Earlier this year, the Office of the Irish Data Protection Commissioner (“DPC”) announced its participation in another ‘privacy sweep’ (“Sweep”), focusing on children’s apps and websites. GPEN – the Global Privacy Enforcement Network – carries out an annual ‘privacy sweep’ which targets a specific trend or issue. GPEN is an alliance of data protection authorities (“DPAs”) from around the globe and the annual Sweep involves a co-ordinated effort among participating DPAs.
In 2014, GPEN focused on general app privacy compliance. As many DPAs had identified the use of children’s data as a key area of focus, the 2015 Sweep was aimed at children’s apps and websites. As the DPC noted in its announcement, “there is legitimate concern about the kind of data being collected by service providers via websites and apps that are popular with children, and how it is used and stored.” In recent months, GPEN has published the results of the review of children’s apps and websites.
What were the results?
In total, 41% of the roughly 1,500 sites/apps reviewed worldwide raised concerns. The primary areas of concern were the amount of data collected and the manner in which the data was shared. A noteworthy issue was the fact that a number of sites/apps reviewed stated in their privacy statements that the site or app was not intended for children, despite the fact that it was clearly popular with children. In connection with this, such sites/apps didn’t provide additional controls to protect against the collection of children’s personal data.
Almost a quarter of sites/apps gave users the opportunity to provide a phone number or a photo or video. The DPAs highlighted the potential sensitivity of these data types, given the age of the user base. This figure was particularly significant given that over 70% of the total sites/apps didn’t offer an accessible means for deleting account information.
Moreover, less than a quarter of the sites/apps encouraged parental involvement.
Closer to home
In Ireland, the DPC examined 18 apps and websites, both Irish and international, popular with Irish children. The DPC found that these apps and websites requested a lot of technical data. This included requests for cookies (61%), device identifiers (50%) and geo-location data (28%).
During the review, the DPC also found that 45% of the apps and websites contained advertising from third parties. In particular, the DPC stated that much of the advertising was either not relevant to or appropriate for children.
According to the DPC, websites and apps being targeted at children “need to improve greatly” in terms of children’s privacy. Given the above results, the DPC highlighted excessive data collection, lack of user information and lack of parental controls as specific issues.
As part of the results, the participating DPAs also reported examples of good practice. Certain sites/apps contained in-built protective controls, such as parental dashboards and pre-set information (for example, avatars and usernames) to prevent children inadvertently sharing their own personal information. Similarly, other sites/apps displayed in-line warnings discouraging children from entering unnecessary personal information. DPAs also found that certain chat functions only allowed children to choose words and phrases from pre-approved lists.
Participating DPAs are considering if further action is required in this space. DPAs may also decide to undertake coordinated enforcement action in certain cases. In Ireland, the DPC has stated that it aims “to carry out a more detailed examination of the sites / apps of concern and contact them requesting remedial action where necessary.”
The results of the 2014 ‘Sweep’ saw participating DPAs write an open letter to app marketplace operators. In particular, the letter called on operators – such as Google and Apple – to make links to privacy policies mandatory. It will be interesting to see if a similar approach is taken by DPAs following the 2015 Sweep. In light of the increasing popularity of computers and smart devices with younger children, this is likely to be a growing area of interest for regulators.