Results show improvements in some areas along with new concerns.
The results of the latest Global Privacy Enforcement Network (GPEN) sweep highlight how child-friendly practices can protect children’s privacy online. Along with emerging concerns, the sweep identifies improvements in some regards.
The global sweep included 27 data protection and privacy authorities from around the world, including the Office of the Information and Privacy Commissioner (OIPC) of Alberta. The sweep examined almost 900 websites and apps that are used by children. While some are designed for children’s use, others are used by the general population but are popular with children.
“Children’s privacy remains a key priority for our office, as stated in our annual business plan,” said Information and Privacy Commissioner of Alberta Diane McLeod. “Participation in this annual initiative helps us to raise awareness about how children’s personal information is used. Our focus for the most recent sweep focussed on popular games aimed at children, even those as young as five years old, as well as educational applications and social media. We are pleased to see that protections for children have been enhanced in some regards, but new concerns have also arisen.”
The findings in Alberta align largely with findings around the globe. For example, one finding from the Alberta part of the sweep is that apps aimed specifically at children are more likely to have child-friendly privacy practices, compared to those aimed at a larger audience (but still popular amongst children).
As part of the global initiative, the Alberta OIPC looked at the platforms’ mechanisms and practices regarding the collection of users’ personal information, as well as those relating to transparency, age assurance and limitations on data collection.
By replicating a 2015 children’s privacy sweep done by GPEN, participating authorities were able to compare how online services protected children then and now.
Overall, the sweep found good practices to protect children and their personal information, such as notifications advising children not to use their real names or upload images, as well as having location-sharing disabled by default.
However, the sweep also found concerning practices and increases in some privacy risks to children over the last decade. For example, compared to 2015, more of the online services used by children now require users to provide their personal information to access the full functionality of the platform. In addition, more platforms indicated in their privacy policies that they may share personal information with third parties.
The sweep found increased use of age assurance mechanisms to limit children’s access to online services but also found that such measures could easily be circumvented. This is a particular concern when websites and apps have inappropriate content or high-risk data processing and design features for children.
“The privacy sweep is not an investigation, nor is it intended to conclusively identify compliance issues or legal contraventions,” said McLeod. “Instead, concerns identified during the sweep may support targeted advice and engagement with organizations or enforcement actions in the future.”
Quick Facts
Sweep participants evaluated websites and mobile applications based on five indicators, which largely mirrored those considered in the 2015 sweep.
- Age assurance: For 72% of websites and mobile applications reviewed, participants were able to circumvent age assurance measures, most often where self-declaration was used.
- Collection of children’s data: More than half (59%) of the websites and mobile applications required the collection of an email address to access the full functionality of the platforms, followed by 50% requiring usernames, and 46% requiring geo-location. Overall, participants noted an increase in the collection of certain types of information compared to 2015.
- Protective controls: 71% of the websites and mobile applications did not have information about protective controls and privacy practices that were tailored to children.
- Account deletion: More than one third (36%) of the websites and mobile applications did not provide an accessible way to delete accounts.
- Inappropriate content and high-risk design features: Only 35% of the websites and mobile applications identified as having high-risk data processing and design features for children had privacy information, such as a pop-up, directing a young person to seek permission from their parents to continue using the website or app.
The privacy sweep is an annual initiative aimed at increasing awareness of privacy rights and responsibilities, encouraging compliance with privacy legislation, and enhancing cooperation between international data protection and privacy authorities.
This year’s sweep was coordinated by the Office of the Privacy Commissioner of Canada, the United Kingdom Information Commissioner’s Office, and the Office of the Data Protection Authority of the Bailiwick of Guernsey.
The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development (OECD). The network’s aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members work together to strengthen personal privacy protections in this global context. The informal network is comprised of more than 80 data protection and privacy authorities from around the world.
Through the OIPC, the Information and Privacy Commissioner performs the responsibilities set out in Alberta’s access to information and privacy laws, the Access to Information Act, the Protection of Privacy Act, the Freedom of Information and Protection of Privacy Act during the transition period, the Health Information Act, and the Personal Information Protection Act. The Commissioner operates independently of government.
Click here to read the GPEN news release, with links to this year’s GPEN Sweep report (in English and French) found at the bottom of the news release.
For more information:
Elaine Schiman
Communications Manager
Office of the Information and Privacy Commissioner of Alberta
communications@oipc.ab.ca
Mobile: (587) 983-8766