From TikTok to gaming apps, our children are growing up in an environment where personal data is the currency, and they’re the product.

While social media and gaming platforms offer fun and connection, they often rely on data-driven models that quietly collect information ranging from names and ages to browsing habits and biometric data. For businesses, this presents a double-edged sword: an opportunity to innovate responsibly, or a reputational and legal risk if we get it wrong.

In the UK, we’ve already seen regulatory action. TikTok was fined £12.7 million in 2023 for misusing children’s data. Now, further investigations into platforms like Reddit and Imgur are underway. This scrutiny is not just about breaches of trust, it’s about the law. The UK’s GDPR and the Online Safety Act 2023 place a firm legal obligation on organisations to protect young users, not just through policies, but through meaningful action.

Catarina Santos is a Data Protection Expert for the Data Protection People

Under GDPR, any company processing children’s data must obtain verifiable parental consent for users under 13, minimise data collection, and use clear, age-appropriate language in privacy notices.

The Online Safety Act goes further, requiring robust age verification systems and risk assessments to prevent exposure to harmful content. The UK government is considering a social media ban for children under 16.

Chief Medical Officer Chris Whitty has been tasked to assess the potential risks and harms associated with children using social media, which could lead to increasing the digital “age of consent” from 13 to 16. These examples underscore the pressing need for enhanced data protection measures tailored to children’s online activities. In short, compliance is no longer a tick-box exercise, it’s a strategic imperative.

But enforcement alone won’t solve the problem. Many companies still operate in regulatory grey areas, prioritising growth over governance. It’s time for UK businesses, especially those in tech, gaming, and digital media, to lead by example. Embedding privacy-by-design into products, regularly reviewing data practices, and fostering transparency can distinguish responsible organisations in a crowded marketplace.

Parents, too, have a role to play, but the burden shouldn’t fall solely on them.

Most children can’t fully grasp the long-term consequences of digital exposure, and even the most vigilant parent can only do so much. That’s why businesses must step up and champion safety as part of their brand ethos.

This is also a moment of opportunity. Consumers are increasingly privacy-conscious and supportive of ethical business practices. Companies that take child data protection seriously will not only meet regulatory expectations but build lasting trust with customers and communities.

Ultimately, protecting children’s data is about more than avoiding fines, it’s about shaping a safer digital future.

Businesses that understand this and act accordingly will not only comply with the law but also lead the way in creating a responsible, human-centric digital economy.