Last week, the Global Privacy Enforcement Network (GPEN) released the results from their third annual Privacy Sweep. Twenty-nine privacy enforcement authorities spread across 21 countries reviewed 1,494 websites and mobile applications (apps) either targeted to or popular among children – the theme of this year’s sweep.
Canadian regulators participating in the international sweep included the Office of the Privacy Commissioner of Canada (OPC), the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner of British Columbia, who focussed their review on websites and apps based in Canada.
Among the overall findings by GPEN, 67% of the websites and apps examined collected personal information from children, such as names, photos, videos, audio, addresses and phone numbers.
“Too many developers are collecting particularly sensitive personal information such as photos, videos and the location of children, and often allowing it to be posted publicly, when there are clearly ways to avoid it,” said Privacy Commissioner Daniel Therrien in a statement. The OPC has repeatedly recommended in its publications and report of investigations that the best practice is to never collect personal information from children.
The OPC noted that many companies are developing innovative, creative and dynamic technological tools that balance the purpose of the website or app while respecting privacy protection.
The Privacy Sweep also found that 51% of websites and apps reviewed indicated they may disclose the children’s personal information to third parties. The Privacy Sweep found that 58% of websites and apps reviewed, while purporting not to collect personal information, redirected children to sites and apps that did collect personal information. The redirection was via an advertisement or a contest that sometimes appeared to be part of the website or app.
In considering parental or some form of adult supervision or control, only 31% of websites and apps reviewed had any protective control in place that would limit the collection of personal information; even less (24%) had some form of parental involvement.
The focus of privacy protection of vulnerable groups, such as youth and children, is one of Commissioner Therrien’s current privacy priorities.
The OPC also provided recommendations for companies to consider when collecting, using or disclosing personal information that may involve children, including:
- Avoid collecting any personal information from children.
- Instead of requiring children to disclose their name or photo or other personal information – for example to register with a website or app – companies should use protective controls such as preprogrammed avatars and usernames that children can select instead.
The goals of the GPEN Privacy Sweep include creating awareness and encouraging compliance with privacy legislation; however, GPEN and the OPC note that the results of the Privacy Sweep could lead to follow-up action being taken, including outreach and investigations.
