Indeed. My focus is on protecting families, small children and small children are primarily using tablets and phones. It's not perfect but it is a valid starting point. Grabbing everyone's PII and leaking it is a non starter. We can knock down the other goal posts once we fix this piece.

Another option of course is to force all these companies and their age/ID vendors to be under something much stricter than PCI DSS and Fedramp for their entire data-centers as a starting point if we must allow storing PII data of children and their parents.