Kids' privacy sweep lesson plan

Alternate versions

Level: Grades 7 and 8

Learning Objectives

By conducting their own “privacy sweep” to examine the types of information gathered by their favourite websites and apps, students will:

  • Gain an appreciation of what “personal information” is in the context of privacy laws;
  • Become aware of how and why websites and apps collect personal information; and
  • Better understand privacy policies and privacy communications to make informed choices about the websites they visit and the apps they use.

Background

Mobile apps and websites can collect large amounts of personal information from users – in many cases, this information is required in order to fully experience everything the website or app has to offer. But are we, as users, aware of what information is being collected, and do we know how it is being used?

For the last few years, the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner of Alberta (OIPC), along with privacy authorities from around the world, have participated in something called a Privacy Sweep. Each year a different theme is chosen and in 2015, the Sweep focused on Children’s Privacy. During the Sweep, staff from the OPC and OIPC assessed whether apps and websites collected personal information from children and if so, whether those apps and websites offered tips or guidance to limit the amount of information they were collecting. We looked at hundreds of websites and apps targeted at or popular among children and used a version of the accompanying sweep form to keep track of what type of personal information was being collected, whether protective controls were in place to limit collection, whether accounts could be easily deleted and whether adults ultimately felt comfortable allowing a child to use a particular app or website.

Some staff from the OPC also brought their kids to work to help with the project. While our young Sweepers interacted with their favourite apps and websites, parents closely monitored their interactions and took notes on certain privacy practices and communications. The kids had fun and some parents involved in the Sweep reported that their children have since become much more aware of the potential risks that could come from sharing personal information online. This lesson plan is based on our experience with the “Kids’ Privacy Sweep”.

Preparation and Materials

  • Read and photocopy the attached worksheet (“Sweep Form”) and “10 Tips” student handout for your class
  • Have enough Internet-connected computers and/or mobile devices (smartphones or tablets) for the class to work either individually or in small groups. You may even want to preload some apps onto devices to save time installing them.

Procedure

  • Begin by asking your students to identify their favourite websites and apps.
    • Record these on the board or on a flipchart.
  • Ask students to define “personal information.”
    • Here’s a definition you may wish to use:

      Personal information is information about an identifiable individual. It can include your name, birthday, e-mail address, and phone number. It can also include: your opinions, your spending habits, your IP address, photos and digital images, and your e-mail and text messages.

  • Ask students if the websites and apps they’ve identified collect personal information, and if so, what types of information they collect.
    • Common answers include:
      • Full name
      • E-mail address
      • Age
      • Photo
  • Ask them what they think companies use that information for.
    • Some common answers:
      • To create an account
      • To verify your age or identity
      • To customize your experience
      • To share with marketers so they can show you ads based on your interests
      • Ask students if they are comfortable sharing this type of information with these companies. (After the exercise, you may wish to mention the results of a 2014 survey by MediaSmarts that found that the majority of Canadian students were not comfortable with marketers having access to their personal information – only 5% said marketing companies should have access to their social networking profiles and only 1% said they thought marketers should be able to track where they are: Executive Summary — Key Findings)
  • Explain that the class will be taking a closer look at their favourite apps and websites to see what types of personal information are collected and how websites and apps explain what they will collect and how they plan to use it.
  • Distribute the worksheet to students and assign each student a website or app to examine. (You may wish to have students work in pairs or groups of three, depending on the availability of computers and mobile devices.)
  • Model the sweep for students by first reading through the sweep form together to ensure students understand what they are looking for, then examining a website or app and filling out a sweep form. As a starting point, look for the website’s or app’s privacy policy – particularly for an explanation of what types of information they are collecting, and how they plan to use it. If you’re examining an app, look at the permissions the app is asking for in order to work.

The following glossary of terms may be useful:

WHAT’S A...

COOKIE?

A cookie is a small file of text that a website can place on your computer. The file collects and stores information, such as your username and password and how many times you’ve visited that site. The information can then be transmitted back to the website. (See our fact sheet on cookies for more information.)

AN INTERNET PROTOCOL (IP) ADDRESS?

An IP address is a unique number assigned to your computer or mobile device. It often looks like this: 192.168.1.1 Because an IP address can be assigned to just one computer or device, when it’s combined with other information like location information or search history, it can be used to create a detailed profile of a specific person.

A UNIQUE DEVICE IDENTIFIER (UDID)?

A UDID is a unique 40-character string assigned to an iOS (Apple) device. The string is alphanumeric (made up of letters and numbers). Like an IP address, it can reveal a lot of information about the user of that device when combined with other pieces of information.

GEOLOCATION INFORMATION?

Geolocation information is information provided through the Internet which can identify the geographical location of a person, computer or mobile device.

FIXED CHAT VS. FREE CHAT?

In a fixed chat, users choose a comment or question from a list of choices provided. In a free chat, users can enter their own messages using the keyboard.

  • Have students examine a website or app and fill out the sweep form.
  • After the students have completed their examination of sites and apps, regroup for a discussion:
    • What kind of information was collected? What information was required and what information was just requested?
    • Were sites and apps upfront about what they were collecting and why?
    • Did you have any trouble finding out what was being collected and why?
    • Did the site or app attempt to redirect you to another site or app through advertising, contests or links to social media?
    • Were you able to figure out how to delete your account or information from the site or app?
    • Knowing what types of information companies are collecting about you, do you feel differently about companies collecting information about you than you did before doing the sweep?
    • Did the site or app offer any tips to protect your privacy (e.g. don’t use your real name as your profile name)?
    • Would you have any concerns letting a younger sibling use the site or app on their own?
    • What tips would you offer a younger sibling or a friend? (You may wish to distribute or read out loud the “10 Tips” student handout. Ask: what are some other tips or advice you could give?)
  • After the discussion, explain that the exercise they just completed is very similar to one conducted around the world by data protection officials earlier this year. You may want to distribute or read either the news release or blog post mentioned above (“Dig deeper”).

