The right to digital privacy for minors

"No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation." The text was drafted in 1989, before mass internet adoption. Its application to digital environments is the subject of General Comment 25 (2021), which extends the right to digital spaces and specifies that states must require businesses to undertake child-rights impact assessments. The Convention has been ratified by every UN member except the United States. This absence shapes US children's-privacy debates: the affirmative-rights framing that animates European and Commonwealth law has no domestic constitutional foothold here. American children's privacy is built from a patchwork of statutes and Fourth Amendment doctrines, not from a unifying rights instrument. The architectural difference matters for what advocates can plausibly demand.

Robert Selman's stages of perspective-taking, Erikson's identity-versus-role-confusion stage, and the maturation of the prefrontal cortex through the mid-twenties all imply that privacy interests grow gradually rather than appearing at thirteen or eighteen. Empirical work on adolescents' privacy preferences (Marwick and boyd, 2014; Livingstone, 2018) confirms that teenagers actively manage privacy across multiple audiences from roughly age eleven onward, with strategies becoming more sophisticated through middle adolescence. The legal regimes' binary cutoffs flatten this gradient. A policy that takes the gradient seriously would specify tiered rights: parental-consent-with-child-input for under-12s, child-consent-with-parental-notice for 12-15s, child-consent for 16-17s, except where specific risks justify deviation. No legislature has drafted such a tiered regime. Several have drafted something like it for medical privacy. Translating that to digital privacy is overdue.

The parental-monitoring software market is projected to exceed $3.5 billion globally by 2027. The leading products differ in approach: keyword-based alerting (Bark), full-content review (Gaggle), location and driving telemetry (Life360), screen-time and app blocking (Apple, Google, Qustodio), and AI-summary digests of children's communications (newer entrants since 2024). Each product makes different privacy trade-offs. AI-summary tools, in particular, raise new questions: they read everything but show parents only summaries, which feels less invasive while being more comprehensive. Parents who adopt these tools without understanding the architecture often end up with more surveillance than they intended. Honest product disclosures — what is read, what is stored, what is shared with the vendor — are not yet standardized.

Pamela Wisniewski and collaborators at the University of Central Florida (now Vanderbilt) have produced the most sustained empirical critique of parental-control software. Their findings, across multiple studies from 2017 to 2024: high-surveillance regimes correlate with reduced parent-child communication about online experiences, increased adolescent secrecy, and no measurable improvement in actual online-risk avoidance. The mechanism is not mysterious. Adolescents who feel surveilled treat the monitored channel as compromised and migrate to unmonitored channels — burner accounts, peer-borrowed devices, Discord servers their parents don't know about. The risks they then encounter are higher because parental visibility is lower. Wisniewski's recommended alternative is "teen-centric" design that supports adolescent self-regulation and prompts conversation rather than substituting surveillance for relationship.

A typical child born in 2010 had several thousand images shared online by parents before her tenth birthday. A child born in 2025 will have substantially more, and many will include AI-processed or AI-generated variants. None of this content was consented to by the child. Some of it is innocuous. Some of it is humiliating, medically sensitive, or commercially exploited (family vloggers, sponsored-content children). France passed a law in 2024 requiring parents to consider children's privacy when posting and creating cause-of-action rights for children against parents who violate. The law is largely symbolic — no French child has yet sued — but its drafting captures something real. The 1,000-page manual asks parents to apply a simple rule: do not post what your child cannot retract at eighteen.

Gaggle, GoGuardian Beacon, Securly Aware, and similar school-surveillance products monitor student communications on school-issued devices and accounts. Investigative reporting (most notably by The 74 and the Center for Democracy and Technology, 2021-2024) has documented that these systems disproportionately flag LGBTQ students (for searches related to identity, support, or community), students of colour (for vernacular language flagged as threatening), and students writing about trauma or mental health for class assignments. The flags trigger reviews by school staff, sometimes by school resource officers, sometimes by local police. Court doctrine grants schools wide latitude under New Jersey v. T.L.O. (1985). Parents whose children attend public schools should know what software is deployed, what is monitored, and what the disclosure protocols are. Most parents do not know.

The Children's Online Privacy Protection Act (1998) requires verifiable parental consent for collection of personal information from children under 13. Its drafting predates social media, smartphones, and behavioural advertising. The under-13 line was a negotiation artifact, not a developmental finding. The "actual knowledge" standard — platforms are liable only if they know a user is under 13 — created a structural incentive to remain ignorant. The FTC's recent enforcement has tried to push the standard toward "constructive knowledge," but the statutory architecture limits how far that can go. COPPA 2.0 would raise the age to under-17 and clarify the knowledge standard. It has been pending in Congress for five years. The legislative paralysis is not because the policy is contested; it is because the floor time required to advance it has been displaced by other priorities.

