieting, WW went against the accepted domain of dieting apps and violated that societal expectation (Mulligan et al., 2016).

WW claims to no longer be a diet company, focusing instead on "holistic wellness." They claim that by moving away from their infamous points system and instead focusing on whole, pre-approved foods and healthy movement, they have moved from a diet plan to a lifestyle brand. Many experts disagree with this, though, with one pediatric dietician, Anna Lutz, M.P.H., R.D., stating "Diets don't call themselves diets anymore — they're all wellness systems or lifestyle plans" (Sole-Smith, 2020).

Regardless of what WW and Kurbo call themselves, and even if their intentions are good, there is a strong debate about whether children should diet at all. Because of this, it is of immense concern that WW would market directly to children at all. Their push for children to use a potentially physically and mentally damaging app, as well as their blatant disregard for COPPA regulations, highlights the company's predatory behavior. While Kurbo is no longer available in the Android or Apple stores, WW is still available and may be utilized by children or their well-meaning but uninformed parents. WW International should be further monitored to ensure that they are legally and ethically responsible, especially when it comes to use by children.

B. Microsoft Xbox (2023)

In June 2023, Microsoft reached a $20 million settlement with the Federal Trade Commission (FTC) after being charged with violating the Children's Online Privacy Protection Act (COPPA) in its handling of Xbox user account sign-ups. The complaint alleged that Microsoft collected personal data—including full names, birth dates, phone numbers, and geolocation—from children under the age of 13 without obtaining verifiable parental consent (Federal Trade Commission, Complaint). In many cases, Microsoft retained this data for years, even when accounts were not fully created (FTC, FTC Will Require Microsoft). While the financial penalty was relatively modest for a company of Microsoft's scale, the case underscores serious limitations in both COPPA's regulatory scope and the company's ethical approach to platform design.

Microsoft's practices exemplify a recurring corporate pattern: collect first, fix later. Children were prompted to provide personal data before their age had been verified, allowing Microsoft to knowingly store the personal information of underage users (Federal Trade Commission, Complaint). The platform also failed to delete this information after incomplete sign-ups—a clear breach of COPPA's data minimization and retention standards. Although Microsoft eventually updated its policies, those changes were reactive rather than proactive. These defaults illustrate what our group identifies as a core regulatory blind spot: platforms are allowed to design around meaningful parental involvement until forced into compliance.

This case also exposes critical flaws in the existing consent infrastructure. Danielle Citron's framework of technological due process—which emphasizes meaningful consent—is especially useful here (Citron, "Technological Due Process"). While Microsoft technically presented a sign-up flow with consent prompts, the structure of that flow failed to ensure that either children or parents fully understood what data was being collected or why. In the absence of robust notice, accountability, or opt-out mechanisms, consent becomes a formality rather than a safeguard. This reflects a broader pattern across many enforcement cases, where compliance relies on outdated interpretations of consent rather than addressing how users actually experience privacy interactions on the ground.

Through Solove's Taxonomy of Privacy, multiple violations become visible. Microsoft's premature data collection constitutes a surveillance harm; its failure to delete data from incomplete accounts introduces a processing harm; and the lack of transparency introduces an exclusion harm, preventing children and parents from knowing or controlling how their data is handled (Solove). Even without an explicit data breach, the platform's opacity and default data retention practices undermined user agency and trust.

From a Contextual Integrity perspective, Microsoft's design choices broke established social norms around children's data. Parents and children likely expect that a general-use platform like Xbox would implement safeguards aligned with children's developmental needs. Instead, the system bypassed the context in which such data sharing would be considered appropriate—namely, with informed adult supervision. The result is a misalignment between the user's social expectations and the platform's actual data flows (Nissenbaum).

Mulligan et al.'s Multi-Dimensional Analytic further clarifies the stakes. Microsoft's retention of children's data infringes on informational autonomy, while its failure to offer meaningful consent options undermines dignity. The company's decision to prioritize frictionless onboarding over ethical design reflects a disregard for the justice dimension, which demands that vulnerable groups—especially children—receive heightened protection, not streamlined exposure (Mulligan et al.).

These issues also raise ethical concerns beyond what legal frameworks capture. The Belmont Report, a foundational document in research ethics, emphasizes the principles of respect for persons, beneficence, and justice—each of which was arguably compromised in Microsoft's practices. Children, as individuals with diminished autonomy, require heightened protections, especially in contexts where they may not fully understand the consequences of sharing data (National Commission). By collecting and retaining personal information from underage users without informed parental involvement, Microsoft disregarded both beneficence (minimizing risk) and justice (ensuring fair treatment). The system was designed to serve platform efficiency, not user dignity.

While the Microsoft case was prosecuted under COPPA, comparing it with GDPR-K reveals the shortcomings of the U.S. framework. COPPA applies only to children under 13 and requires "verifiable parental consent," but lacks strong enforcement mechanisms or developmentally appropriate consent standards. In contrast, GDPR-K treats children as vulnerable data subjects across a broader age range (typically under 16) and requires age-appropriate transparency and data minimization by design ("Children's Data and Parental Consent under the GDPR"). Crucially, GDPR carries far more severe penalties—up to €20 million or 4% of global annual turnover, whichever is higher—while COPPA caps per-violation penalties at under $50,000. Had this case occurred under GDPR jurisdiction, Microsoft could have faced a substantially larger financial consequence. This disparity reflects a deeper issue: U.S. law lacks both the normative and punitive strength to compel platforms to prioritize children's data rights without external pressure.

