An international privacy ‘sweep’ has illustrated how simple, child‑friendly design choices on websites and mobile apps can make a real difference in protecting children’s personal information online.
It was carried out by the Global Privacy Enforcement Network (GPEN) and involved 27 data protection and privacy authorities, including the Office of the Data Protection Authority of the Bailiwick of Guernsey (ODPA). The ODPA was a coordinator for the Sweep alongside the Office of the Privacy Commissioner of Canada and the UK Information Commissioner’s Office.
Nearly 900 websites and apps used by children were reviewed. Some of these services are designed specifically for children, while others are aimed at a general audience but are popular with children.
Participating authorities looked at how these websites and apps collect and use personal information, how clearly they explain their privacy practices, whether they use age‑assurance measures, and whether they limit the amount of personal data collected. The sweep repeated a similar exercise carried out in 2015, allowing authorities to compare how children’s privacy is being protected now compared with 10 years ago.
Overall, the sweep identified several positive practices, including:
- prompts discouraging children from using real names or uploading images;
- enhanced parental controls where offered; and
- location‑sharing settings being switched off by default.
However, the sweep also highlighted areas of concern. Compared with 2015, more online services now require users to provide personal information to access full functionality. More services also state in their privacy policies that they may share personal information with third parties. These developments can increase privacy risks for children if not carefully managed.
The use of age‑assurance mechanisms has increased since 2015, but the sweep found that these measures can often be easily bypassed. This was of particular concern where websites or apps contained inappropriate content or involved high‑risk data processing or design features for children.
Bailiwick of Guernsey Data Protection Commissioner Brent Homan said:
“We were honoured to help coordinate this year’s global sweep, and the headline findings are striking. 41% of swept services were assessed by our participants as not suitable for children. Despite an increase in age assurance mechanisms — now used by 45% of services, the majority could be easily circumvented. That said, the results do reveal some positive practices including the limited use or collection of real names or photos by certain sites built for children”.
The ODPA reviewed 35 platforms, a mix of websites and apps used by children in the Bailiwick. Half were specifically targeted at children. A further 38% were platforms not designed for children but known to be popular with them.
“Our local sweep results track the global picture closely — and in some respects go further,” said Commissioner Homan. “Of the platforms we swept, which included both global and local sites, over half still collected geolocation data from children on a mandatory basis. Restricting location information to family and friends reduces the risk that our children’s location can fall in the hands of malicious actors.”
Report overview
Sweep participants evaluated the websites and mobile applications based on five indicators, which largely mirrored those from the 2015 sweep.
For each indicator, the sweep found:
- Age assurance: For 72% of websites and mobile applications reviewed, participants were able to circumvent age assurance measures, most often where self-declaration was used.
- Collection of children’s data: More than half (59%) of the websites and mobile applications required the collection of an email address to access the full functionality of the platforms, followed by 50% requiring usernames, and 46% requiring geolocation. Overall, participants noted an increase in the collection of certain types of information compared to 2015.
- Protective controls: 71% of the websites and mobile applications did not have information about protective controls and privacy practices that were tailored to children.
- Account deletion: More than one third (36%) of the websites and mobile applications did not provide an accessible way to delete accounts.
- Inappropriate content and high-risk design features: Only 35% of the websites and mobile applications identified as having high-risk data processing and design features for children had privacy information, such as a pop-up, directing a young person to seek permission from their parents to continue using the website or app.
About the Global Privacy Enforcement Network
The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development (OECD). The network’s aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members work together to strengthen personal privacy protections in this global context. The informal network is comprised of more than 80 data protection and privacy authorities from around the world.
The privacy sweep is an annual initiative aimed at increasing awareness of privacy rights and responsibilities, encouraging compliance with privacy legislation, and enhancing cooperation between international data protection and privacy authorities.