DOJ complaint (August 2024): TikTok "knowingly permitted children under 13 to create regular TikTok accounts." Internal documents showed TikTok was aware millions of users were under 13. Estimated 17 million US users under 13. "Kids Mode" (Restricted Mode) easily bypassed by entering a false birthdate. FTC found TikTok violated its 2019 consent decree by continuing to collect children's data. Internal TikTok metric tracked time-to-addiction per user.

FTC + NY AG fined Google $170M (2019) for collecting personal information from children without parental consent. YouTube tracked children with persistent identifiers and served targeted behavioral ads. FTC found YouTube knew channels were directed at children but treated them as general audience to maximize ad revenue. Commissioner Rohit Chopra dissented: "$170 million is a fraction of the revenues YouTube earned from the illegal conduct." No executive held personally liable.

The FTC fined Google $170 million in 2019 — the largest COPPA fine in history at the time — for collecting children's personal data through YouTube to target ads without parental consent. Google tracked children across YouTube to build advertising profiles, then served targeted ads to viewers it knew were under 13. YouTube Kids was created as a response, but researchers found the "kid-safe" app still contained inappropriate content and data collection.

Ten Ten auto-plays audio on locked phones without the recipient answering — anyone with your PIN code can blast audio through your phone at any time. Teens share PIN codes on social media, enabling strangers to contact minors. The app had no finalised privacy policy at launch despite collecting names, phone numbers, and IP addresses from a user base that is predominantly children. 21 million downloads. The French government summoned the founders after France's Ministry of Interior flagged harassment and privacy risks. Australia's eSafety Commissioner issued guidance on the app. An app designed for children that lets strangers play audio through a child's phone, launched without a privacy policy.

In November 2015, VTech's Learning Lodge database was breached, exposing personal data of 6.4 million children and 4.9 million parents across 15 countries. The data included children's names, dates of birth, genders, photos, and chat logs between children and parents. The FTC fined VTech $650,000 for violating COPPA. The attacker found VTech used no encryption, stored passwords in MD5, and had SQL injection vulnerabilities.

Teachers award or deduct "behavior points" from children in real time during class. Default categories include "Needs Work" and "Disruptive." Children as young as 5 -- kindergarteners -- are rated on subjective behavioral criteria. Points often displayed on classroom screens: public shaming and praise in front of peers. Sound effects play when points are awarded or deducted, broadcasting behavioral judgments to the entire class. Psychologists warn this is operant conditioning -- Skinner box mechanics applied to kindergarteners.

Microsoft account requirement (2022): all players must link to Microsoft ecosystem. Microsoft Privacy Statement covers Minecraft data: "We collect data about your device and how you and your device interact with Microsoft and our products." Bedrock Edition sends extensive telemetry: session duration, blocks placed/broken, items crafted, biomes visited, mobs killed, death locations, multiplayer interactions. Every creative act in "your world" is logged and transmitted to Microsoft servers. Players who refuse to migrate lose access to the game they purchased.

Google Analytics deployed across khanacademy.org, including pages used by children studying math, reading, and science. Facebook pixel present -- sends data about children's learning behavior to Meta. Google Tag Manager loads additional third-party tracking scripts. These commercial trackers create advertising profiles from children's educational activity. Khan Academy is funded by Google.org ($2M+) and uses Google Cloud Platform -- children's learning data processed on Google infrastructure.