On the surface, websites built for children seem innocent, as most of them offer innocent looking games, learning tools, bright colors, cartoon mascots and kids-friendly apps. But behind that cute interface, a different picture emerges: one of surveillance, exploitation, and regulatory neglect. A recent investigation into more than 2,000 children’s websites shows a disturbing trend: nearly all of them engage in hidden tracking, while a significant number serve behaviorally targeted ads, some of which promote content ranging from mental health quick-fixes to sexually suggestive services.
The research, led by a team of privacy and cybersecurity specialists, did not rely on third-party lists or assumptions. Instead, the team built a custom classifier to detect websites that genuinely target children based on metadata scraped from over two million pages. Once the catalog was built, these sites were crawled using advanced tools across five global regions and multiple devices. The result is one of the most comprehensive audits of child-facing online spaces to date—and what it found raises urgent questions.
Roughly 90% of the surveyed sites were found to embed third-party trackers—scripts and cookies that silently log user behavior, device data, and browsing habits. Around 27% of the sites displayed ads that had been personalized using behavioral data, a practice that—by law in several jurisdictions—should require explicit parental consent. Yet no such mechanisms were in place.
Even more alarming were the types of ads uncovered. Using machine learning and computer vision, the team scanned tens of thousands of ad images and links. Among them were promotions for dating services, weight loss programs, and even sex toy vendors. Some ads used suggestive or disturbing imagery, including semi-nude figures or emotionally manipulative text meant to prompt clicks. These ads were not buried in obscure corners of the internet—they appeared on sites offering educational worksheets, coloring pages, or math games for elementary-aged children.
Legally, this content lives on dangerous ground. In the United States, the Children’s Online Privacy Protection Act (COPPA) prohibits data collection from users under 13 without verified parental permission. In the European Union, the GDPR and upcoming Digital Services Act go even further—prohibiting behavioral targeting to minors altogether. Yet enforcement is inconsistent, and as this study shows, many child-focused websites either ignore the rules or work with ad networks that do.
The crawler built for this investigation didn’t just record what children might see—it simulated interaction with consent banners, captured visual recordings, and scraped ad disclosures to determine which ads were explicitly marked as personalized. More than 70% of those with disclosure pages admitted to using behavioral targeting.
One particularly grim discovery: even when sites claim to be COPPA-compliant, many embed tracking scripts before a user even interacts with the page. In essence, they violate privacy laws from the moment a child lands on the site. Worse still, trackers often link back to major ad networks and data brokers known for assembling detailed user profiles—profiles that, in this case, may belong to children who cannot legally consent.
The implications of this research are wide-reaching. It demonstrates not just a technical vulnerability in the children’s web, but a policy failure. Despite laws on the books, enforcement remains lax, and advertisers continue to reach young audiences with material deemed harmful by their own industry standards. Until regulators apply meaningful oversight—and developers of children’s platforms assume real responsibility—these sites will remain a weak point in the digital privacy landscape, wide open to exploitation.
Image: DIW-Aigen
Read next: Google Search Impressions Up 49%, Clicks Down 30% as AI Overviews Favor Depth, Bury Top-Ranked Sites
The research, led by a team of privacy and cybersecurity specialists, did not rely on third-party lists or assumptions. Instead, the team built a custom classifier to detect websites that genuinely target children based on metadata scraped from over two million pages. Once the catalog was built, these sites were crawled using advanced tools across five global regions and multiple devices. The result is one of the most comprehensive audits of child-facing online spaces to date—and what it found raises urgent questions.
Roughly 90% of the surveyed sites were found to embed third-party trackers—scripts and cookies that silently log user behavior, device data, and browsing habits. Around 27% of the sites displayed ads that had been personalized using behavioral data, a practice that—by law in several jurisdictions—should require explicit parental consent. Yet no such mechanisms were in place.
Even more alarming were the types of ads uncovered. Using machine learning and computer vision, the team scanned tens of thousands of ad images and links. Among them were promotions for dating services, weight loss programs, and even sex toy vendors. Some ads used suggestive or disturbing imagery, including semi-nude figures or emotionally manipulative text meant to prompt clicks. These ads were not buried in obscure corners of the internet—they appeared on sites offering educational worksheets, coloring pages, or math games for elementary-aged children.
Legally, this content lives on dangerous ground. In the United States, the Children’s Online Privacy Protection Act (COPPA) prohibits data collection from users under 13 without verified parental permission. In the European Union, the GDPR and upcoming Digital Services Act go even further—prohibiting behavioral targeting to minors altogether. Yet enforcement is inconsistent, and as this study shows, many child-focused websites either ignore the rules or work with ad networks that do.
The crawler built for this investigation didn’t just record what children might see—it simulated interaction with consent banners, captured visual recordings, and scraped ad disclosures to determine which ads were explicitly marked as personalized. More than 70% of those with disclosure pages admitted to using behavioral targeting.
One particularly grim discovery: even when sites claim to be COPPA-compliant, many embed tracking scripts before a user even interacts with the page. In essence, they violate privacy laws from the moment a child lands on the site. Worse still, trackers often link back to major ad networks and data brokers known for assembling detailed user profiles—profiles that, in this case, may belong to children who cannot legally consent.
The implications of this research are wide-reaching. It demonstrates not just a technical vulnerability in the children’s web, but a policy failure. Despite laws on the books, enforcement remains lax, and advertisers continue to reach young audiences with material deemed harmful by their own industry standards. Until regulators apply meaningful oversight—and developers of children’s platforms assume real responsibility—these sites will remain a weak point in the digital privacy landscape, wide open to exploitation.
Image: DIW-Aigen
Read next: Google Search Impressions Up 49%, Clicks Down 30% as AI Overviews Favor Depth, Bury Top-Ranked Sites