The General Data Protection Regulation (Article 8) sets a default age of 16 for children's data-processing consent, with member-state discretion to lower to 13. Most member states have lowered. The German Federal Data Protection Act sets 16; the UK Data Protection Act 2018 sets 13; France sets 15. The variation makes pan-European compliance complex for platforms and creates uneven protection for children. The EU's Better Internet for Kids strategy (BIK+, 2022) attempts coordination without harmonization. The pragmatic effect is that European children get meaningfully stronger privacy protection than American children, but with significant cross-border variation that limits the model's clarity. The lesson for US federal legislation: a single national standard, even imperfect, beats fifty-state variation.

California's Age-Appropriate Design Code Act, the UK ICO Code, and several proposed federal bills (COPPA 2.0, KOSA) ban or severely restrict behavioural advertising to minors. The economic stake is substantial. Industry estimates of revenue at risk from a US-wide under-17 behavioural-advertising ban range from $4 to $11 billion annually. The platforms have therefore lobbied aggressively against age-line increases and consent-based architectures. Where bans have been implemented (UK contextual-advertising-only rules for under-18s on platforms that opted in), the platforms' revenue declined less than predicted because contextual advertising is more effective than industry rhetoric admits. The 1,000-page manual treats behavioural-advertising bans as the highest-leverage privacy intervention available to collective parenthood: it changes the economic model, which changes everything downstream.

Generative AI models trained on web-scraped corpora have ingested billions of images, posts, and conversations involving minors. Some of this content was posted by the minors themselves; much was posted by parents, schools, news outlets, or platforms. The legal status of training-data inclusion is contested (Andersen v. Stability AI, NYT v. OpenAI, Getty v. Stability AI). Children's specific rights in this context are barely litigated. A child whose face appears in a 2017 family Facebook photo may now be findable through a generative-AI face-similarity tool. A child whose creative writing was posted to a fan-fiction site may be replicable in style by a model. The remediation paths — opt-out registries, training-data audits, deletion rights — are emerging slowly. Parents who care about their children's long-term digital footprint should now think about training-data exposure, not just platform exposure.

The constitutional protection of US children's privacy from state action depends on a string of decisions — Tinker (school speech), T.L.O. (school searches), Vernonia (random drug testing), New Jersey v. T.L.O. (reasonable suspicion), Riley v. California (cellphone searches require warrants for adults). The doctrines do not coherently extend to digital school-issued devices, social-media monitoring, or geolocation tracking. The Supreme Court has not yet taken a case that resolves whether school officials need a warrant to read a student's private messages on a school-issued laptop. Lower courts are split. Parents who want clarity should support test-case litigation. The ACLU, EFF, and several academic clinics are running such cases.

The infrastructure of a genuinely child-respecting digital-privacy regime would include: tiered consent regimes mapped to developmental stages; default data-minimization architectures audited annually; behavioural-advertising bans through age seventeen; school-surveillance disclosure mandates with parent-and-student review rights; meaningful enforcement budgets at federal and state levels; a private right of action for children harmed as adults by data their parents posted; training-data deletion rights for content involving minors; and federal preemption only where the federal floor is high enough to justify it. None of this is utopian; pieces exist in pieces of jurisdiction. Stitching the pieces together is the work. Collective parenthood at the political scale is the constituency that can do it. The constituency is currently distributed, fatigued, and underserved by its intermediaries. Organizing it is the bottleneck.

1. Livingstone, Sonia. "Children's Privacy Online: Experimenting with Boundaries Within and Beyond the Family." In Children, Media, and Culture, 145-167. London: Sage, 2018. 2. Collier, Anne. "Sharenting and the Limits of Parental Authority." NetFamilyNews, July 2024. 3. Thierer, Adam. "Privacy as a Process: Reframing the Children's Privacy Debate." Mercatus Working Paper, May 2022. 4. boyd, danah, and Alice Marwick. "Networked Privacy: How Teenagers Negotiate Context in Social Media." New Media & Society 16, no. 7 (2014): 1051-1067. 5. Aiken, Mary. The Cyber Effect. New York: Spiegel & Grau, 2016. 6. Solove, Daniel J. Nothing to Hide: The False Tradeoff Between Privacy and Security. New Haven: Yale University Press, 2011. 7. Allen, Anita L. Unpopular Privacy: What Must We Hide? New York: Oxford University Press, 2011. 8. Goldman, Eric. "Children's Privacy Online: Lessons from the FTC's COPPA Enforcement." Berkeley Technology Law Journal 38, no. 4 (2023): 1109-1162. 9. Khan, Lina M. Prepared remarks, FTC PrivacyCon, July 2023. 10. Khan, Salman. Brave New Words. New York: Viking, 2024. 11. Luckin, Rose. Machine Learning and Human Intelligence. London: UCL IOE Press, 2018. 12. Reich, Justin. Failure to Disrupt. Cambridge, MA: Harvard University Press, 2020.