Georgetown Law
Technology Review

Two U.S. private equity backed companies have collected and analyzed the calls, texts, and emails of incarcerated individuals and their children for decades. In an alarming development, they are now using that data to train AI models that they claim will predict and prevent crimes.

Securus Technologies (“Securus”) and ViaPath Technologies (“ViaPath”) collectively control over 80% of the U.S. prison communications market, providing phone calls, video visits, and electronic messaging that connect incarcerated people to their families.

Despite their philanthropic rhetoric—Securus’s tagline is “Connecting What Matters” and ViaPath claims to “help break the cycle of incarceration through transformative technology and services”—their business models depend on excessive surveillance and extraction.  Families pay exorbitant rates: a 15-minute phone call costs between $1.80 and $6, while a video visitation costs between $0.20 and $1.50 per minute. Every interaction, including biometric data, is recorded, analyzed, and shared with law enforcement or data brokers, creating a multi-billion-dollar industry built by exploiting some of the most vulnerable people in the country.

The harms inflicted by Securus and ViaPath are well-documented. Both companies have been sued for recording thousands of calls between incarcerated people and their attorneys, among other abuses. Yet, meaningful scrutiny has been limited. Courts often accept claims that pervasive surveillance is necessary to ensure the safety of staff, visitors, and incarcerated people, and many lawsuits end in quiet settlements rather than binding precedent or structural reform.

Courts have overlooked that many children under 13 routinely use these platforms to speak with their incarcerated parents or caregivers or because they are detained in juvenile jails. Because Securus and ViaPath knowingly collect children’s personal information, their operations fall squarely under the Children’s Online Privacy Protection Act (“COPPA”). Properly enforced, COPPA is an overlooked but potentially powerful tool for regulating the prison communications industry.

Surveillance in the Digital Carceral State

Surveillance has long existed in prisons, but analog methods—mail monitoring, physical searches, and head counts—required human labor, which limited scale and abuse. Today’s carceral surveillance technologies are fundamentally different.

Securus and ViaPath now use AI to monitor communications at a massive scale. Securus’s NextGen Platform purports to record calls, generate voiceprints, transcribe conversations, and flag keywords selected by prison administrators in real time. This data is also matched against databases compiled across different contracted jails and public sources. ViaPath’s Data IQ claims to do the same and assess emotional tone, map social networks in and out of prisons, and predict criminal activity. Both use facial recognition in video visitation.

Critically, this data collection is indiscriminate by design. These systems function as digital dragnets, capturing voices, images, and personal information of not only incarcerated people, but also of their families, attorneys, and children, many of whom have no criminal involvement. The resulting datasets are sometimes retained indefinitely  and function as profit-generating assets within these platforms.

COPPA’s Framework and Its Relevance

Enacted by Congress in 1998 and implemented by the Federal Trade Commission (“FTC”), COPPA is the primary federal law governing the collection and use of personal information from children under 13. It defines “personal information” to include names, addresses, phone numbers, photographs, audio recordings, video files, and biometric identifiers.

COPPA gives parents meaningful control over their children’s data. It requires platforms to provide clear notice of their data practices and to obtain verifiable parental consent before collecting personal information. Parents have the right to access and delete their child’s data and to prohibit third-party sharing. COPPA prohibits conditioning participation in a service on the collection of more data than is “reasonably necessary.” A narrow exception allows operators to collect a child’s name and contact information to provide “information to law enforcement agencies or for an investigation on a matter related to public safety” before getting parental consent.

COPPA applies to commercial online services that knowingly collect children’s data or are directed toward children. Services are classified as general audience, child-directed, or mixed audience. Mixed-audience services—primarily aimed at adults but known to be used by children—must either implement age screens or obtain verifiable parental consent.

How Securus and ViaPath Violate COPPA

Securus and ViaPath try to evade COPPA by labeling their platforms as general audience; Securus states that their products “are not directed to children” while ViaPath alleges it “does not knowingly solicit” from children. But these claims collapse under scrutiny.

Both companies have actual knowledge that children use their platforms. Securus partners with juvenile prisons and markets tablets for detained youth. Its commercials have shown a young child communicating with an incarcerated parent on Christmas. ViaPath contracts with juvenile correctional facilities.

Neither company conducts meaningful age screening nor obtains verifiable parental consent. Securus, for example, relies on prerecorded warnings at the start of calls claiming that continued use constitutes consent, an approach that COPPA expressly rejects. Parents cannot consent while refusing third-party data sharing, and even if the companies’ data collection falls into the law-enforcement exception, they collect far more than a child’s name and online contact information. The scope of law-enforcement access far exceeds COPPA’s narrow exception. Moreover, children visiting their incarcerated parents should be able to communicate freely without worry that their data will be sold, as should incarcerated children, even if their rights are diminished in custody.

This “consent” is coercive. Moreover, prisons are increasingly eliminating in-person visitation, making digital visitation the only available option. Conditioning communication on surveillance means that any purported consent cannot satisfy COPPA’s requirements.

COPPA’s Untapped Power

These violations demonstrate COPPA’s untapped capacity to constrain surveillance-driven business models in the prison communications industry. COPPA is more than a notice-and-consent regime and establishes enforceable structural limits on the collection, retention, and disclosure of children’s data. Recent FTC rule amendments expanding biometric protections and strengthening consent standards illustrate the statute’s adaptability to modern data practices.

The government could bring a COPPA enforcement action against Securus and ViaPath, clarify their status as mixed-audience services, and place them under a child-centered regulatory framework. The “actual knowledge” standard is especially consequential where companies know children routinely use these systems to communicate with incarcerated family members, creating an obligation to limit the surveillance of children by restricting the recording, analysis, and sale of their data. COPPA’s requirements for verifiable parental consent and FTC-approved age-verification mechanisms offer a pathway away from passive consent models that treat children and their families as commercial data sources.

Finally, COPPA’s remedial and penalty provisions can reshape market incentives. Civil penalties, disgorgement, and consumer redress can change the cost calculus of companies whose profitability depends on pervasive surveillance, particularly in highly leveraged, private equity-backed markets. The prospect of liability also creates pressure on platforms to redesign and reform their systems to comply. Taken together, COPPA could compel a reckoning in an industry that treats children’s privacy as expendable in the pursuit of profit from incarcerated people.

Conclusion

Recent legislative and litigation efforts have tried to curb the financial exploitation of incarcerated people and their children. In 2024, the Federal Communications Commission (“FCC”), acting under the Martha Wright-Reed Fair and Just Communications Act, implemented price caps for phone calls of six cents per minute for prisons and large jails and seven cents per minute for medium-sized jails. That same year, the Civil Rights Corps (“CRC”) filed two landmark civil rights lawsuits on behalf of children in Michigan alleging that Securus and ViaPath violated their constitutional rights to maintain relationships with their incarcerated parents.

Both efforts have since stalled. In October 2025, the FCC postponed the price caps for two years, and the CRC cases were dismissed and are now on appeal. Meanwhile, the surveillance-driven prison communications market remains intact and largely unregulated.

As a bipartisan children’s privacy law, COPPA offers an immediately available and politically viable mechanism for structural reform. It is time for the FTC to enforce COPPA and hold Securus and ViaPath accountable for profiting from children’s data.