Between May 12 and May 15, 2015, as part of the annual Internet Sweep Days, nearly 30 Data Protection Authorities (“DPAs”)audited child-oriented websites and mobile apps to check compliance with data privacy rules. Results are expected in Q3 2015.

The Global Privacy Enforcement Network (“GPEN”), which brings together numerous countries’ DPAs from across the world, regularly initiates and coordinates global audits. The 2014 Internet Sweep days revealed that many websites and mobile apps collecting personal data do not properly inform users on how this data will be collected and used — for example, insufficient privacy notices or none at all, poor accessibility or visibility of notices, etc.

In 2015, GPEN focused on websites and mobile apps targeted at or used by children. These are principally social networks, educational services, school support and game-oriented websites. The DPAs notably checked whether these websites and apps:

  •  require parental consent prior to use of the relevant services or collection of personal data,
  • facilitate the deletion of personal data submitted by children,
  •  make young users aware of data privacy issues, and
  •  provide information on personal data protection suitable to young users (e.g. simple language, animations).

Children’s personal data, a specific concern in the draft EU General Data Protection RegulationThis year’s sweep days were held as the Council is working on its proposal for an EU General Data Protection Regulation. This proposal emphasizes the necessity of protecting children’s personal data such “the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorized by the child’s parent or  guardian“. The proposal states that DPAs are encouraged to “draw up Codes of Conduct on the information and protection of children and the way to collect the parent’s and guardian’s consent“, and that DPAs must “grant specific attention to activities addressed specifically to children“.In proposing a bright-line test for consent at 13, the EU is moving to the US standard, which is inconsistent with civil law principles by which the general age of majority — and for giving lawful consent — is 18.