Additional Resources

Social Smarts: Privacy, the Internet and You

Information: Once it’s out there…. Video

Protecting your online rep presentation package for Grades 7 and 8

“Why I make my kids read privacy policies,” blog post by Nicole Wong

Protecting your privacy on commercial websites tip sheet by MediaSmarts

Online marketing to kids: Protecting your privacy lesson plan by MediaSmarts

For more information, please contact:

OPC Logo

Office of the Privacy Commissioner
of Canada
30 Victoria Street – 1st Floor
Gatineau, QC  K1A 1H3
Toll-free: 1-800-282-1376
Phone: (819) 994-5444
Fax: (819) 994-5424
TTY: (819) 994-6591
www.priv.gc.ca

Alberta Logo

Office of the Information and Privacy
Commissioner for Alberta
#9925 – 109 Street NW, Suite 410
Edmonton, AB  T5K 2J8
(780) 422-6860 or 1-888-878-4044
Fax: (780) 422-5682
generalinfo@oipc.ab.ca
www.oipc.ab.ca


SWEEP FORM
Basic Info ☐Website  ☐App URL /App name:
  Does the website or app have a privacy policy? (Tip: Check the bottom of the webpage or app for the words” Privacy policy,” “Terms of service” or “Legal.” You’ll probably need to read the privacy policy to answer the following questions.) ☐ Y ☐ N
Does the website or app say it collects personal information? ☐ Y ☐ N
Does the website or app say it may disclose personal information to third parties? ☐ Y ☐ N
Does the website or app explicitly state that it does not collect personal information? ☐ Y ☐ N
  WHAT INFORMATION IS COLLECTED… DURING REGISTRATION?
(Websites or apps may collect information so you can make purchases, enter contests or use certain features of the website or app.)
…DURING USE? …AUTOMATICALLY? Other (identify)
User name Email Name (full or partial) Age /
grade
Date of birth Address Phone number Photo / Video / Audio file Chat Function Info of 3rd parties (e.g., friend) Cookies IP address Unique device identifier Geo-location info  
OPTIONS
Mandatory
Optional
Not Collected
☐M
☐O
☐NC
☐M
☐O
☐NC
☐M
☐O
☐NC
☐M
☐O
☐NC
☐M
☐O
☐NC
☐M
☐O
☐NC
☐M
☐O
☐NC
☐M
☐O
☐NC
☐Yes
☐Fixed chat
☐Free chat
☐ No
☐M
☐O
☐NC
☐Yes
☐No
☐Yes
☐No
☐Yes
☐No
☐Yes
☐No
 
PRIVACY ADVICE Did this website/app offer any advice or tips to limit the amount of personal information you provide (e.g. “don’t use your real name as a username”)?☐ Y ☐ N
Is the advice presented in a way a child can understand (e.g. simple language, large print, audio, animation)?    ☐ Y ☐ N
Did the website/app ask or suggest you involve a parent?    ☐ Y ☐ N
Was there a special section of the website meant for parents (possibly called a parental dashboard)?    ☐ Y ☐ N
Does the website/app redirect you to another website or app?   ☐ Y ☐ N
If it does, are there any warnings that you are leaving the site?    ☐ Y ☐ N
DELETION Is there an option to delete your account?                                                        ☐ Y ☐ N
If there is, is it easy to find?                                                                 ☐ Y ☐ N
If there is, is it easy to understand?                                                   ☐ Y ☐ N

Indicator
1. Does the website / app collect your personal information?
☐  Yes  ☐  No
2. Does the website/app offer any advice on protecting your privacy?
☐  Yes  ☐  No
3. Is there an easy way to delete your account or your info from this website/app?
☐  Yes  ☐  No
4. Would you be comfortable letting a younger sibling use this website/app alone?
☐  Yes  ☐  No

Pro Tips for Kids: Protecting Your Privacy Online

Just as we look both ways before crossing the street, we need to take a closer look at websites and apps before we agree to use them. You’ve probably heard advice like this before: Talk to a parent or guardian before providing your real name or any personal information online. That still applies of course, but here are some additional tips to help you out:

  1. Before downloading an app, look at the permissions. Ask yourself: what does the app need in order to run? Why would they need that information?
  2. Get into the habit of going through the privacy policy for any new apps or websites. Don’t understand something? Ask an adult for help. If, after reading the privacy policy, you still have questions about why an app or website would need your information, contact the company. You should be able to find a contact for privacy-related questions in their privacy policy.
  3. Still uncomfortable with how a website or app is collecting and using your information? Look for alternative apps and websites.
  4. When creating an account on a website or app, try to provide only the information they need in order to create an account.
  5. Don’t use your real name as a username or handle. Create a made-up name (an alias).
  6. Look out for links that may redirect you to other websites and apps. You may end up in a different place online where information is collected and used for purposes different from the ones outlined in the privacy policy of the original app or website you were using.
  7. Don’t blindly trust a website or app because it features seals, badges or stickers suggesting that it’s safe or secure.
  8. Lock down the privacy settings on apps and websites you use.
  9. If you’re especially curious about what information websites may be collecting about you, you might try downloading a browser plug-in to learn about, and even block, cookies and other tracking technologies. These are often available for free.
  10. Bottom line: Your personal information is valuable and it’s up to you to decide who should have it. If you think an organization hasn’t been upfront about what it’s collecting and why, let them know. Organizations will respond to consumer demand – make sure they know you take your privacy seriously.
Date modified: