This piece is not about whether you should have posted. You did, or your sister-in-law did, or the nursery did in its newsletter, and the file is now sitting on three CDNs. The question is what to clean up, in what order, and how soon.
The five items below are ranked by the harm they enable. We are looking at the data points that compound — the ones that get stitched together by people and machines into a profile your child inherits at eighteen.
1. The school-uniform photo with location on
This is the cheapest, fastest fix and almost everyone gets it wrong. A photo of a child in branded uniform, posted from a phone with location services enabled, gives a stranger two of the three things they need: the school, and a daily ten-metre window where the child will stand alone for the next decade.
Delete the original and re-upload a cropped version that removes the crest. iPhone Photos lets you strip location under Adjust. Instagram and Facebook remove EXIF on upload but keep your manually-tagged location — that is the part to remove.
2. Full name plus date of birth in a birthday post
This is the single most expensive item on the list, and it looks exactly like every other birthday post on every grandparent's feed. Happy 7th to our Eleanor Margaret Williams — 14 May 2019. That is a complete identity primitive. It is the literal raw material a synthetic-identity ring needs to open a credit file in your child's name the week after their eighteenth birthday.
The 2025 Javelin Strategy & Research report put US child-identity fraud losses at $1.0 billion in the prior year, with the median case opened against a victim aged between 8 and 17. The data was harvested years earlier from exactly these posts, then aged in a drawer until the credit bureaus would accept an application.
A complete name and a complete date of birth is not a memory you are sharing. It is a credit application you are leaving on the kitchen counter for fourteen years.
The fix is unglamorous: edit the post, remove the surname, remove the year. Keep the cake.
3. Shared-name oversharing — the "Junior" problem
If your child carries your name — James Whitfield Jr., Anna Maria Costa II — their data footprint is welded to yours by every broker that does fuzzy matching, which is all of them. Your Spokeo entry pulls them in. Your BeenVerified address history names them as a relative. Your LinkedIn becomes a corroborating source for their pre-teen profile.
You cannot detach the name, but you can starve the link. Cleaning your own broker exposure cuts off the relational scaffold brokers use to assemble a child profile by inference. This is the rare case where deleting your data is the most useful thing you can do for theirs.
4. NHS numbers, school addresses and club memberships in WhatsApp groups
The most dangerous data exposure for British children in 2026 is not Instagram. It is the class-parents WhatsApp group, the Beavers group, the after-school football group, the SEN-support group. These threads routinely contain NHS numbers shared for trip consent forms, full home addresses for lift-shares, medication notes, and dietary requirements with the child's full name attached.
WhatsApp messages are encrypted in transit, but the recipients are not. Every one of those messages is one screenshot away from a parent's unlocked Google Photos backup, which is one credential-stuffing breach away from the open web. The 2024 ICO reprimand against a Greater Manchester academy trust hinged on exactly this pattern: pupil medical data leaked via a parent's personal cloud after a staff WhatsApp screenshot.
Treat group chats as publishable. If you would not put it on a noticeboard at the school gate, do not put it in the chat.
5. Children's apps signed up with your email
This is the slow leak. The maths-revision app, the reading-streaks app, the Roblox account, the Duolingo for Kids profile — most were created with a parent's email, a child's first name, and an age. That triplet, plus the device advertising identifier, is enough for a marketing network to build a longitudinal profile keyed to the household.
In April 2024 the ICO issued an enforcement notice against the platform behind a popular children's gaming SDK for sharing children's data with adtech partners in breach of the Age-Appropriate Design Code — the regulator's audit found that more than half of the children's apps it reviewed were transmitting personal data to third-party marketing networks without a lawful basis. Audit the App Store and Google Play purchase history for the parent email, revoke unused accounts, and switch remaining ones to a child-specific Apple ID or Google Family account under thirteen, which forces the parental-consent flow the law actually requires.
What to do once, and then forget
The five items above can be cleaned up in a Sunday afternoon. The harder part is the residue — the copies the brokers have already ingested, scraped, syndicated and resold. That is the part that does not get fixed by editing the original post.
This is the work we do. The Nox Æterna Family tier covers up to four people in one household for £249 (\$299), and for under-13s we run the parental-consent flow required by the UK Age-Appropriate Design Code and US COPPA before any broker request is sent. One payment. One household. Your data, gone.
Your child will be on the internet for another eighty years. Reducing the foundation now is the only intervention that compounds in their favour.
You will not get the photos back from the people who saved them. You can get the data points back from the people who sold them.