Probably the task furthest from experience as an engineer/architect, but when it's not enough to tell them (boss, executives, legal) that it's a "potentially bad thing," also include some dollar figures.
As a tangent, you should also always have the right to contact Legal without supervision. In this case, you could even tell that person in the legal department you're doing a risk-impact report (without lying) and need an estimate for how much it would cost for the company to legally defend or settle a class-action violation of those COPPA guidelines/regulations. Because that suddenly becomes the development budget for making sure everything is in compliance.
"If you want to know what happens to you when you die, go look at some dead stuff." -- Dave Enyeart