The Shadow Your Child Casts Online: Data Collection and the Profiling of Childhood

Layla Mansour | March 5, 2026 | 8 min read

In December 2024, a cyberattacker used a stolen employee username and password — no sophisticated exploit, just a stolen credential — to access the systems of PowerSchool, a student information platform used by schools across the United States. By January 2025, more than 62 million student records had been exfiltrated. Names. Addresses. Dates of birth. Social Security numbers. Medical conditions. Disability accommodations. Disciplinary records. The income data embedded in free and reduced lunch applications. For millions of families, this was the first time they learned that their children's most sensitive information existed in a single database, with security no more robust than a single username and password.

The Texas Attorney General, suing PowerSchool in the aftermath, noted one particular detail that should stop any parent cold: the stolen data included bus stop locations. Not just who the children were. Where they could be found.

This breach was catastrophic. It was also not exceptional. It was the visible surface of an infrastructure that most parents have never been shown.

The Data Portrait Built Without Permission

Long before a child logs into a school system — long before they can type their own name — AI systems are building what researchers call a behavioral profile: a detailed, continuously updated portrait of who the child is, what they want, and how they can be influenced.

The data categories involved are far broader than most parents imagine. There is the obvious layer: names, ages, photos. But beneath that sits a far richer stratum of passive behavioral data — every scroll, tap, pause, replay, and skip. When a toddler watches a video on a parent's phone, the platform logs not just which video was watched but how much of it, whether it was rewatched, what the child's attention did at each moment. This is not incidental. It is the product. The behavioral trace a child leaves while watching is more commercially valuable than the content they watched.

Below that sits the inferred layer — and this is where the technology becomes genuinely unsettling. AI systems do not need children to tell them sensitive facts. They derive them. Algorithms trained on aggregate behavioral data can infer emotional states, family income, cognitive development stage, and susceptibility to social influence from the pattern of a child's interactions. A 2025 paper published in ScienceDirect found that social media algorithms "have actionable knowledge about child users and at-risk teens" after as little as one online session. One session. Before a parent has had any opportunity to make a meaningful choice.

Shadow Profiles: The Data That Precedes the Child

The concept of a shadow profile — data collected about a person who has never created an account, never agreed to any terms, never been notified — is one of the most important and least-discussed facts in modern digital life.

For children, shadow profiles are constructed through multiple mechanisms simultaneously.

The first is sharenting — the accumulation of photographs, videos, and personal information shared by parents on social media before children can object. By age five, research estimates that the average child has approximately 1,000 photographs of themselves online. Each image, shared on platforms with facial recognition capabilities, contributes to a biometric record. Each caption — "Yusuf's first day of school!" "Fatima loves pasta!" — is indexed, analyzed, and attached to a profile. A study from Barclays Bank projected that, by 2030, two-thirds of identity fraud cases will trace back to sharenting: children's clean credit histories and Social Security numbers, volunteered by parents before the children could understand what was being given away.

The second mechanism is contact network propagation. Even if a child has never created a social media account, the platforms build shadow profiles from contact lists uploaded by the child's parents, relatives, and friends. When those contacts interact on a platform, behavioral signals — connection to the child, shared location check-ins, mutual tags — propagate to the non-user's profile. The child exists in the platform's model before the child has ever touched the platform.

The third, and least visible, mechanism is the EdTech pipeline. A 2024 study by Internet Safety Labs found that the average educational technology application with trackers transmits children's behavioral data to 6.7 different data broker companies every time a student logs in. These are not educational analytics. These are commercial entities that have no relationship with the child or family and no educational function. They receive data on reading speed, error patterns, time-on-task, and inferential markers about cognitive development — not to improve teaching, but to build commercial profiles.

Enforcement and Its Limits

The federal law governing children's online privacy — COPPA, the Children's Online Privacy Protection Act — was enacted in 1998, five years before MySpace existed. It prohibits the collection of personal information from children under 13 without verifiable parental consent.

Between January 2023 and January 2025, the Federal Trade Commission published six COPPA enforcement actions — six, over two years, against an industry generating billions in annual revenue from children's data.

The most significant was the August 2024 lawsuit against TikTok and ByteDance. The Department of Justice complaint described a company that had built systematic back doors allowing children to bypass age verification by signing up through Google or Instagram credentials, requiring no age entry and no parental consent. TikTok's Kids Mode — marketed to parents as a walled garden — was found to be sharing in-app activity identifiers with third parties to track and retain users. Human reviewers spent, on average, five to seven seconds determining whether an account belonged to a child.

Epic Games, maker of Fortnite, paid $275 million in COPPA penalties in 2023 — the largest in FTC history at the time. The complaint detailed not just illegal data collection but deliberately counterintuitive interface design: buttons configured to charge accounts while children attempted to wake a sleeping game, purchases triggered during loading screens, default voice and text chat enabled between children and adult strangers. Google and YouTube paid $170 million in 2019 for placing targeted advertisements against content they knew was directed at children under 13 — then faced a $30 million class action settlement in 2025 for conduct that continued long after the first penalty.

These are not edge cases. They are the documented behavior of the companies that children use most.

What Saudi Families Should Know

The Personal Data Protection Law that took effect in Saudi Arabia in 2023 defines children as those under thirteen — the same threshold as COPPA — and requires parental or guardian consent for the processing of their data. Controllers handling the data of vulnerable individuals, including minors, must register in the National Register maintained by the Saudi Data and Artificial Intelligence Authority (SDAIA).

The law applies not only to organizations operating within Saudi Arabia but to any entity that processes the data of Saudi residents, including multinational platforms. In principle, this means TikTok, YouTube, Instagram, and every international EdTech provider serving Saudi children fall within its scope.

In practice, the gap between legal framework and enforcement reality is significant. The same gap exists in the United States, the European Union, and the United Kingdom — all of which have stronger enforcement infrastructure than most jurisdictions and still struggle to hold platforms accountable at the scale of their violations. For Saudi parents, the legal framework provides important rights on paper. It should not be mistaken for active protection in practice.

What This Means for Your Family

Shoshana Zuboff, the Harvard Business School professor whose research on surveillance capitalism remains the most rigorous analysis of this industry, draws a comparison to child labor. Society mobilized to protect children from dangerous factory conditions, she argues, because we recognized that "we need children to be healthy, to be educated, to grow." The question she poses — and that parents are now living inside — is whether that same mobilization will come for children's data before the compounding effects of early surveillance become irreversible.

The data portrait being assembled about your child right now will not be deleted. It will be held, refined, traded, and used. By the time your child applies for a job, seeks a loan, or encounters a political advertisement in twenty years, the behavioral record that began when they were a toddler will have informed thousands of algorithmic decisions about how they are categorized, what they are shown, and how they are understood by systems that will never ask for their consent.

What parents can do — and we will return to this in Part 9 of this series — is not pretend the infrastructure does not exist, but become deliberate about what they feed into it. The shadow profile cannot be prevented. It can be shaped.

In the next piece, we move from the static question of what data is collected to the dynamic one: what does the algorithm do with it? The answer turns out to involve something closer to knowing your child than you might expect — and in ways that create risks far beyond advertising.


This is Part 2 of "Raising Children in the Age of Intelligent Machines," a 10-part series from PeopleSafetyLab on the intersection of AI and family safety.

Layla Mansour

Science and policy writer covering artificial intelligence, digital rights, and child safety in the Arab world. Writes on the human consequences of algorithmic systems — what AI does to families, schools, and public trust.
