#NSBCS.121 - Growing Up Tracked: Protecting Minors' Privacy in Apps, Games and Online Services


The latest evidence should put to rest the idea that minors' online privacy is a niche issue. The 2025 GPEN sweep, which included the OAIC and 26 other privacy regulators, examined almost 900 websites and apps used by minors and found a clear shift towards greater data collection as the price of participation. To access full functionality, 59% required an email address, 50% required a username and 46% required geolocation. At the same time, 85% of services with privacy policies indicated they may share personal information with third parties. This is not just a privacy problem in the abstract. It is a child safety problem, because the more information a service collects, the more opportunities it creates for profiling, tracking, monetisation and unwanted contact.

The GPEN findings are especially troubling because safeguards are not keeping pace with the data appetite. 71% of the reviewed services did not have privacy communications tailored to minors, and regulators said they would not feel comfortable with minors using 41% of the websites and apps they assessed. Even where age checks were in place, they were often weak, relying on self-declared ages or controls that minors could easily bypass. This was particularly concerning on services featuring inappropriate content or higher-risk functions, such as profiling, default geolocation settings, and prompts that encourage minors to disclose more personal information.

That risk is heightened in online gaming, where platforms no longer serve entertainment purposes alone. They are social environments, communication channels and, increasingly, identity spaces for minors. eSafety's 2026 research found that 86% of minors aged 10 to 15 had played online video games, and many online harms were experienced not only on social media but also on communication and gaming platforms. In that same research set, 14% of minors aged 10 to 15 reported grooming-type behaviour online. This week, eSafety escalated its focus by issuing legally enforceable transparency notices to Roblox, Minecraft, Fortnite, and Steam, citing concerns that gaming platforms are being used to facilitate harmful and dangerous behaviours towards minors.

This points to a uniform conclusion: it is everyone's responsibility to protect the safety and privacy of minors online. Australia's Minors' Online Privacy Code is intended to enforce that balance. The OAIC says the Code must be finalised and registered by 10 December 2026, and that it will apply to many online services likely to be accessed by minors, including apps, games and websites. The current exposure draft signals the direction of travel, requiring online services to take reasonable steps to ascertain age, collect only the personal information strictly necessary by default, handle minors' data consistently with the child's best interests, and use age-appropriate notices. The exposure draft also proposes that minors under 15 generally cannot consent to the collection, use or disclosure of their personal information, with parental responsibility applying instead below that threshold. Those details are not final yet, but the policy message is already clear: child users should not be expected to navigate adult-grade privacy risks on their own.

For parents and carers, the most practical response is to move from passive awareness to active configuration. Set up accounts together and choose usernames and profile pictures that do not reveal a child's real name, date of birth, school, phone number, address or identifiable photo. Turn on parental controls across every device your child uses, including phones, tablets, laptops, consoles and smart TVs, and review those settings regularly rather than treating them as a one-off exercise. In games, restrict communication for younger minors, or at minimum limit it to known friends; turn off private messaging, gift-giving and content-sharing where possible; and keep public chat off unless there is direct supervision.

Equally important, parents should pay close attention to the settings that subtly increase a child's exposure, not just the ones that appear obviously risky. Check whether location sharing is enabled, whether profiles are public, whether friend requests are open to anyone, whether the microphone and camera are available by default, and whether saved payment methods or in-game purchases are switched on. The OAIC's recent age assurance guidance is useful here beyond the age-check context, as it reinforces necessity, proportionality, privacy by design, clear consent for sensitive information, and strong vendor controls. The same principle applies to parents and carers: only enable what is genuinely needed, and disable everything else.

A useful script for parents and carers is to ask five questions regularly:

  • What does this app or game know about you?

  • Who can talk to you there?

  • What would you do if someone asked you to move to another platform?

  • What would you do if someone offered you gifts or asked for a secret?

  • And who would you tell first if something online felt wrong?

eSafety's guidance is consistent on this point: minors are more likely to seek help when adults stay calm, explain settings openly, and use controls as supports rather than as modes of surveillance.

The other part of the job is conversational, not technical. Minors should know what counts as personal information before they are asked to hand it over. In plain terms, that includes not just name, phone number and address, but also school, date of birth, photos, videos, location and online activity. They should also know the warning signs of unsafe contact in games, including someone trying to become a close friend too quickly, asking for private information, offering gifts, pushing them onto a different platform, asking them to keep secrets, or requesting explicit content. The goal is to equip minors with the knowledge of safe and unsafe online behaviour, and to remind them that they should speak up about any online behaviour that makes them feel unsafe or uncomfortable.

