Children's data harvested on vast scale as global watchdogs find age checks routinely bypassed

The digital surveillance of children has grown substantially more invasive over the past decade, according to a sweeping international investigation that found the majority of websites and apps used by young people collect personal information on a scale that regulators say is unjustified, poorly disclosed and inadequately protected.

The findings come from a global "privacy sweep" conducted by the Global Privacy Enforcement Network (GPEN), a coalition of 27 national data protection authorities that jointly audited 876 websites and mobile applications commonly used by children. Co-ordinated by the UK's Information Commissioner's Office, the Office of the Privacy Commissioner of Canada, and the Office of the Data Protection Authority of Guernsey, the exercise represents one of the most extensive examinations of children's data practices ever undertaken.

Investigators examined how services collect personal information from younger users, how that collection is explained in privacy notices, whether age-verification mechanisms offer any meaningful barrier, and to what extent data harvesting is curtailed for minors. The full report, published in March 2026, found cause for concern on each count.

"The headline findings are striking — 41% of swept services were assessed as not suitable for children." — Brent Homan, Data Protection Commissioner, Guernsey

Compared with a similar GPEN sweep conducted in 2015, the 2025 audit found a measurable increase in the collection of certain categories of personal information, suggesting that rather than responding to growing public concern about children's privacy, many technology companies have intensified their data practices. Geolocation and persistent identifiers — data points that enable fine-grained profiling — are now more routinely bound to core functionality than they were a decade ago.

Perhaps the starkest finding concerns the ease with which age restrictions can be circumvented. Around 72 per cent of age-verification mechanisms were found to be easily bypassed, most commonly because they rely upon users self-declaring their own age with no further verification. A child who enters a false date of birth is, in most cases, indistinguishable from an adult. Regulators described the prevalence of self-declaration as a fundamental inadequacy, noting that it allows companies to claim compliance with age-related requirements while providing no substantive protection.

The Guernsey Data Protection Authority, which co-ordinated the sweep, noted that 41 per cent of services were assessed as not suitable for children at all. A further 36 per cent gave children no clear or accessible means of deleting their accounts, with deletion options commonly buried inside multiple menus, redirected to lengthy help pages, or requiring contact with customer support — processes described by investigators as "laborious" and "practically impossible for children". 

The investigation also drew attention to the purposes for which children's data are deployed. In many cases, email addresses, usernames and location data are used for personalisation, targeted advertising and analytics, with limited child-specific safeguards or anonymisation applied. Children were frequently not clearly informed about targeted-advertising practices — a finding that reinforces longstanding regulatory concerns about opaque data-processing models that monetise young audiences while obscuring that fact from them and their families. 

The sweep arrives at a moment of intense policy debate in Britain and across Europe about whether existing protections for children online are sufficient. In the United Kingdom, the ICO has made children's privacy a central enforcement priority, opening investigations into TikTok, Reddit and Imgur over the past year, while Ofcom is implementing mandatory child safety duties under the Online Safety Act. In the European Union, the Digital Services Act prohibits targeted advertising to minors and demands greater transparency, yet regulators across the bloc are still navigating enforcement.

The Isle of Man Information Commissioner's Office, one of the participating authorities, noted that six out of eight local services reviewed had high-risk design features such as complex privacy language, public-by-default settings, and geolocation enabled by default. The pattern closely tracks the global picture. Young people are almost universally online across the developed world, making the intensification of data collection from this group especially concerning from a rights and safety perspective.

The Global Privacy Enforcement Network has not named specific services or platforms in the published report, but the findings are expected to inform enforcement action by participating authorities, several of which have signalled that compliance investigations in the children's applications sector will be a priority for the remainder of 2026.

---

Image: Wikimedia Commons
Across the services examined — encompassing both dedicated children's platforms and general services that minors are known to use — 59 per cent required an email address to access full functionality, even for the youngest users. Half demanded a username, while 46 per cent collected geolocation data, typically tied to features such as search results, content recommendations or in-application purchases. The breadth of this data capture, investigators noted, is rarely justified by the basic services being offered.