Privacy by Design as a Constitutive Principle in the Architecture of Family Digital Platforms: Models of Data Minimization, Access Differentiation, and Fiduciary Responsibility
Mykola Nesvietaiev, Business owner, CreationJoy Art LLC, Brooklyn, New York
Abstract
This study is aimed at the theoretical conceptualization and engineering-methodological substantiation of Privacy by Design as a foundational architectural imperative in the development of digital platforms oriented toward children and family-centered usage scenarios. Against the backdrop of an accelerating escalation of cyber risks in both educational environments and the domestic sphere, where in the second quarter of 2025 the average number of attacks per organization reached 4,388 per week, the limitations of reactive and predominantly perimeter-based approaches to data protection become increasingly evident. The analysis focuses on current models of data minimization and localization implemented through federated learning and on-device computing, as well as on mechanisms of attribute-based access control (ABAC) modified to account for family hierarchy and the distribution of roles within the household. In addition, the article examines the concept of the fiduciary responsibility of technology companies as a normative and ethical superstructure that demands not mere formal compliance, but the prioritization of the child’s interests within a logic of loyalty and the prevention of conflicts of interest. As a final result, a multi-level architectural model, the Family-Centric Privacy Framework (FCPF), is proposed, integrating technical privacy guarantees with ethical and legal obligations embedded throughout the product life cycle. The theoretical conclusions and architectural solutions are grounded in an analysis of recent shifts in international regulation (COPPA 2.0, GDPR, DSA) and in the findings of empirical studies published in recent years.
Keywords
Privacy by Design, data minimization, access differentiation, fiduciary responsibility, digital platforms for children, ABAC, information fiduciaries, family cybersecurity
Copyright License
Copyright (c) 2026 Mykola Nesvietaiev

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Copyright and Ethics:
- Authors are responsible for obtaining permission to use any copyrighted materials included in their manuscript.
- Authors are also responsible for ensuring that their research was conducted in an ethical manner and in compliance with institutional and national guidelines for the care and use of animals or human subjects.
- By submitting a manuscript to International Journal of Computer Science & Information System (IJCSIS), authors agree to transfer copyright to the journal if the manuscript is accepted for publication.