Kids' Surveillance Self-Defense: A Parent's Guide
This article is for general information only and is not financial advice.
A child born today will have roughly 72,000 photos posted online before their eighteenth birthday, according to research by Nominet. That is only the visible layer. The invisible layer — data collected by apps, games, school platforms, smart toys, and connected devices — is far larger. By adolescence, hundreds of companies may hold profiles that include a child's location history, behavioral patterns, academic performance, health indicators, and social relationships.
This data does not expire, and the commercial incentives that drove its collection persist long after a child grows up. Teaching kids surveillance self-defense — the practical habits and mental models that limit data exposure — is one of the most durable protections a parent can provide. This guide covers what gets collected, what the law actually protects, how to have age-appropriate conversations without spreading fear, and the specific settings that make a real difference.
Key takeaways
- Children are tracked simultaneously through apps, school platforms, and smart toys — most of it invisible and permanent.
- COPPA and state laws like California's Age-Appropriate Design Code give parents real rights to deletion and opt-out, but coverage has large gaps.
- Privacy conversations should scale with age: rules for young kids, "data as currency" for tweens, autonomy and judgment for teens.
- Device-level controls, DNS filtering, and identity hygiene matter more than any single parental-control app.
How Children Are Tracked Online
Children are tracked through several channels at once. Apps built for kids — games, educational tools, social platforms — collect device identifiers, usage patterns, and behavioral data. Many embed third-party advertising SDKs that build persistent tracking profiles across apps. A study by researchers at ICSI Berkeley found that 72% of children's apps on Google Play sent data to third-party trackers, and nearly 60% sent data to Google. Many of those apps were rated as safe for children and categorized as educational.
School platforms are a second major collection point. Tools like Google Workspace for Education and Microsoft 365 Education gather detailed behavioral and academic data as a condition of participation. When schools hold that data it falls under FERPA, but the same data held directly by a vendor can slip into regulatory gaps. Ed-tech surveillance expanded sharply during remote learning and never fully retracted: proctoring software, engagement analytics, and behavioral monitoring remain active in many districts. This is the same pattern of quiet, permission-based collection covered in our look at how modern apps are spying on you.
Smart toys and connected devices are a third category. Voice assistants in children's products, toys with microphones and cameras, and fitness trackers capture audio, video, and location data inside the home. The FTC has brought enforcement actions against toys that recorded children's audio without clear disclosure, but the category grows faster than the rules. The general principle: any device with a microphone, camera, or internet connection in a child's environment is a potential collection point.
Legal Protections and Their Limits
COPPA — the Children's Online Privacy Protection Act — bars collecting personal data from children under 13 without verifiable parental consent. In practice, coverage has gaps. It applies to operators who knowingly collect data from under-13 users; platforms that claim not to know a user's age often fall outside its scope. The consent mechanism — a parent clicking a checkbox — does not prevent collection; it provides a legal basis for it. FTC enforcement has produced meaningful penalties, including $170 million against Google's video platform and $5.7 million against TikTok, but it has not structurally changed collection practices.
State laws add protections beyond COPPA. California's Age-Appropriate Design Code, modeled on the UK's, requires platforms to apply high privacy settings by default for users identified as children, restrict profiling, and avoid design patterns that push kids to share more than necessary. Virginia, New York, and other states have enacted similar laws. As a parent, your most actionable rights are: requesting deletion of your child's data, opting out of behavioral advertising, and requesting access to what a platform has collected. Because breach exposure compounds over years, it is worth understanding how these records accumulate — our guide to protecting your identity from data breaches explains why.
Age-Appropriate Privacy Conversations
Young children (ages 5–8). The goal is building basic concepts without generating anxiety. Privacy works best as analogies and rules rather than technical explanation: some information is private (home address, school name, full name, passwords, appearance) and should not be shared with people they don't know in person. Make it concrete: "If someone asks your full name or where you live in a game, that's like a stranger asking in a park — you don't answer, and you tell me." At this age the parent controls all device access, so conversation reinforces rules you can enforce.