Ultimately, the Xbox case highlights the insufficiency of existing regulatory frameworks to prevent harms before they occur. Like other companies in our analysis, Microsoft exploited the ambiguity between product design and legal compliance, banking on the idea that users (and regulators) would accept subpar defaults until a violation drew attention. While the FTC's enforcement action led to modest improvements, it is clear that neither COPPA nor voluntary industry practices are currently enough to ensure that children's data is handled with care, clarity, or fairness.

C. Epic Games / Fortnite (2022)

Fortnite is a hugely popular, free-to-play online video game produced by Epic Games and first released in 2017. The game exists within the 'battle royale' subgenre, with 100 players competing to be the last survivor on an island, while gathering weapons and building structures in an ever-shrinking playable area. Beyond the core gameplay, Fortnite features custom maps and limited-time events that frequently collaborate with popular franchises and celebrities (Fortnite – A Free-to-Play Battle Royale Game and More, n.d.). While Fortnite is free to download and play, it has a monetization strategy centered around microtransactions. The game's primary revenue source is its Battle Pass system and in-game store, where players can purchase cosmetic items like character skins and emotes. The game has had enormous success, with hundreds of millions of users generating revenues of $3.5 billion in 2023 alone (Fortnite Usage and Revenue Statistics (2025), n.d.).

In December 2022, the Federal Trade Commission (FTC) secured a historic settlement with Epic Games totalling $520 million over widespread privacy violations and deceptive practices within Fortnite (FTC, 2022). This settlement, which remains the largest fine ever paid to the FTC for violation of children's privacy (Direnfield et al., 2023), consisted of two separate components. Epic agreed to pay $275 million for violations of the Children's Online Privacy Protection Act (COPPA) and committed an additional $245 million to consumer refunds for employing manipulative "dark patterns" designed to facilitate unwanted purchases. This case study examines the legal violations, ethical implications, and future implications of Epic's practices.

Epic Games violated COPPA extensively and systematically. Despite abundant evidence that Fortnite attracted a significant number of players under 13—including targeted marketing materials, toys, and merchandise—Epic failed to provide adequate privacy notices to parents or obtain their verifiable consent before collecting children's personal information (FTC, 2022). When parents later attempted to request deletion of their children's data, the company deliberately created barriers to these requests, and in some instances, ignored them completely.

Perhaps most concerning was Epic's implementation of voice and text chat features as default settings, creating an environment where children could communicate with unknown adults without parental knowledge or consent (FTC, 2022). The FTC's judgment noted that as early as 2017, Epic's own employees had raised internal concerns about these practices, reporting that children had been "harassed, including sexually," and "bullied, threatened... exposed to dangerous and psychologically traumatizing issues." Despite these warnings, Epic maintained communication as the default setting for all users, including children (FTC, 2022).

Further compounding these violations, Epic employed what the FTC termed "illegal dark patterns"—a term coined by Brignull for design techniques "crafted with great attention to detail, and a solid understanding of human psychology, to trick users into doing things they wouldn't otherwise have done" (Brignull, 2011). These manipulative designs affected all users but posed particular risks to children. Until 2018, Fortnite allowed children to purchase V-Bucks (the game's virtual currency) with just a few button presses, without any parental verification, resulting in unauthorized charges sometimes amounting to hundreds of dollars. When users complained about these charges, Epic not only ignored more than a million user complaints but deliberately obscured cancellation and refund options, making it increasingly difficult for users to seek redress (FTC, 2022).

From Fortnite's release until the 2022 judgment, Epic Games demonstrated a pattern of deliberately violating children's privacy, resulting in both psychological and financial harms, while actively impeding attempts by users and parents to address these issues. This case highlights a critical disconnect between legislation and enforcement in protecting children's privacy. COPPA emerged from bipartisan recognition that children represent a particularly vulnerable group deserving special protection online. This recognition extends beyond digital spaces—ethical frameworks such as the Belmont Report in biomedical research similarly identify children as requiring enhanced safeguards due to their vulnerability (DHEW, 1978).

Analyzing Epic's practices through Nissenbaum's contextual integrity framework reveals fundamental violations of appropriate information flows (Nissenbaum, 2011). Society maintains strong expectations that children's communications with strangers should occur only with parental knowledge and consent. Epic's decision to default children into environments where they could freely communicate with unknown adults directly violated these norms of appropriateness. Such breaches of contextual integrity exposed children to numerous privacy harms by creating information flows that circumvented established social norms designed to protect vulnerable populations.

Solove's taxonomy provides additional insight into specific harms as they relate to privacy (Solove, 2005). First, Epic's collection of in-game data without parental consent constituted surveillance harms against children. Second, by failing to provide proper notice and consent mechanisms, Epic created exclusionary harms affecting both children and their parents, denying them participation in decisions about their information. Third, the communication features facilitated information dissemination harms, including breach of confidentiality, disclosure, and potential blackmail (Solove, 2005). These dissemination harms are especially concerning for children due to the significant power differential between them and adult players in the Fortnite ecosystem.

Together, these theoretical frameworks emphasize why protecting children's privacy requires not just well-crafted legislation but robust enforcement mechanisms that hold companies accountable for violations, particularly when those companies prioritize profit over the well-being of vulnerable users.

The FTC's unanimous 4-0 decision against Epic Games resulted in substantial financial penalties and mandated changes to Fortnite's privacy practices. This landmark case carries several important implications for the gaming industry and digital privacy regulation more broadly. Several legal firms have provided excellent commentary in regard to the case (Direnfield et al., 2023; Thiess & Dimov, 2023).

First, the judgment sends a clear message to gaming companies that COPPA compliance is not optional, regardless of how they characterize their target audience. Claims that game policies are not specifically directed at children will no longer suffice as arguments against COPPA requirements. Second, the FTC order extended protections to all minors (including teenagers up to 17 years old), suggesting regulatory interest in safeguarding children beyond COPPA's original scope focused on those under 13.

The case also has significant international implications. The European Union's Digital Services Act (DSA), which became fully applicable in February 2024, explicitly prohibits "dark patterns" that "materially distort or impair the ability of recipients of the service to make free and informed decisions." This regulatory convergence across jurisdictions indicates a growing global consensus against manipulative design practices like those employed by Epic (Thiess & Dimov, 2023).

This precedent-setting judgment represents an important step toward better protecting children's privacy in digital environments. By imposing substantial penalties and mandating specific changes to business practices, regulators have signaled that violations of children's privacy carry significant consequences. The hope is that this case will motivate gaming companies and other digital platforms to prioritize children's privacy and safety by design, rather than treating privacy protections as optional features to be circumvented in pursuit of profit.

D. Sharenting / Sharenthood

Sharenting – "share" and "parenting" – refers to the growing trend of parents posting or sharing content (photographs, stories, information) about their children on social media platforms, such as Facebook, Instagram, and TikTok. This content can range from occasional photo posts to a dedicated and detailed account of a child's daily life and activities. Sharenting creates a digital identity for children before they can consent or fully understand the consequences of their private information being shared publicly (Kidday, 2023). On one hand, sharenting allows parents to celebrate milestones and share memories with family and friends. On the other hand, it raises serious concerns about the use, manipulation, and potential exploitation of children's digital presence, especially when such content is monetized. Regardless of the extent of sharing, it is never entirely harmless when it exposes children to lasting privacy risks.

This analysis applies legal and ethical frameworks to explore the privacy challenges and long-term consequences children face in today's social media landscape. It also examines the impact of sharenting on children's privacy, mental health, and personal identity, considering how these effects may extend into adulthood.

While public discourse often focuses on how social media harms children online and how young people may create or harm their own digital identities, far less attention has been paid to the intersection of parental decisions in the digital space and their long-term impact on children. In many ways, parents act as gatekeepers of their children's online presence. They are expected to protect their children's privacy and often require schools, organizations, and other entities to obtain explicit permission before sharing images or information about their kids. However, when it comes to their own social media activity, many parents share photographs, stories, and intimate details about their children without seeking the child's consent or anticipating future consequences. These disclosures inadvertently expose children to harm, giving them little protection as their online identity develops because they have no meaningful consent or autonomy in what is being narrated and shared by their parents.

One of the most pressing concerns is early exposure to social media and its role in shaping a child's long-term digital identity. A child's digital footprint begins when their first photo is posted online, sometimes as early as infancy. These digital traces can persist indefinitely, and as children grow, they may have to contend with an online identity created without their involvement or approval. This can affect their sense of agency, relationships, and even their professional lives in the future. A powerful example of this comes from Cam Barrett, who remembered the exact date of her first menstrual period, not because she documented it herself but because her mother posted about it on Facebook. "I was in fourth grade. I was 9 years old. The date was September 9, 2009. And my mom posted… something like, 'Oh my God, my baby girl's a woman today. She got her first period,'" Barrett told CNN. This personal moment, along with other private details, including medical diagnoses, tantrums, and the fact that she was adopted, was shared publicly by her mother throughout her childhood. Although the posts brought social media attention and perks like front-row celebrity concert tickets, Barrett said the oversharing led to bullying, anxiety, and long-term mental health struggles. "I didn't confide in adults during my teenage years because I feared my secrets would end up on social media," she said (Karimi, 2024).

In Cam Barrett's case, the psychological and emotional impacts of sharenting were significant and long-lasting. However, she is far from alone. These effects extend well beyond her experience, as parents around the world engage in sharenting, unaware of the potential harm it can cause to their children's well-being. A 2023 Guardian article reported that social media exposure contributes to body dissatisfaction and self-esteem issues in children when their appearances or behaviors are judged publicly (Hill, 2023). Much of the exposure children face on social media is often linked to their own usage; however, it frequently starts with content shared by their parents. These posts can present children in ways they cannot control. As a result, "sharenting" can become an early trigger for online scrutiny, leading to embarrassment, objectification, and pressure to perform. These experiences can contribute to mental health issues and confusion about self-worth.

