Backgrounder

Results of the 2015 Global Privacy Enforcement Network Sweep

GATINEAU, Quebec, September 2, 2015 – The third Global Privacy Enforcement Network (GPEN) Privacy Sweep demonstrates the ongoing commitment of privacy enforcement authorities to work together to promote privacy protection around the world.

Twenty-nine privacy enforcement authorities in 21 countries participated in this year’s Sweep, which took place May 11-15, 2015. That’s up from 26 participating authorities last year. Over the course of the week, participants visited 1,494 websites and mobile applications (apps) that were either targeted at or popular among children. The aim: to determine whether apps and websites are collecting personal information from children, what personal information is being collected, whether protective controls exist to effectively limit the collection and whether the information could be easily deleted.

The Office of the Privacy Commissioner of Canada focused on 172 websites and apps, many of which were based in Canada. Sweep results are now available.

Results at a Glance:
  Global OPC
Total number of apps/websites examined 1,494 172
Indicator 1: % that can collect personal informationFootnote * 67% 52%
Name 41% 38%
Chat function 28% 13%
Photo/Video/Audio 23% 22%
Address 19% 20%
Phone # 22% 17%
 
Indicator 2: % with protective controls to limit collection of personal info 31% 28%
Apps/websites that request some form of parental involvement 24% 29%
Apps/websites with a parental dashboard 14% 13%
 
Indicator 3: % with a simple means for deleting account info 29% 46%
 
Indicator 4: % that left sweepers feeling uncomfortable 41% 30%
% indicating they may disclose personal information to third parties 51% 62%
Child can be redirected off site 58% 62%

Key Trends:

Many apps and websites collect personal information from children.

In several cases, particularly sensitive personal information such as full name, address, phone number and photos/video/audio were collected. Some websites and apps also offered free-text chat functions, which open the door to the inadvertent collection of personal data. Sweepers felt privacy policies didn’t always explain why the information was being collected.

Nonetheless, a significant portion of apps and websites swept did not collect personal information from children at all, suggesting developers and data controllers can produce successful, appealing and dynamic products without encroaching upon the privacy of young users.

More often than not, users could be redirected away from the app or website.

Sweepers observed that some apps and websites that purported not to collect personal information, nonetheless redirected children to sites and apps that did collect. In certain cases, the redirection took place via an advertisement or contest that sometimes appeared to be part of the original site. Sweepers also raised concern about the inappropriate nature of the content in some of those ads, which included ads for dating websites and alcoholic beverages.

Sweepers were not always comfortable with the idea of allowing a child to use a particular app or website they swept.

Chief concerns raised included inadequate or non-existent privacy policies; the lack of a full delete function; the sharing of information with third parties and the existence of “virtual worlds” that allow information to be shared via a free-text, unmonitored chat or forum function.

Best practices:

  • A best practice is to not collect personal information from children at all. One way to avoid this is through the use of protective controls such as the use of preset avatars and usernames. This removes the need for children to create their own avatars to navigate apps and websites, which could result in the use of a personal photograph. Preset usernames were also observed as a good way to prevent children from using their real names.
  • Some websites and apps with a chat function allowed users to select words and phrases from a pre-approved list. This prevented children from freely typing their messages, which opens the door to inadvertently disclosing personal information.
  • OPC sweepers observed that overall, websites and apps targeted directly at young children presented a more privacy protective environment than those that were simply popular among children. An excellent – but seldom used effectively – practice of such websites is the inclusion of a parental dashboard to control privacy settings.

About the GPEN Privacy Sweep:

The goals of the Sweep initiative included: increasing public and business awareness of privacy rights and responsibilities; encouraging compliance with privacy legislation and enhancing cooperation among privacy enforcement authorities.

The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or possible violations of privacy legislation. The Sweep was also not an assessment of an app or website’s privacy practices in general, nor was it meant to provide an in-depth analysis of the design and development of the apps or websites examined.

By briefly interacting with the apps and websites, the exercise was meant to recreate the consumer experience. Our sweepers ultimately sought to assess privacy practices by spending a few minutes per website or app checking performance against a set of common indicators.

GPEN Privacy Sweep efforts are ongoing. As was the case in previous years, concerns identified during the Sweep could result in follow-up work such as outreach to organizations and/or enforcement action. The Office of the Privacy Commissioner of Canada has also prepared a classroom activity for Grade 7 and 8 teachers based on the Sweep to help familiarize students with privacy policies and issues related to the collection of personal information online.

About the Global Privacy Enforcement Network

The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context.

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.

See also:

News Release
Trends Blog
Children’s Blog
Classroom activity for Grade 7 and 8 teachers and Pro Tips for Kids: Protecting Your Privacy Online
Ganz investigation
Collecting from kids? Ten tips for services aimed at children and youth
Additional youth privacy resources from the OPC

Date modified: