The Office of the Data Protection Commissioner (ODPC) participated in the third Global Privacy Enforcement Network (GPEN) Privacy “Sweep” (the Sweep) which took place between 11th and 15th May 2015. The aim of the Sweep was to examine the data privacy practices of websites and apps aimed at or popular among children.
GPEN was established in 2010 on the recommendation of the Organisation for Economic Co-operation and Development. The aim of GPEN is to create cooperation between data protection regulators worldwide in order to strengthen personal privacy. GPEN is currently made up of 51 data protection authorities across 39 jurisdictions.
29 data protection authorities participated in the Sweep which examined 1494 websites and apps. The Sweep found that many websites and apps which are targeted at, or popular among children, are collecting personal information without offering children or their parents adequate controls on the use and disclosure of their personal data. The Sweep also found a lack of measures for children or their parents to permanently delete accounts. Only one third of websites examined demonstrated that they could be successful without the need to collect personal data.
Data Protection Authorities’ Concerns
Data protection authorities expressed concern over 41% of websites and appsthat participated in the Sweep. In particular, the GPEN report highlights the following areas of concern:
· Inadequate or non-existent privacy policies, or lengthy and complex privacy policies
· Over-collection of information e.g. collecting an exact date of birth instead of simply the year/month of birth to verify a user’s age
· 78% of websites and apps swept were found not to use simple language, or to present warnings that could be easily read and understood by children
· User information was, in some cases, disclosed for vague or unspecified purposes and 51% of websites and appsswept stated that they may disclose user information to third parties.
· Virtual worlds that facilitate contact with children e.g. a free text chat function. This and other examples are sometimes unmonitored, posing a risk of children disclosing their personal information to strangers.
· 58% of websites and apps examined contained advertisements that redirect users to another website.
The Irish Sweep was carried out on 14 May 2015 and involved the examination by the ODPC of 18 apps and websites which are popular among Irish children. The Sweep found that many of the websites and apps surveyed required a lot of technical data e.g. cookies (61%), IP Address (28%), UID (Unique Identification)(50%) and Geo location (28%). It was noted that 45% of websites and apps examined contained third party advertising which would not be relevant to or appropriate for children. In addition, the Sweep highlighted the following:
· 30% of websites and apps examined collected one or more pieces of personal information and 44% of websites and apps stated that they could disclose personal information.
· 15% of websites and apps examined contained protective controls which effectively limited the collection of personal data.
· Only one website or app was found to have an accessible means of deleting account information.
· 44% of websites and apps requested some form of parental involvement.
· 11% of websites and apps tailored protective communications to children.
Although data protection regulators expressed concern over the practices of a number of websites and apps, the Sweep also highlighted some positive measures to protect children’s privacy. The report provides examples of protective controls e.g. websites providing users with pre-created avatars to use when navigating a site in order to avoid children providing their personal details for their own avatars. Some sites and apps provided children with a warning not to use their real name when signing up for an account. Some chat functions only allowed children to use certain words from a pre-approved list. One app provided an alternative version of the app for children under a certain age collected and shared less personal information than the adult-version.
John Rogers of the ODPC said that the findings from the Sweep were of concern and that ‘websites and apps being targeted at children need to improve greatly in terms of children’s privacy.’ He added that the ODPC now intends to "carry out a more detailed examination of the sites/apps of concern and contact them requesting remedial where necessary".
You can find the full results of the Sweep here.