Perhaps the most troubling case of sharenting is its potential for exploitation and manipulation when children's lives are turned into content for public consumption and profit. The rise of family vlogging channels illustrates this risk. A 2025 Guardian article reported on the documentary An Update on Our Family, which exposed the high-profile case of Myka and James Stauffer, YouTubers who shared intimate details about their adopted son Huxley, only to later "rehome" him after years of online exposure (Simonpillai, 2025). The child, who had autism, was featured in countless monetized videos, turning his personal challenges into entertainment and financial gain. This case showed how sharenting can damage ethical boundaries when parents, intentionally or not, prioritize content creation and audience engagement over their children's dignity and well-being.

In addition, photos and personal details shared online can be collected, repurposed, or exploited by third parties. In extreme cases, public content has been used in facial recognition training datasets or by individuals with malicious intent. The lack of regulation around how children's content is collected, accessed, and used through sharenting raises significant legal and ethical concerns. Frameworks such as COPPA and GDPR-K, which aim to protect children's data, often fall short in private and informal contexts like this. While sharenting may be viewed as a form of love and celebration, it carries unintended consequences that affect children's privacy, mental health, identity, and autonomy well into adulthood. Children may not consent or agree with the information shared about them on their parents' newsfeeds, whether positive or negative. Therefore, parents must consider both the intent behind these digital disclosures and their lasting impact on the children featured.

As parents increasingly share personal details about their children online, legal and regulatory frameworks struggle to keep up with the digital landscape. Current regulations fail to address the implications for children's privacy and autonomy in an environment where parental behavior and corporate data collection intersect. The Children's Online Privacy Protection Act (COPPA) is the primary U.S. federal law aimed at protecting the personal information of children under 13 on commercial websites and digital platforms. As digital privacy expert Leah Plunkett explained in an interview with Harvard Law Today, COPPA requires verifiable parental consent before collecting personal information from children and grants parents the right to access and delete that data. However, Plunkett argues that COPPA is insufficient for sharenting and today's evolving digital privacy landscape. Even with safeguards in place, tech platforms can exploit loopholes. For example, while companies may avoid collecting data from children's own accounts, they can still gather data indirectly, such as through parents' posts that discuss or feature their children. This becomes problematic in the context of sharenting, where children's personal information is voluntarily shared by their legal guardians, bypassing the need for corporate surveillance altogether.

The U.S. Senate recently passed a proposal called "COPPA 2.0", marking the most significant overhaul of the law since its inception. If passed by the House and signed into law, COPPA 2.0 would expand protections to include children up to age 16 (rather than just under 13), prohibit targeted advertising to minors, and introduce stricter data minimization and transparency standards. While it has not yet become law, its initiative would help revise the U.S. privacy framework to better address the complexities of today's online environment, where platforms and content creators, including parents, frequently share and monetize children's data.

In August 2024, the Federal Trade Commission (FTC) sued TikTok for violating the terms of a 2019 court order and COPPA, alleging "massive-scale invasions of children's privacy." According to the DOJ, TikTok continued to collect and maintain data about children under 13, including versions of the app explicitly marketed for young users. This case and others like it that involved Google, YouTube, and Epic Games reflect a broader push by federal agencies to hold social media platforms accountable. Yet these efforts still have gaps when the primary source of data exposure is the child's own parents or caregivers. Sharenting raises important ethical concerns grounded in the Belmont Report's principle of Respect for Persons, which emphasizes protecting individuals with diminished autonomy like children, who cannot meaningfully consent to the involuntary creation of their digital identity. In this context, parents and guardians hold dual roles where they are both responsible for protecting their child's privacy and, simultaneously, among the most likely to compromise it. As Plunkett notes in her book "Sharenthood," parents often "inadvertently compromise our children's privacy" through enthusiastic sharing of school photos, personal milestones, or medical details, without considering the long-term consequences.

Legal frameworks, including COPPA and GDPR-K, currently apply only to businesses, leaving parental behavior largely unregulated. However, some states are beginning to fill this gap. In 2023, Illinois passed a law that aims to protect "kidfluencers" – children whose lives are monetized through social media by their parents – and to require parents to compensate them. The law ensures that a portion of earnings from family vlogs or content featuring children must be held in trust for the child, offering at least some protection from financial exploitation. Yet, financial safeguards alone do not fully address the core issues of consent, autonomy, and mental well-being. Children deserve private spaces where their behaviors, identities, and development are not constantly being curated and broadcast. The desire for future anonymity, where children can grow up without a pre-written digital narrative, must also be acknowledged. Furthermore, as social interactions unfold in digital spaces, children may face bullying, emotional distress, or social exclusion as a direct result of what their parents have shared about them online.

