On September 2, the Privacy Commissioner of Canada (OPC) released the findings of the third annual Global Privacy Enforcement Network (GPEN) Privacy Sweep, which took place May 11-15, 2015. The GPEN Privacy Sweep assessed 1,494 mobile applications and websites and involved sweepers from 29 privacy enforcement authorities in 21 countries, including Canada. In Canada, the OPC Privacy Sweep reviewed 172 mobile applications and websites.
The GPEN Sweep focused on mobile applications and websites targeted to and/or popular with children. In this context, the Sweep assessed whether and to what extent such apps and websites:
- collected personal information, including sensitive information;
- provided protective controls, such as direct parental involvement and/or parental dashboards, to limit collection of personal information;
- provided a simple means for deleting account information; and
- caused concern with respect to use of the app or website by a child, either because information could be disclosed to third parties through use of the app or website, or a child could be easily redirected from the app or website.
The GPEN Sweep revealed that most of the mobile applications and websites assessed were actively collecting personal information, including some sensitive information, from children such as full name, address, phone numbers, and photograph, video or audio information, and sharing it with third parties. Furthermore, many of the apps and websites assessed failed to provide adequate protective controls to limit the collection of personal information from children and often redirected children to extraneous sites with different privacy protection practices and, in some instances, inappropriate content.
In Canada, the OPC Privacy Sweep found that two-thirds of the websites and apps swept included links redirecting children to other sites with varied privacy protection practices, often by means of an advertisement or contest icon that sometimes appeared to be part of the original site. In addition, two-thirds of websites and apps mentioned that they may disclose personal information to third parties. Overall, websites and apps targeted directly at children presented more privacy protective environments than those that were popular among children. Sweepers reported that they felt comfortable allowing a child to use 77 percent of the apps and websites swept that were specifically targeted at children; however, only 46 percent of apps and websites that were popular with children provided the same level of comfort.
Federal Privacy Commissioner Daniel Therrien recently identified enhancing privacy protection for vulnerable groups such as children and youth as a key priority of the OPC over the next five years. Further, June 2015 amendments to PIPEDA arising from enactment of the Digital Privacy Act have clarified the fundamental requirement that meaningful consent for the collection, use and disclosure of personal information must be obtained through the addition of a new "valid consent" requirement, such that consent is considered valid only if it is reasonable to expect that an individual understands the nature, purpose and consequences of the collection, use or disclosure. In announcing the amendments, the government explained the addition of the new requirements as a means to "…establish stronger rules to ensure that vulnerable Canadians, particularly children, fully understand the potential consequences when companies ask to collect and use their personal information. Companies will need to communicate these requests in clear and simple language for the target audience." Given that PIPEDA has historically been silent on whether children can provide meaningful consent, recent government and regulatory interest in this area suggests that organizations collecting and using personal information from children, particularly in the digital space, must be increasingly and continuously vigilant in their consideration and communication of privacy issues.
The OPC's blog identifies a number of mobile applications and website features and privacy practices that are appropriate for children and instructive in providing best practices examples and guidance to both those who use and those who develop mobile applications and websites:
- Personal information should not be collected directly from children. Protective controls, like preset avatars, preset usernames, and chat functions that allow users to select words and phrases from a pre-approved list can be effective in preventing children from unintentionally divulging personal information online.
- Moderated message/chat functions that ensure posts are screened for both content and personal information before they are published are preferred. Posts screened only for content but not for personal information can result in the inadvertent sharing of potentially sensitive information.
- Parental dashboards, if used correctly and not as a vehicle for collecting additional personal information about the parent, child, or other household members, can be an effective means of controlling privacy settings by placing limits on the functionality of a mobile application or website.
- Ease of deletion of account information is essential. Multistep deletion processes that involve multiple phone calls or e-mails, or privacy policies that are unclear regarding whether account information can or will be deleted are concerning, particularly if the information collected by the mobile app or website is sensitive or ubiquitous.
- Redirection to external apps or websites through ads or contest icons that appear to be part of the originating app or website can be problematic, particularly if the external site employs different personal information collection practices or contains questionable content. Pop-up warnings displayed prior to redirection may also be helpful, depending upon the age group for whom the app or website is designed.