What does this cover?

The Global Privacy Enforcement Network (GPEN) was established in 2010 on the recommendation of the Organisation for Economic Co-operation and Development. GPEN connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy. It has more than 50 members from over 40 countries.

 As part of the GPEN Privacy Sweep 2015 (the Sweep) 29 data protection regulators around the world reviewed websites and apps targeted or popular among children in order to examine data privacy practices. The Sweep took place between 11 and 15 May 2015.

As a result of the Sweep, serious concerns were raised with 41% of the 1494 websites and apps examined. In particular, the GPEN report highlights the following areas of concern: 

  1. The collection of personal data from children including phone numbers, photographs and videos;
  2. Inadequate, non-existent or lengthy and complex privacy policies;
  3. Complex warnings that children are unlikely to easily read or understand;
  4. Over-collecting information (e.g. collecting an exact date of birth rather than simply requesting the year of birth to verify a user’s age);
  5. The disclosure of children's information to third parties;
  6. The use of advertisements that redirect child users to another website;
  7. Failure to encourage parental involvement;
  8. Inability to delete account information.   

The Irish Sweep

The Irish Sweep was carried out on 14 May 2015 and involved the examination by the Office of the Data Protection Commissioner of Ireland (ODPC) of 18 apps and websites (both international and Irish) which are popular with Irish children.

The Sweep found examples of good practices with some websites and apps providing effective protective controls such as parental dashboards, pre-set avatars and/or usernames to prevent children inadvertently sharing their own personal information. Other examples included chat functions that only allowed children to choose words and phrases from pre-approved lists and the use of "just-in-time" warnings to deter children from unnecessarily entering personal information.

However, the Sweep did raise similar concerns to the overall themes identified above including the collection and use of personal data from Irish children, the transfer of data to third parties, the unsuitable use of privacy policies and the inability to allow children to delete account information.  The Sweep also highlighted the unnecessary collection of technical data by websites and apps (e.g. cookies (61%), UID (Unique Identification) (50%) and Geo location (28%).

Next Steps

Authorities will now consider whether further action is needed against the specific sites and apps they reviewed in their country and whether or not there are cases that should be addressed by coordinated international action. 

From an Irish perspective, John Rogers, Senior Investigations Officer of the ODPC, said that the findings were of concern and that 'websites and apps being targeted at children need to improve greatly in terms of children’s privacy.' He added that the ODPC now intends to "carry out a more detailed examination of the sites/apps of concern and contact them requesting remedial where necessary". 

To view the GPEN Privacy Sweep 2015 Final Results, please click here.

(Article submitted by Rowena McCormack, Associate, DAC Beachcroft Dublin)

What action could be taken to manage risks that may arise from this development?

None - this is for interest only.