Children are building permanent digital profiles before they are old enough to understand what that means.

Every interaction – what they watch, search, click, and share – is captured, analysed, and retained. Over time, this creates behavioural profiles that can influence opportunities, shape experiences, and follow them well into adulthood.

The risk isn’t just the volume of data. It’s the long-term consequences of data generated at a stage where individuals have little awareness and no real control.

This is why regulators are moving away from treating children’s data protection as a question of consent.

Across jurisdictions, the focus is shifting toward how digital services are actually designed and operated – not just what organisations say in their privacy notices.

We are seeing convergence around a set of core expectations:

• privacy by design and by default
• age-appropriate design
• restrictions on behavioural profiling and targeted advertising
• enhanced transparency adapted to children
• risk-based governance, including child-specific DPIAs

Our latest white paper examines how these expectations are developing globally across Europe, North America, Latin America, the Middle East, and Asia-Pacific – and what this means in practice for organisations designing and operating digital services.

Children’s data protection is becoming the testing ground for broader platform accountability. What applies here today will not remain limited to children.

The question is whether organisations are building products that reflect this, or relying on compliance models that no longer hold.