Children's online privacy faces a paradox that existing legal frameworks struggle to resolve. The regulatory architecture—COPPA in the US, GDPR's age provisions in the EU, and national data protection laws worldwide—places responsibility for children's privacy primarily on parents and guardians. Parents must consent to data collection, parents must manage privacy settings, parents must determine what information about their children enters the digital sphere.
But parents are also, increasingly, the primary source of children's digital exposure. The phenomenon of "sharenting"—parents sharing photos, videos, and personal information about their children on social media—creates digital footprints that children never consented to, cannot control, and may regret when they become adults. Before a child is old enough to create their own social media account, their parent may have posted hundreds of images, developmental milestones, medical information, and behavioral observations to an audience of friends, followers, and the platform's data infrastructure.
Comparative Frameworks
Tahir and Lestari (2025) conduct a comparative analysis of child privacy protection frameworks in Indonesia, Europe, and the US. The protection of children's digital privacy has become an increasingly critical issue as children are more connected to the internet than ever before.
The comparative analysis reveals significant variation in approach:
- US (COPPA): Focuses on commercial data collection. Requires verifiable parental consent before collecting data from children under 13. Does not address sharenting or parental data sharing about children.
- EU (GDPR): Provides broader protection. Sets the age of digital consent at 16 (with member state flexibility down to 13). Establishes the right to be forgotten, which could theoretically be invoked by adults against their parents' earlier posts. But enforcement against family sharing is effectively absent.
- Indonesia: Has enacted a Personal Data Protection Law (2022) but specific provisions for children's digital privacy are underdeveloped compared to the US and EU frameworks.
The Sharenting Problem
Jamaluddin, Taher, and Rujhan (2025) explore sharenting within the Malaysian context. As social media becomes deeply embedded in daily life, sharenting serves as a common means for parents to document and share their children's lives. But the practice raises questions about whether parents' right to share conflicts with children's right to privacy.
The sharenting problem exposes a conceptual gap in privacy law: privacy frameworks assume that the person whose data is at risk can exercise (or delegate) control over that data. Children cannot exercise control, and the delegation to parents creates a conflict of interest when the parent is both the protector and the sharer. A parent who posts a child's photo to Instagram simultaneously acts as privacy guardian (legally responsible for the child's data) and data controller (choosing to expose the child's data to a platform and its audience).
Children's Rights Perspective
Verma and Mishra (2024) examine the conflict between children's rights to privacy and parents' freedom to share online. The digital age has transformed children's lives, raising new challenges for their privacy and data protection.
The paper reviews global frameworks including the UN Convention on the Rights of the Child (UNCRC), which establishes children's right to privacy (Article 16) independently of parental authority. The UNCRC framework suggests that children's privacy is a right they hold in their own name, not merely a right that parents exercise on their behalf. This creates a tension with sharenting: a parent who shares a child's information without the child's capacity to consent may be violating the child's rights as defined by international law—even if no national law prohibits the specific act.
Parental Digital Literacy
Abreu, Viegas, and Santin (2025) evaluate parental readiness to manage children's privacy across social media platforms. Current legislation places the responsibility for managing children's privacy on parents and guardians, assuming they possess the necessary knowledge to make informed decisions.
The study challenges this assumption: many parents lack the technical knowledge to configure privacy settings, understand platform data practices, or evaluate the long-term implications of sharing children's information online. The gap between legislative assumption (informed, competent parents) and empirical reality (parents with limited digital privacy literacy) means that the legal framework's protective mechanism is weaker than its design intends.
Claims and Evidence
<| Claim | Evidence | Verdict |
|---|---|---|
| Existing frameworks adequately protect children's online privacy | Tahir & Lestari (2025): significant gaps across all three jurisdictions | ❌ Refuted |
| Parents are reliable protectors of children's digital privacy | Jamaluddin et al. (2025), Abreu et al. (2025): sharenting and literacy gaps undermine this assumption | ❌ Refuted |
| Children have independent privacy rights under international law | Verma & Mishra (2024): UNCRC Article 16 establishes children's privacy as an independent right | ✅ Supported |
| Parents possess adequate digital literacy to manage children's privacy | Abreu et al. (2025): significant knowledge gaps identified | ❌ Refuted |
Open Questions
Implications
Children's online privacy requires a framework that recognizes children as rights-holders, not merely as objects of parental protection. This means: legal provisions that address sharenting alongside commercial data collection, platform design features that protect children's data by default, parental digital literacy programs that build capacity for informed consent, and—eventually—mechanisms through which young people can exercise control over their own digital identities as they develop the capacity to do so.