What has changed¶
Children have always been marketed to. What is new is that the marketing now runs on a detailed, individual, and durable record of each child, and that the systems built to protect children often add to that record rather than shrink it.
Profiling arrived before the rules did¶
For most of the past two decades, services aimed at or used by children collected data on much the same terms as services for adults, with a consent notice a child could not meaningfully give and a parent rarely read. Regulation has been catching up, unevenly.
In the UK, the Age Appropriate Design Code, usually called the Children’s Code, has been enforced by the Information Commissioner’s Office since September 2021. It is a statutory code under the Data Protection Act 2018, and it expects any online service a child under eighteen is likely to use to default to high privacy, to switch off profiling and location tracking unless there is a good reason, and to collect the minimum. Under the UK GDPR a child can consent to their own data being processed from the age of thirteen; below that a parent consents for them. The EU sets the same default higher, at sixteen, and lets member states lower it to thirteen, so the age varies across Europe.
These rules have changed how the better services behave. They have not ended profiling, and they apply patchily to the games, apps, and platforms that sit outside their reach or ignore them.
The age-assurance turn, and its cost¶
The newer pressure is age assurance: proving how old a user is. The UK’s Online Safety Act 2023 brought this to the fore, and Ofcom’s Protection of Children Codes came into force in July 2025, requiring services likely to be accessed by children to check ages and moderate content that is harmful to them.
The aim is protective. The privacy cost sits inside it. Checking an age reliably usually means collecting more identity data, not less: a face scan, an identity document, a payment card. A measure introduced to keep children away from harmful content can end up attaching a verified identity to a child’s browsing, which is its own exposure. This is the pattern to watch across children’s safety policy: the protective measure and the surveillance measure are frequently the same measure.
New collectors, wider reach¶
Three shifts have widened the surface since the rules were written.
Education moved online, and with it a layer of monitoring. Learning platforms, school-issued devices, and classroom-management and safety software now observe a great deal of what a child does, sometimes including content scanning and flagging, often supplied by firms whose business is data.
Connected toys and devices reached into the home and the nursery, with microphones, cameras, and cloud accounts attached to products used by very young children.
And generative systems changed what a leaked image or a scrap of a child’s data can be turned into, from synthetic media to more convincing approaches by people seeking contact.
None of this is a reason for alarm on its own. Together it means the question of what is known about a child, by whom, and for how long, is a live one in a way it was not a decade ago.
Last reviewed: 2026-07-08.