A comprehensive solution is necessary to address these challenges. First, ethical education and digital literacy are needed for both children and parents. Promoting best practices for sharing includes asking children for permission before posting and avoiding personal or sensitive content. Also, parents should be mindful of the audience and the permanent nature of their digital posts. Adopting privacy-respecting provisions, such as password-protected albums or private messaging, can allow parents to share updates with close friends and family without compromising their child's online safety. Second, updated federal legislation such as COPPA 2.0 and KOSPA (Kids Online Safety and Privacy Act) should be passed to expand privacy protections for minors, including those over age 13. KOSPA would not only update existing laws but also require platforms to implement age-appropriate design standards, increase transparency around data use, and provide more robust tools for reporting and controlling exposure. Protecting children online is a shared responsibility among parents, platforms, policymakers, and educators. As digital spaces become more deeply integrated into everyday life, the cultural norm around sharenting must evolve toward one that prioritizes the child's rights, safety, and autonomy.

IV. Synthesis and Comparative Analysis

Significant commonalities emerge across the cases involving Epic Games, WW International, Microsoft, and sharenting practices, demonstrating systemic failures to protect children's digital privacy and autonomy. By applying the frameworks proposed by Solove, Nissenbaum, and Mulligan et al., these analyses provide a deeper understanding of why these violations persist and the implications for future policy and ethical considerations.

A. Lack of meaningful consent mechanisms

Evidence across all the cases shows a failure to implement meaningful consent mechanisms. Epic Games allowed minors to engage with features like voice, text chat, and in-game purchases without verifiable parental consent. Similarly, WW International's Kurbo app inadequately verified users' ages and failed to obtain proper consent from guardians, resulting in the unauthorized collection of children's sensitive health data. Microsoft also exemplified this trend by collecting personal information during Xbox account registrations before verifying users' ages, often retaining the data even when accounts were incomplete. Moreover, sharenting excludes children from consent processes entirely, as parents decide unilaterally what content to share.

Through Solove's privacy taxonomy, these actions represent "information processing harms," including surveillance and exclusion, where users lack meaningful control or awareness over their data. According to Mulligan et al.'s multidimensional analysis, these failures undermine the protection and provision dimension, stripping children and parents of agency over critical decisions about personal information.

B. Exploitation of ambiguous legal boundaries

All cases illustrate how companies exploit vague or ambiguous legal frameworks around child privacy. COPPA regulates commercial entities but not parents, leaving sharenting unregulated despite its risks. Epic Games and Microsoft exploited uncertainty about whether their platforms were explicitly child-directed, even when there was substantial evidence of underage user bases. WW International similarly used the ambiguity between health promotion and dieting, marketing its app in a way that evaded regulatory scrutiny.

Using Nissenbaum's Contextual Integrity framework, these cases show significant breaches of contextual expectations and norms concerning children's privacy. In each example, data collection and usage violated socially recognized standards for how and when children's information should be handled. This misalignment of contexts resulted in problematic and inappropriate information flows that compromised children's safety and privacy. Mulligan et al. stress the importance of the scope dimension, emphasizing the need for special protections for vulnerable groups such as children, which were noticeably lacking in each case.

C. Systematic targeting of youth through UX/UI design

The deliberate design of user experiences and interfaces to attract, retain, and exploit young users was a consistent feature across these examples. Epic Games employed manipulative "dark patterns" to encourage impulsive in-game purchases and created a communication environment that exposed minors to potential harm. Microsoft prioritized seamless user onboarding over robust privacy protection, and WW International intentionally obscured privacy notices, which made consent a complicated process. Sharenting involves parents deliberately structuring content around children to maximize visibility and engagement.

These manipulative designs represent what Solove defines as invasions and decisional interference that prompt users, particularly children, to make decisions contrary to their own interests. Mulligan et al. underscore how these practices violate the dignity principle by reducing children from autonomous individuals to mere data subjects or engagement metrics. Such systematic targeting emphasizes profitability and platform growth over ethical responsibility and child welfare.

D. Inadequacy of Existing Regulatory Frameworks

These cases collectively demonstrate that existing regulatory frameworks—particularly in the United States—are outdated, reactive, and insufficient to protect children's privacy in today's digital ecosystems. COPPA, the primary U.S. law addressing children's data, only applies to users under 13, relies on vague definitions of "child-directed," and places the burden of enforcement on under-resourced regulatory bodies. It also fails to account for emerging threats like algorithmic profiling, biometric data collection, and family-based disclosures like sharenting.

Even GDPR-K, while more comprehensive in theory, suffers from uneven enforcement and overreliance on formalistic consent mechanisms that may not be developmentally appropriate. As seen in each case, platforms and parents alike are able to exploit these legal blind spots with minimal accountability. Across the frameworks we analyzed—including the Belmont Report, Solove's Taxonomy, Nissenbaum's Contextual Integrity, and Mulligan et al.'s Multidimensional Analytic—it becomes clear that current legal structures fall short of their own ethical aspirations. Without broader, anticipatory, and enforceable standards tailored to the evolving digital experiences of children, privacy harms will continue to outpace the protections meant to prevent them.

V. Recommendations and Policy Proposals

The pattern of violations identified across our case studies reveals significant gaps in the current legal, ethical, and policy frameworks governing children's online privacy. Whilst COPPA and GDPR provide important foundations for children's privacy, they remain insufficient in the evolving digital landscape. We have identified key cases where COPPA and GDPR were insufficient to provide adequate protections to children. Here we make several proposals and recommendations to strengthen children's privacy protections, with clear indication of responsible regulatory bodies and implementation feasibility.

