On September 2, 2015, the French Data Protection Authority (“CNIL”) published the results of an Internet sweep of 54 websites visited by children and teenagers. The sweep was conducted in May 2015 to assess whether websites that are directed toward, frequently used by or popular among children comply with French data protection law. As we previously reported, the sweep was coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”). The CNIL and 28 other DPAs that are members of the GPEN participated in the coordinated online audit. A total of 1,494 websites and apps were audited around the world.
The participating DPAs primarily verified:
- The type of personal data collected;
- The depth of information provided to children/teenagers and whether that information was tailored to them (i.e., whether children could understand the information); and
- The presence of vigilance or control measures relating to young audiences (i.e., which precautions were taken).
The CNIL and other participating DPAs found the following:
A large collection of personal data and limited access for deleting accounts: The CNIL found that 87% of the websites audited (the average among participating DPAs was 67%) collect personal data, including IP address, mobile device identifier and location. The CNIL noted that one particular way websites collect personal data is by imposing an obligation on users to create an account. According to the CNIL, the collection of certain data is not necessary to provide the services offered by the website. Further, the CNIL found that only 39% of the websites audited by the CNIL provide users with an easy way to delete their account.
Lack of awareness among young audience about the collection of their data: The CNIL found that 71% of the websites audited include a privacy notice, but that only 33% of them tailor that notice to a young audience and include it on the form provided to the child or his or her parents.
Links to other websites, including e-commerce sites: According to the CNIL, on 63% of the websites audited, children could be redirected to other websites, including e-commerce sites, via simple hyperlinks.
No cookie banner: The CNIL noted that all of the websites audited placed cookies on users’ devices as soon as they arrived on the homepage, without obtaining users’ prior consent. In addition, 63% of the websites have still not posted the required cookie banner.
No notifications or warnings provided by most sites: The CNIL found that many websites (62%) do not provide warning messages or parental control options, such as an awareness message to children or an email sent to parents to (1) inform them about the collection of their children’s data, and (2) obtain their consent to such collection. According to the CNIL, 18% of the websites audited seek parental consent via a tick box, 15% verify the age of the user, 13% contain warning messages or notifications and 11% implemented a parental control chart when users register their account.
In light of these findings, the CNIL published new guidelines to help child-directed website publishers comply with French data protection law. The CNIL also announced that it will send a letter to the website publishers to remind them of their data protection obligations. The CNIL may then conduct further inspections and impose sanctions if website publishers do not cease their non-compliance.