The DDPA has investigated the collection of personal data by operators of several (social networking) websites.13 The DDPA has found that personal data was being collected on a large scale in violation of the APPD. In one case, the DDPA concluded that the operator of a website targeting young people under 16 failed to duly notify users of the purposes for the collection and processing of personal data and further to put security measures in place to restrict the risk of online publication of such data. In another case, an operator acquired a significant number of email addresses by encouraging the (underage) users of the website to submit email addresses of third parties in order to obtain extra credits for playing an online game. The parties behind those email addresses then received unsolicited mailings, which is not permitted without the recipient’s prior consent. Both websites now comply with the recommendations of the DDPA.