For corporations, meeting privacy obligations to minors should involve more than satisfying minimum legal requirements or relying on consent alone. Services likely to be accessed by minors should default to high privacy, minimise data collection, avoid manipulative design, make deletion and opt-out functions simple, and explain their practices in language minors can understand. They should also stop treating age assurance as a blank cheque for collecting more data: the OAIC has explicitly warned that age checks must be necessary, proportionate and governed properly across the vendor chain.

Educators and schools also have an important role to play in teaching minors about online safety and privacy. eSafety provides classroom resources designed to help students protect personal information and build safer online habits. Where schools run gaming clubs or use games in learning environments, they should use school-managed accounts rather than personal student accounts, ensure current security software is installed, choose age-appropriate games, supervise communication features closely, and keep reporting and referral pathways clear for students, staff and parents. If communication is enabled, it should be restricted and actively supervised.

For the government, the task is to finish the job it has started. The Minors' Online Privacy Code should become an enforceable standard that works in practice, complements eSafety's regime, and places the burden of safer design where it belongs: on the entities collecting and profiting from minors' data. Families still need to stay engaged, but they should not be the only line of defence against systems built to extract attention, information and trust.

The bigger lesson is that protecting minors online is no longer only about blocking content or restricting access. It is about limiting unnecessary data collection, reducing risky contact pathways, designing for privacy by default, and teaching minors that their information has value. In that sense, digital privacy is not separate from child protection. It is rapidly becoming one of its most important foundations.

What we read this week

  • CISA Adds Eight Actively Exploited Vulnerabilities to Known Exploited Vulnerabilities Catalogue - The US Cybersecurity and Infrastructure Security Agency has added eight new vulnerabilities to its Known Exploited Vulnerabilities catalogue, including three critical flaws in Cisco Catalyst SD-WAN Manager. Evidence confirms active exploitation in the wild, prompting urgent federal patching deadlines of 23 April for the Cisco issues and 4 May for the remainder. The additions underscore the accelerating pace of vulnerability exploitation across networking and enterprise platforms. Organisations should immediately inventory affected systems, apply available patches, restrict unnecessary exposure of management interfaces, and integrate KEV catalogue entries into automated vulnerability management workflows to reduce the window of exposure.

  • Vercel Supply-Chain Breach Linked to Compromised Third-Party AI Tool - Web infrastructure provider Vercel has disclosed a breach originating from a compromised Context.ai AI productivity tool used by an employee. Attackers leveraged stolen OAuth tokens with overly permissive Google Workspace access to reach internal systems, exposing limited customer credentials and prompting claims of a $2 million data sale on underground forums. The incident highlights the emerging risks of shadow AI tools and third-party OAuth integrations in development environments. Organisations should enforce strict OAuth scoping policies, monitor third-party application permissions, implement just-in-time access controls, and conduct regular audits of employee-sanctioned tools to prevent similar supply-chain compromises.

  • The Gentlemen Ransomware Group Rises Rapidly with SystemBC Botnet - A newly prominent ransomware-as-a-service operation known as The Gentlemen has claimed hundreds of victims in recent months, leveraging the SystemBC proxy malware to build a botnet of over 1,570 compromised systems since July 2025. Check Point Research analysis of the exposed command-and-control infrastructure reveals the group’s aggressive expansion and integration of proxying techniques for stealthy lateral movement and payload delivery. The operation’s rapid ascent demonstrates the continuing commoditisation of ransomware tooling. Organisations must prioritise behavioural detection for proxy malware indicators, enforce network segmentation, maintain immutable offline backups, and monitor dark-web leak sites for early warning of targeted campaigns.

  • Surge in Bomgar RMM Exploitation Exposes Downstream Supply-Chain Risks - Security researchers have observed a sharp increase in attacks targeting internet-exposed Bomgar remote monitoring and management instances over the past two weeks, resulting in compromise of managed service providers and cascading impacts on dozens of downstream customers. Attackers are using the RMM tools for persistence and further exploitation, with incidents already affecting sectors including healthcare and professional services. The wave illustrates how legitimate remote access solutions can become high-value targets when misconfigured. Organisations should immediately audit and secure RMM deployments, limit public exposure, enable multi-factor authentication on all administrative accounts, and implement continuous monitoring for anomalous RMM activity.

  • Seiko USA Website Defaced with Claims of Customer Data Theft - Threat actors defaced the Seiko USA website over the weekend, replacing content with a ransom demand and alleging theft of Shopify customer database records including names, addresses, and payment details. The incident follows a pattern of opportunistic attacks on e-commerce platforms and serves as a public shaming tactic to pressure the victim. While the full scope remains unconfirmed, the defacement highlights the persistent risk to consumer-facing retail sites. Retail and e-commerce organisations should strengthen web application firewalls, enforce secure coding practices, regularly review third-party payment integrations, and prepare clear incident communication protocols to mitigate reputational damage.