A. Update COPPA/GDPR and Regulatory Oversight (Medium-term Implementation)

Two major regulatory frameworks governing children's digital privacy globally—COPPA and GDPR-K—have become increasingly inadequate in the face of rapid technological evolution. COPPA, enacted by Congress in 1998 and updated in 2013, and GDPR-K, adopted by the EU in 2016, were established before the proliferation of AI systems, sophisticated biometric tracking, and advanced inferential data analytics (FTC, 2025; Wilhelm, 2016). These frameworks now represent significant regulatory blind spots in addressing contemporary digital challenges. The Epic Games case starkly illustrates this inadequacy, where deliberately manipulative "dark patterns" were deployed to systematically exploit children's developmental vulnerabilities, leading them to make unintended purchases and exposing them to unknown adults through default communication settings (Direnfield et al., 2023). Similarly, the Weight Watchers case demonstrates how companies can aggressively harvest children's sensitive behavioral data—including intimate details about food consumption, physical activity, and body metrics—without meaningful oversight. These cases do not merely represent isolated corporate malfeasance but rather expose fundamental structural deficiencies in our regulatory architecture. The significant gaps between rapidly advancing technological capabilities and static regulatory frameworks have created a permissive environment where children's privacy rights are systematically compromised through increasingly sophisticated surveillance mechanisms operating beyond the reach of outdated legal protections.

Specific Recommendations:

  • Major regulatory frameworks need to explicitly include derived data such as behavioral patterns and inferred preferences as 'personal information.'
    • Responsible bodies: U.S. Congress (for COPPA amendments), European Commission, and European Parliament (for GDPR-K updates)
    • Feasibility: Moderate - requires legislative action but has growing political support
  • Mandate privacy impact assessments for any product where children are involved, with particular attention to effects on children.
    • Responsible bodies: Federal Trade Commission (U.S.), Data Protection Authorities (EU)
    • Feasibility: High - can be implemented through regulatory guidance without new legislation
  • Establish clear, enforceable regulatory standards for companies using AI systems that process children's data, requiring transparency about algorithmic decision-making.
    • Responsible bodies: Federal Trade Commission (U.S.), European Data Protection Board (EU), National Data Protection Authorities
    • Feasibility: Moderate - can leverage existing enforcement powers but requires technical expertise

B. Regulate Child Influencer Labor and Family Content Monetization (Long-term Implementation)

The "sharenting" phenomenon has created a situation where children's privacy rights and labor protections intersect in ways not anticipated by existing frameworks. Unlike traditional child entertainment industries (film, television, theater) that have established protections like the Coogan Laws, the digital creator economy operates with minimal oversight despite involving similarly intensive child participation (Steinberg, 2024). This mandates new regulations to protect minors in this instance.

Specific Recommendations:

  • Establish "kidfluencer" regulations that mandate trust accounts similar to the Coogan Laws for child actors.
    • Responsible bodies: State legislatures in the U.S. (following California's lead), National labor ministries (EU countries)
    • Feasibility: Moderate - can build on existing child performer frameworks, but requires new legislation
  • Require content review processes for monetized family channels featuring minors.
    • Responsible bodies: Federal Communications Commission (U.S.), Media regulatory authorities in EU member states
    • Feasibility: Challenging - requires new regulatory frameworks for digital content
  • Create mandatory "right to erasure" provisions for content featuring minors.
    • Responsible bodies: Federal Trade Commission (U.S.), Data Protection Authorities (EU)
    • Feasibility: High for EU (building on existing GDPR provisions), Moderate for U.S. (requires new federal legislation)
  • Limit the hours children can appear in monetized content.
    • Responsible bodies: Department of Labor (U.S.), National labor ministries (EU)
    • Feasibility: Moderate - requires extending existing child labor laws to digital platforms

C. Create Ethical Guidelines for "Family Creators" and Digital Parenting Platforms (Short-term Implementation)

In addition to legal protection for children's privacy when considering online platforms, there also should be consideration of ethical guidelines. Family content creators operate in an ethical gray area, with limited guidance on balancing parental rights and children's privacy interests. As discussed earlier, privacy violations can lead to psychological harms that are long lasting.

Specific Recommendations:

  • Mandate the creation of ethical guidelines for platforms hosting family content.
    • Responsible bodies: Federal Trade Commission (U.S.), European Data Protection Board (EU), major technology industry associations
    • Feasibility: High - can be initiated through industry self-regulation and supported by regulatory guidance
  • Establish industry standards for parental sharing of children's data and images.
    • Responsible bodies: National Institute of Standards and Technology (U.S.), European Union Agency for Cybersecurity (ENISA), industry consortia
    • Feasibility: High - can be developed through multi-stakeholder processes without legislation
  • Require platforms to provide easy-to-use tools for parents to audit and manage their children's digital footprint.
    • Responsible bodies: Federal Trade Commission (U.S.), Data Protection Authorities (EU), platform companies
    • Feasibility: High - can be implemented through existing regulatory authorities' guidance
  • Support research on the long-term impacts of childhood digital exposure.
    • Responsible bodies: National Institutes of Health (U.S.), European Research Council
    • Feasibility: High - funding can be allocated through existing research programs
  • Create "right to be forgotten" mechanisms for formerly featured children.
    • Responsible bodies: Federal Trade Commission (U.S.), Data Protection Authorities (EU)
    • Feasibility: High for EU (expanding existing GDPR mechanisms), Moderate for U.S. (requires new guidelines)

