Download the parent PDF — a checklist and ready-made lines for talking to the school, for the fridge or your inbox. Or read on first to understand what’s actually at stake. There’s also a separate one-pager for the institution you can forward to the preschool or school.

A scene every parent of a small kid knows

You open the preschool’s Facebook page. “Family Day with the Teddy Bears!” — a gallery of sixteen photos. Your child in the front row, face in full view. Eighteen likes underneath and comments from people you don’t know. The page is public — anyone can see it, not just the parents in the group.

Most of us react with a smile: “oh, there’s our little one.” And keep scrolling. This piece is about why it’s worth pausing for a second — and what you can actually do if it doesn’t sit right with you.

This isn’t panic or “switch off the internet.” It’s three concrete things the institution probably didn’t think through, and five moves you can make today.

Why a public photo of a child is a problem — three layers

At the start of the year you signed a stack of consent forms. Somewhere in there was “I consent to the use of likeness.” Case closed, it seems. It isn’t.

Under the GDPR, consent to process someone’s image must be specific — it has to state the purpose, the place, and how long the photo will be published. A blanket “I agree to photos” doesn’t cut it. In Poland, the data protection authority (UODO) has ruled against institutions that had a signed consent form, but where it wasn’t broken out specifically for publishing on Facebook — and treated that processing as a GDPR breach (prawo.pl on the UODO position).

A few facts worth knowing — these hold across the EU:

  • Consent can be withdrawn at any time, and under the GDPR it must be as easy to withdraw as it was to give. The institution can’t make it hard.
  • Consent can’t be a condition for a child taking part in classes, a play, or a trip.
  • In Poland, the regulator has held that if one parent objects (and both hold full parental authority), the institution may not publish — one objection blocks it (UODO guidance on children’s images). How this is handled can vary by country.
  • Regulators recommend minimizing publication of children’s photos on social media. And where photos do go up, they should be ones where no individual is recognizable (UODO).

There’s one common exception: if the child is a detail of a whole — a figure in a crowd at an event where no one is singled out — consent generally isn’t required. But the line between “a detail of a whole” and an identifiable child is fuzzy and depends on framing and context. Once the institution frames a face and tags a name, it’s clearly publishing a specific child’s likeness, and the rules above apply.

A note on jurisdiction: the specifics below reference Poland’s regulator (UODO) because that’s where tatai.pl is based. If you’re elsewhere in the EU, the GDPR principles are the same; your national authority’s guidance fills in the local detail.

2. The physical layer: a photo tells people where your child is

This is the part the fewest people think about. A photo isn’t just an image — it’s also metadata. A file from a camera or phone often carries EXIF data: the date, the time, and sometimes the GPS coordinates of where it was taken.

Put it together: the institution’s name on the page, the group name (“Teddy Bears”), timestamps from photos across different days. A stranger assembles a routine from that — where the child is, when, what they look like. Researchers studying sharenting name this directly: exposing a child’s image and location creates risks ranging from identity theft to pinpointing where the child is by people with bad intentions (odo24.pl on safe sharing; research review on sharenting).

Most platforms strip GPS on upload these days — but “most” and “these days” are weak guarantees when it’s a three-year-old.

3. The digital layer: the internet doesn’t forget

A photo posted publicly slips out of your control in seconds. It can be downloaded, copied, indexed by search engines, pulled into training datasets. Your child never got to agree to any of it — and the trail lasts for years, long before they can decide for themselves what they want to show the world.

The scale is striking: research by the agency OPINIUM found parents post roughly 1,300 photos of a typical child before that child turns 13. And only about one parent in four even knows the term “sharenting” — sharing a child’s life online (cyberprofilaktyka.pl on sharenting). The institution adds to that pile, often without a second thought.

What you can do — five parent moves

  1. Check what you actually signed. Ask the institution for a copy of the likeness-consent form. See whether it covers social media publication and whether it states a purpose and a timeframe. If it’s vague, you have grounds to tighten it or withdraw it.
  2. Withdraw or narrow consent in writing. A short email does it: “I withdraw consent to publish my child’s likeness on the institution’s social media. I consent only to photos where the child is not recognizable.” It’s your right, and they must respect it.
  3. Offer a concrete alternative to a public page. Suggest a closed parents-only group, a password-protected gallery, or shots from behind / with blurred faces. Most institutions don’t publish out of malice — no one offered them another way.
  4. Request a specific photo be taken down. If your child is already on a public page with their face showing, you can ask for removal. Point to the post, ask for it down, set a deadline.
  5. Start with yourself. Before you email the school — audit your own profile. How many public photos of your child are there? With geolocation? With the school name in the background? The rule is the same for the institution and for us.

How to talk to the school without a fight

The worst move is to come in swinging the law like a club. The preschool director isn’t your enemy — in 9 cases out of 10, no one laid this out for them, and the photos go up via whoever “handles the Facebook.”

What works:

  • Lead with intent, not the statute. “I know you want to show how great things are with the kids — and that’s lovely. I just have one small request.”
  • Bring a solution, not a problem. A closed group, or photos without recognizable faces. Make it easy for them to say yes.
  • Hand them a ready-made resource. Below is a one-pager for the institution. It’s easier to change a practice when someone gives you a starting point than when you have to invent one.
  • Remember the shared goal. Everyone wants the same thing: a safe child. Privacy isn’t a parent’s whim — it’s part of safety.

Download and print

  • Parent PDF — the five-move checklist plus ready lines for the email and the conversation with the director. For the fridge or the inbox.
  • Institution one-pager — one page for the preschool or school: why it’s a risk and five things they can change tomorrow. Forward it to the teacher or the head.

Both are licensed CC BY-NC-SA — share, print, forward. Don’t sell.


This is educational material, not legal advice. For disputes, the institution’s data protection officer (DPO) is usually the right contact — public bodies and most schools are required to appoint one, though the rule depends on the institution’s status and national implementation.