Canadian Office of the Privacy Commissioner releases results of third GPEN privacy sweep In early September, Canada's federal privacy authority, the Office of the Privacy Commissioner of Canada (“OPC”), released its findings following a “privacy sweep” of mobile apps and websites that target, or are popular among, children. This was the third time the now annual Privacy Sweep was conducted, and it involved the participation of 29 privacy authorities in 21 countries around the world. This year's sweep included privacy authorities in the US, South America, Europe, West Africa, and Asia. Drawing from its findings, the OPC also released general guidance regarding best practices that any organization that releases online and mobile content directed at children would find useful. Background: Sweep Reveals Three Key Trends involving Children's Personal Information, according to OPC The OPC “sweepers” assessed the transparency of privacy communications involving 172 apps and websites (mostly based in Canada, of 1,494 websites and apps examined globally) that are likely to be used by children. The sweep focused on the following key factors: (i) whether the app or website collects personal information from children; (ii) whether the app or website offers controls to limit the collection of personal information from children by requesting some form of parental involvement, or offering a parental control dashboard; (iii) the ease of deleting accounts and associated information; and (iv) the general level of comfort the "sweepers" felt while using the app or website. This final factor examined whether the app indicated it may disclose personal information of children to third parties, and whether children can easily be redirected off the site or app. According to the OPC, in all, 52 percent of the 172 apps or websites were found to collect personal information from children, only 26 percent requested parental involvement or had parental control options, and 46 percent were found to offer a simple way to delete account information. One of the most poignant conclusions made by the sweepers was that overall, 30 percent of the apps or websites reviewed left the sweepers feeling uncomfortable at the thought of a child using the app or website. The OPC identified three key trends: a significant portion of the apps or websites reviewed did not collect any personal information from children. The sweepers stated that this demonstrates that it is possible to create popular apps without unnecessarily encroaching on the privacy of children. several apps or websites that did not collect personal information from children would often contain advertisements or some other type of redirection to websites that did. This gives rise to other concerns, such as the potential for tracking, or profiling child users without their knowledge, or displaying inappropriate content. the sweepers were concerned about the common presence of chat or forum functions which would allow children to freely interact and share information with third parties. Best Practices: How to Mitigate Privacy Concerns around the Processing of Children's Personal Information In light of these concerns, the OPC has offered the following guidance to those who design or manage apps or websites that are directed to, or likely to be used by, children: 1. Consider ways to design apps or websites in ways that prevent personal information from being disclosed by children. For example, the use of preset usernames and avatars, and requiring users to select from a pre-approved list of words and phrases while using chat features will prevent children from inadvertently disclosing any personal information. 2. Require the involvement of a parent at some point. Some of the reviewed apps and websites accomplished this by including a parental dashboard to control privacy settings, or requiring parental involvement while registering on the app or website. Additional Information about the GPEN and Previous Privacy Sweeps The GPEN was formed in 2012 further to a recommendation of the Organisation for Economic Cooperation and Development Council to foster the establishment of an informal network of privacy enforcement authorities. It counts 29 national privacy authorities among its members. The GPEN conducts these annual sweeps to promote the exchange of information, dialogue, and cooperation among participating privacy authorities and organizations having a role in privacy enforcement. The most recent sweep follows similar exercises conducted in 2013 and 2014, both of which focused on the quality of privacy policies, and the appropriateness of any data collection in popular apps for smartphones and tablets. For more information, please contact Theo Ling, Arlan Gates, Eva Warden or Zia Hassan.