Global Privacy Sweep Finds Children’s Data Still Under Pressure a Decade On

Key Takeaways

• Data Collection Expanding: More platforms now require personal information (such as email, usernames, and even geolocation) to access full functionality, marking a clear increase since 2015
• Age Checks Falling Short: While age assurance measures are more common, 72% can be easily bypassed, raising concerns about their real-world effectiveness
• Transparency Gaps Persist: Most services still fail to present privacy information in a way children can understand, limiting meaningful awareness and consent
• Limited User Control: Over a third of platforms do not provide an easy way for users to delete accounts, highlighting ongoing usability and rights issues
• Risk Outpacing Safeguards: Despite visible improvements, the overall risk to children’s privacy appears to be increasing as data-driven models become more entrenched

Deep Dive

A decade after regulators first put children’s online privacy under the microscope, a new global sweep suggests the landscape has shifted, but not necessarily in ways that reduce risk.

The 2025 exercise, led by the Global Privacy Enforcement Network, examined nearly 900 websites and apps used by children, with participation from 27 privacy authorities worldwide. By replicating a similar sweep conducted in 2015, regulators were able to draw a direct comparison between how platforms treated children’s data then and how they do now.

What emerges is a picture of incremental progress layered over deeper structural concerns.

Some protections are more visible today. Platforms are more likely to discourage children from sharing personal details, and location sharing is often turned off by default. Age checks have also become more common.

But at the same time, the volume of personal data being requested from children has increased, and in many cases, access to core features now depends on providing it.

More than half of the services reviewed required an email address to unlock full functionality. Half required usernames. Nearly half collected geolocation data. Regulators noted that this marks a clear increase compared to 2015.

There is also a noticeable shift in how platforms frame data use. More services now explicitly state in their privacy policies that personal data may be shared with third parties, reflecting broader changes in digital business models.

Age Checks Present but Easily Circumvented

If there is one area where progress appears more widespread, it is age assurance. But the sweep found that these measures often fall short in practice.

In 72 percent of cases, participants were able to bypass age checks, most commonly where platforms relied on self-declaration. That raises questions about whether these controls are functioning as meaningful safeguards or simply as formalities.

The concern becomes more pronounced where platforms involve higher-risk features, including more intensive data processing or exposure to inappropriate content. In those cases, ineffective age controls leave children with limited protection.

Persistent Gaps in Transparency and Control

Beyond how data is collected, the sweep points to ongoing shortcomings in how platforms communicate with and empower younger users.

Seven in ten services did not provide privacy information in a way that could reasonably be understood by children. More than one third lacked a clear and accessible way to delete an account. And among platforms identified as having higher-risk features, only a minority directed users to seek parental permission before continuing.

These findings suggest that while awareness of children’s privacy obligations has grown, implementation remains uneven.

A Changing Risk Environment

The sweep was not designed to determine compliance or trigger enforcement. But regulators have indicated that the findings may inform future engagement with organizations and, where necessary, regulatory action.

In the meantime, authorities are encouraging companies to take a more deliberate approach to protecting children online. That includes strengthening age assurance, limiting data collection, providing clearer privacy notices, and making it easier for users to delete accounts.

The comparison with 2015 ultimately underscores a broader shift. The tools used to protect children’s privacy may be more visible than they once were, but the systems collecting and using their data have grown more complex and more demanding.

For regulators, that tension is becoming harder to ignore.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.