Legal Counsel Alert: Children’s Privacy Is Everyone’s Problem - Even If Your Company Doesn’t Target Kids

As in-house counsel or Chief Legal Officer,  you’re the gatekeeper of risk, responsible for ensuring your organization is not only compliant on paper, but in practice. When it comes to children’s online data privacy and safety, that responsibility is rapidly expanding.

Even if your company doesn’t target children and minors, it may be likely to be accessed by them or not have the correct controls to keep them out. Children are online, using platforms where they have circumvented age checks and lied about their age. That means your company may be processing their personal data unintentionally, and without affording them the protections and safety measures that regulations require.

Here’s the Reality: You’re Still on the Hook
Worldwide, one in three internet users are under 18. U.S. regulators, state attorneys general, and international data protection authorities have made it clear: failure to identify and appropriately handle children and their data is not okay, even if your terms of service states users must be 18 or older.

Ignorance isn’t a defense.

What’s Shifting— Fast

The COPPA Rule has been updated: Updates require written information security programs, documented protocols, and regular testing of systems and data handling practices involving children. Companies have until April 22, 2026, to comply. That isn’t long.

International regulations are leading the way: The GDPR (including the UK’s Children’s Code), Online Safety Act, Digital Services Act and other global regulations require privacy and safety by design and age assurance.

State laws are raising the bar: California, New York, Texas, Florida, Utah, Virginia, Nebraska, Tennessee, Vermont, and others are expanding protections and obligations for online platforms, especially regarding profiling, behavioral advertising, and algorithmic impact on minors.

Fines, enforcement action and brand damage are on the increase: Global penalties for children’s data violations have topped $1.3 billion and this is just the beginning.

Robust policy and process protects: Policies that state no data collection from minors without robust processes to ensure this don’t cut it. Working with a neutral third party like PRIVO helps to minimize data collection and processing for your organization, mitigates risk and supports brand trust and integrity. It’s always wise to have someone else check your homework.

A third-party audit can reveal:

• Gaps between policy and practice
• Unintentional data collection via SDKs, cookies, or integrations
• Third-party processors that don’t meet requirements
• Failure to enforce age gates, meet age assurance requirements or obtain parental consent
• Data categorization issues that expose your company to enforcement

Key Questions Legal Should Be Asking

• Are we collecting personal data from minors— knowingly or not?
• Do we have proper documentation for how children’s data is handled and protected?
• Have we vetted our third-party processors for COPPA, GDPR, Children’s Codes and other relevant privacy regulations compliance?
• Do we have jurisdiction-aware processes that adjust based on country and state laws?
• When was the last time we had an external privacy or security audit?

Action Items

✔  Perform a Child Data Risk Assessment – Work with internal teams and a trusted third-party like PRIVO to identify data collection and processing, map it to risk and mitigate the risk with controls.

✔ Update Contracts and Vendor Due Diligence – Ensure third-party processors and partners are contractually obligated to and comply with relevant children’s privacy laws.

✔ Build Cross-Functional Protocols – Collaborate with Trust & Safety, Security, and Product teams to align compliance requirements with operational execution.

✔ Engage with experts – PRIVO’s team of experts brings experience and solutions to support compliance while meeting business needs.

Final Thoughts
Legal teams are essential in protecting companies from regulatory risk but often benefit from the support of subject matter experts entrenched in day-to-day compliance on the ground and with industry experience. Let PRIVO be your trusted expert. We’ll help you verify compliance, spot unseen risk, and ensure your compliance position is backed by operational reality.