Probably the task furthest from your experience as an engineer/architect, but when it's not enough to tell them (boss, executives, legal) that it's a "potentially bad thing," also include some dollar figures.
As a tangent, you should also always have the right to contact Legal without supervision. In this case, you could even tell that person in the legal department that you're doing a risk-impact report (without lying) and need an estimate of how much it would cost the company to legally defend or settle a class-action violation of those COPPA guidelines/regulations, because that estimate suddenly becomes the development budget for making sure everything is in compliance.
If Machiavelli were a hacker, he'd have worked for the CSSG. -- Phil Lapsley