D. Require Privacy-by-Design Defaults for Children's Apps (Short-term Implementation)

The Epic Games case highlighted many flaws of a privacy approach that is reactive rather than proactive. Significant harms arose in that case study because of the lack of a privacy-by-design approach and the lack of sufficient regulatory oversight (Direnfield et al., 2023). We therefore strongly recommend that, in the case of children's apps, privacy-by-design be a mandatory starting point.

Specific Recommendations:

  • Mandate the highest privacy settings by default for any user identified as a minor.
    • Responsible bodies: Federal Trade Commission (U.S.), Data Protection Authorities (EU)
    • Feasibility: High - implementable through existing regulatory enforcement powers
  • Mandate that children cannot communicate with unknown adults on platforms without explicit parental permission.
    • Responsible bodies: Federal Trade Commission (U.S.), Data Protection Authorities (EU), platform companies
    • Feasibility: High - can be implemented through design requirements in existing regulations
  • Require two-factor authentication for purchases by default.
    • Responsible bodies: Federal Trade Commission (U.S.), Consumer Financial Protection Bureau (U.S.), European Banking Authority, payment processors
    • Feasibility: High - can be implemented through industry standards and existing consumer protection frameworks
  • Prohibit the use of behavioral or inferential algorithms that trick children into making purchases or sharing information.
    • Responsible bodies: Federal Trade Commission (U.S.), Data Protection Authorities (EU), Consumer Protection Agencies globally
    • Feasibility: Moderate - requires clear definitions of manipulative design practices
  • Create mandatory cooling-off periods for financial transactions in child-accessible applications.
    • Responsible bodies: Consumer Financial Protection Bureau (U.S.), European Banking Authority, financial regulators globally
    • Feasibility: Moderate - requires coordination with payment processors and platform regulations

E. Design Age-Appropriate Consent Flows with Youth Voices Included (Medium-term Implementation)

Current consent mechanisms rely on binary parent/child distinctions that usually fail to account for the view of children in the development process. Furthermore, challenges arise because legal frameworks cover certain ages (e.g., COPPA vs GDPR) and fail to consider that there are key differences between age groups.

Specific Recommendations:

  • Create youth advisory boards at regulatory bodies to incorporate youth perspectives.
    • Responsible bodies: Federal Trade Commission (U.S.), Data Protection Authorities (EU)
    • Feasibility: High - can be established through administrative action without legislation
  • Develop tiered consent frameworks that recognize increasing autonomous decision-making capacity as children mature.
    • Responsible bodies: Federal Trade Commission (U.S.), European Data Protection Board (EU), platform companies
    • Feasibility: Moderate - requires rethinking current regulatory approaches to age verification
  • Require platforms to present privacy information in developmentally appropriate formats.
    • Responsible bodies: Federal Trade Commission (U.S.), Data Protection Authorities (EU), consumer protection agencies
    • Feasibility: High - can be implemented through regulatory guidance and enforcement actions
  • Establish regulatory standards for obtaining "meaningful consent" as articulated by Citron's Technological Due Process framework.
    • Responsible bodies: Federal Trade Commission (U.S.), European Data Protection Board (EU), academic institutions
    • Feasibility: Moderate - requires legal evolution of consent standards
  • Require periodic re-consent prompts rather than permanent permissions.
    • Responsible bodies: Federal Trade Commission (U.S.), Data Protection Authorities (EU), platform companies
    • Feasibility: High - can be implemented through design requirements in existing regulations

F. Implementation Priority

In terms of implementation priority, we recommend focusing on:

  • Immediate actions (within 1 year): Privacy-by-design defaults (Section V.D) and ethical guidelines (Section V.C), which can be implemented through existing regulatory powers and industry self-regulation.
  • Medium-term reforms (1-3 years): Updates to COPPA/GDPR (Section V.A) and age-appropriate consent mechanisms (Section V.E), which require more substantial regulatory changes but have clear paths forward.
  • Long-term structural changes (3-5 years): Child influencer labor regulations (Section V.B), which require new legislative frameworks and international coordination.

Rapidly evolving technology requires adaptive regulatory approaches to ensure that children's fundamental rights remain protected in increasingly complex digital ecosystems. By clearly delineating regulatory responsibility and creating realistic implementation timelines, these recommendations provide a practical roadmap for meaningful reform.

Protecting children's online privacy requires a comprehensive approach that extends beyond traditional regulatory frameworks. By implementing these recommendations, policymakers can address the significant gaps identified in our analysis and create a digital environment that respects children's dignity, autonomy, and developmental needs. These proposals reflect the complex nature of privacy in the digital age and acknowledge the special responsibilities in protecting children.

