Recently the Global Privacy Enforcement Network (GPEN) carried out a privacy sweep of websites and apps targeted at or popular among children.

GPEN is a consortium of 29 global privacy regulators including many within the European Union and the UK Information Commissioner’s Office is an active participant.

The ICO looked at 50 websites domestically and found that a large proportion of websites do not have suitable controls.

The GPEN results highlighted that:

  • 60% of sites/apps examined collected children’s personal information
  • half of those sites/apps shared children’s personal information with third parties
  • only 31% of sites/apps have effective controls in place to limit the collection of personal information from children
  • 22% of sites/apps provided an opportunity for children to submit their phone number and 23% allowed them to provide photos and videos
  • 71% of sites/apps did not offer an accessible means for deleting account information, and
  • only 24% of sites/apps encouraged parental involvement.

Particular concerns from the above findings are that many organisations whose services were clearly popular with children indicated in their privacy notices that the services were not intended for children but had no mechanisms to prevent children actually using those services.

Furthermore, the fact that many websites encouraged or allowed the submission of phone numbers and photos causes given the sensitivity of this data.

The GPEN privacy sweep did find examples of good practice and intend to use such good examples to provide future guidance.

Many GPEN members will be writing to sites/apps owners that did not comply with the law and/or good practice requiring changes to be made and the ICO’s office in a recent press release said:

“We wouldn’t rule out enforcement action in this area if required”.