Tweens (ages 9–12). Introduce the idea of data as currency. "This app is free because it collects information about how you use it and sells that to advertisers" is something this age can grasp and apply. Discuss digital footprints concretely: anything posted is potentially permanent and shareable beyond its original audience. Practice a pause-and-think habit — "Would you be OK if your teacher, grandparent, or future employer saw this?" This group benefits from configuring privacy settings together rather than having a parent do it invisibly.
Teenagers (ages 13–18). The conversation shifts to autonomy, judgment, and consequences. Teens resist controls framed as parental surveillance, so focus on power and risk: who benefits from the data collected, what algorithmic recommendation does to what they see and believe, and what a compromised footprint costs socially and professionally. Treat teens as capable of the full picture — platform business models, data-broker aggregation, and the difference between security and privacy. The goal is independent judgment, not compliance with rules they will route around.
Parental Controls and Privacy Settings
Device-level controls. iOS Screen Time and Android Family Link provide app filtering, content restrictions, time limits, and location sharing, and both let parents approve downloads before installation. Enable these early — the friction of requesting approval for each app is a natural prompt for the privacy-and-value conversation. Use them transparently; secret monitoring erodes trust and teaches nothing.
Browser and search controls. SafeSearch on Google, Bing, and major video sites blocks explicit content at the search level. Network-level DNS filtering (NextDNS, CleanBrowsing) blocks whole content categories and can't be dodged by switching browsers. A child's browser should use a dedicated profile with extensions disabled and browser-saved passwords off in favor of a password manager. For older children learning to browse independently, a privacy-respecting browser is a sensible default.
Account and identity hygiene. Children should not use real full names as usernames or real faces as profile photos on public platforms. Separate email aliases for gaming and social accounts limit aggregation, and a password manager such as Bitwarden (which has a free family plan) teaches good credential habits before bad ones form. When a platform requires an account, consider a family account managed by a parent instead of extending full adult features to a minor. For private conversations, steer older kids toward encrypted messaging apps rather than default SMS. If you want to recognize the broader signals of monitoring, our piece on signs you're being watched is a useful companion read.
FAQ
At what age should I start teaching kids about online privacy?
Age 5–6 is right for the first basic concepts: what information is private (name, address, school, appearance), that some people online are not who they claim to be, and that they should tell a parent about anything confusing or uncomfortable. Earlier than that, the parent controls all device interaction and there is nothing to teach. Waiting past age 8 risks normalizing unsupervised sharing before the child has any framework. Think of it like traffic safety — you teach the rules before the child meets the hazard alone.
Are parental control apps actually effective?
In two ways. Technically, for younger children who can't circumvent them, they genuinely limit access and exposure. Educationally, for all ages, setting them up together and explaining each setting is more valuable than the control itself. Controls become less effective as kids grow — a motivated 14-year-old can bypass most via mobile data, a friend's device, or a VPN — so the goal should shift from restriction to judgment by age 12–13. What survives adolescence: network-level DNS filtering, account management requiring approval for installs, and the habits built in earlier years.
What should I do if my child has already overshared personal information?
Don't panic or punish — a child who fears punishment will stop telling you about mistakes. Assess what was shared and with whom. If it includes home address, school name, or a real full name on a public platform, edit or delete the posts and use the COPPA-based deletion process (for under-13s, platforms must honor parental deletion requests). If photos went to unknown individuals, report to the platform and, for serious concerns, to the NCMEC CyberTipline. Then use it as a teaching moment about what to share and with whom.
Should I monitor my teenager's messages?
Covert monitoring of a teen's private messages usually costs more trust than it buys in safety, and most teens can detect and route around it. A better approach is transparency about what you do and don't monitor, paired with clear agreements. Reserve active monitoring for concrete safety concerns rather than routine surveillance, and prioritize building the judgment your teen will need in the many situations you cannot see.
Sources
- FTC — Complying with COPPA: Frequently Asked Questions: authoritative guide to COPPA requirements, coverage, and consent.
- ICSI Berkeley — Analyzing third-party tracking in children's apps: study finding 72% of children's Google Play apps send data to third-party trackers.
- EPIC Student Privacy Project: overview of FERPA and COPPA in educational contexts and ed-tech surveillance concerns.
- NCMEC CyberTipline: national reporting mechanism for online exploitation of children.