VI. Conclusion

The landscape of children's online privacy is shaped by a fragmented mix of outdated legal protections, ethically questionable platform design, and enforcement mechanisms that too often react only after harm has occurred. Across the case studies examined—Microsoft, Epic Games, Weight Watchers, and the broader phenomenon of sharenting—we observed a consistent pattern: children's data is treated as an afterthought, and their vulnerability as digital users is exploited through weak defaults, opaque consent flows, and manipulative interfaces.

Our analysis reveals that existing legal frameworks like COPPA, while foundational, are no longer sufficient to address the full scope of privacy risks facing children in today's digital environments. Compared to more comprehensive and enforceable international standards like GDPR-K, U.S. regulation falls short both in its normative reach and in the magnitude of its penalties. However, GDPR is not without limitations. Its implementation remains uneven across member states, and enforcement can be slow or inconsistent. Moreover, like COPPA, GDPR still relies heavily on consent-based mechanisms that may not be developmentally appropriate or easily understood by children and their guardians. Even so, GDPR's emphasis on data minimization, accountability, and design-based protections offers a more holistic foundation for children's digital rights.

Ethically, companies continue to violate core principles of autonomy, beneficence, and justice—as articulated in the Belmont Report and supported by frameworks like Contextual Integrity, Solove's Privacy Taxonomy, and Mulligan et al.'s Multi-Dimensional Analytic. These violations persist not simply because of legal loopholes, but because dominant design logics prioritize data collection, engagement, and monetization over child well-being.

Beyond the letter of the law, our research points to the urgent need for platforms to adopt a child-centered design philosophy—one that respects developmental limitations, integrates meaningful parental involvement, and builds privacy safeguards into every layer of the user experience. Regulatory enforcement must be proactive rather than reactive, and policymakers should prioritize harmonizing international standards to ensure children's data is protected regardless of where or how they engage online.

Without a shift toward more ethical, anticipatory governance, the burden of privacy protection will continue to fall on the very users least equipped to defend themselves. As technology continues to evolve, so too must our legal, ethical, and policy responses—especially when the rights and futures of children are at stake.

VII. Positionality and Reflexivity Statements

As a team, we bring a range of personal experiences, generational perspectives, and professional backgrounds to our analysis of children's online privacy. While our individual viewpoints differ, we share a common concern about the insufficiency of current legal and ethical protections for children navigating today's digital landscape. The following statements reflect how each of us approached the topic, including the values, experiences, and potential blind spots we brought to this project.

Sarah Julius: As someone who hopes to have kids one day, protecting children from potential dangers online is something I am very concerned about. I grew up with the early internet, so I have been exposed to the evolving online world my entire life. I have had the opportunity to see both the good and the bad sides of the internet, and hope that future children will be protected from many of the same things that my friends fell for in the early 2000s. With this perspective, I feel that I am in an ideal position to look at the shortcomings and successes of frameworks and regulations relating to child safety and privacy on the internet.

Joseph Chan: As a millennial, I was raised in an era of a nascent digital world, which was deeply unregulated. As a willing participant in this world, I am heavily influenced by both the benefits and detriments I saw in this 'digital wild west'. Now, as a parent of a young child, I am driven to see a digital space that is built to protect those who lack the capacity to protect themselves. As a physician, I also deeply understand individual and societal responsibilities to children as a particularly vulnerable group. However, reflexively, I acknowledge that there may be inherent bias when viewing this area through those lenses. In particular, I acknowledge that I lack a corporate viewpoint that my peers may have, but I seek to remain open and objective in this project.

Serina Li: As a member of Gen Z, I grew up immersed in digital technologies and witnessed firsthand how platforms evolved—often at the expense of user privacy and autonomy. My experience navigating the internet as a young person informs my awareness of how easily children's data can be collected, used, or misused. Professionally, I work at the intersection of law and data science, and I approach children's online privacy through both a regulatory and technical lens. While I do not yet have children, I hope to in the future—and that shapes my perspective on the need for safer, developmentally appropriate digital spaces. My training equips me to critically evaluate frameworks like COPPA and GDPR-K, though I recognize this systems-level view can sometimes obscure the lived realities of children and families. Throughout this project, I've tried to remain mindful of that distance while advocating for more ethical and protective approaches to children's privacy online.

Ambro Quach: As someone who grew up in the early, pre-social-media days of the internet, platforms like Yahoo and basic message boards were the only gateways online. My childhood was untouched by the pervasive data collection, algorithmic targeting, and hyper-social connectivity that define today's digital landscape. While the digital world can facilitate connections and foster community, it can also intensify the risks of surveillance, harassment, and data exploitation. Reflecting on my own experience, I realize that the simplicity of my time protected me from these complex risks that children face today. As the internet has evolved into an immersive and often exploitative space, I believe we have a responsibility to cultivate a more sustainable and ethical digital space for the younger generations. Children today deserve to grow up in a safe online setting, protected from the compounded digital harms that were not a concern during my childhood.

VIII. References

A data ethics project from UC Berkeley's School of Information, by Ambro Quach, Joseph Chan, Sarah Julius, and Serina Li.
