Data Protection Commissioner
Data Protection Commissioner

 

GPEN Privacy Sweep 2015

Concerns over Children’s apps and websites

 An international project looking at websites and apps used by children has raised concerns over the personal information collected.

 The project, in which the Office of the Data Protection was a participant, raised concerns about 41 % of the 1,494 websites and apps considered, particularly around how much personal information was collected and how it was then shared with third parties.

 The Global Privacy Enforcement Network (GPEN) Privacy Sweep saw 29 data protection regulators around the world look at websites and apps targeted at, or popular among, children.

 Results included:

 ·         67% of sites/apps examined collected children’s personal information

 ·         Only 31% of sites/apps had effective controls in place to limit the collection of personal information from children. Particularly  concerning was that many organisations whose sites/apps were clearly popular with children simply claimed in their privacy notices that they were not intended for children, and then implemented no further controls to protect against the collection of personal data from the children who would inevitably access the app or site

 ·         Half of sites/apps shared personal information with third parties

 ·         22% of sites/apps provided an opportunity for children to give their phone number and 23% of sites/apps allowed them to provide photos or video. The potential sensitivity of this data is clearly a concern

 ·         58% of sites/apps offered children the opportunity to be redirected to a different website

 ·         Only 24% of sites/apps encouraged parental involvement

 ·         71% of sites/apps did not offer an accessible means for deleting account information.

 

The project did find examples of good practice, with some websites and apps providing effective protective controls, such as parental dashboards, and pre-set avatars and/or usernames to prevent children inadvertently sharing their own personal information. Other good examples included chat functions which only allowed children to choose words and phrases from pre-approved lists, and use of just-in-time warnings to deter children from unnecessarily entering personal information.

 While the project focused on privacy practices, authorities also noted concerns around the inappropriate nature of some advertisements on websites and apps aimed at children.

 

A summary of the Global Sweep Results is attached.

 Authorities will now consider whether further action is needed against the specific sites and apps they looked at in their country, and whether or not there are cases that should be addressed by coordinated international action.

 

In Ireland's case, the Sweep involved the examination of 18 apps and websites (both international and Irish) which are popular with Irish children. The Irish Sweep took place on 14 May 2015. The Irish results found that the apps / websites tested requested a lot of technical data such as cookies (61%), IP Address (28%), UID (50%) and Geo location (28%). The Sweep Team also noted that 45% of apps / websites tested carried third party advertising, much of which would not be relevant to or appropriate for children. The following table sets out in more detail some of the findings of the Irish Sweep Team:

 

 

Overall Results - Ireland

Total number of websites and apps examined:

18

Number of websites / apps examined which collect one or more pieces of personal information:

6

Number of websites / apps for which protective controls effectively limit the collection of personal data:

3

Number of websites / apps for which there is an accessible means for deletion of account information:

1

Number of websites / apps for which sweepers identified concerns:

7

Disclosure

Number of websites / apps which indicate that they may disclose personal information:

8

 

 

 

Controls

Number of websites / apps which request some form of parental involvement:

8

Number of websites / apps with a parental dashboard:

2

Number of websites / apps for which the child could be redirected off the site:

10

Number of websites / apps that tailor protective communications to children:

2

 

 

John Rogers, Senior Investigations Officer who coordinated the Irish Sweep said:

 

“Our findings from the Sweep are of concern and we feel that websites and apps being targeted at children need to improve greatly in terms of children’s privacy.

 

“Excessive data sought, lack of user information and lack of parental controls were among the issues indentified. We now intend to carry out a more detailed examination of the sites / apps of concern and contact them requesting remedial action where necessary.”

 

GPEN aims to improve global enforcement cooperation around privacy legislation. This is the third annual sweep, and follows reports on the privacy practice transparency of websites and mobile privacy.

 

 

Link to Global Sweep Results

 

More about the Global Privacy Enforcement Network:

https://www.privacyenforcement.net/

 

Media enquiries regarding the Data Protection Commissioner of Ireland:

media@dataprotection.ie

+353 (0)57 868 4800