Data protection agencies concerned by use of personal info
An international project looking at websites and apps used by children has raised concerns over the personal information collected.
The project raised concerns about 41% of the 1,494 websites and apps considered, particularly around how much personal information was collected and how it was then shared with third parties.
The Global Privacy Enforcement Network (GPEN) Privacy Sweep saw 29 data protection regulators around the world look at websites and apps targeted at, or popular among, children.
- 67% of sites/apps examined collected children’s personal information
- Only 31% of sites/apps had effective controls in place to limit the collection of personal information from children. Particularly concerning was that many organisations whose sites/apps were clearly popular with children simply claimed in their privacy notices that they were not intended for children, and then implemented no further controls to protect against the collection of personal data from the children who would inevitably access the app or site
- Half of sites/apps shared personal information with third parties
- 22% of sites/apps provided an opportunity for children to give their phone number and 23% of sites/apps allowed them to provide photos or video. The potential sensitivity of this data is clearly a concern
- 58% of sites/apps offered children the opportunity to be redirected to a different website
- Only 24% of sites/apps encouraged parental involvement
- 71% of sites/apps did not offer an accessible means for deleting account information.
The project did find examples of good practice, with some websites and apps providing effective protective controls, such as parental dashboards, and pre-set avatars and/or usernames to prevent children inadvertently sharing their own personal information. Other good examples included chat functions which only allowed children to choose words and phrases from pre-approved lists, and use of just-in-time warnings to deter children from unnecessarily entering personal information.
The ICO looked at 50 websites domestically, with similar results to the international picture.
While the project focused on privacy practices, authorities also noted concerns around the inappropriate nature of some advertisements on websites and apps aimed at children.
Authorities will now consider whether further action is needed against the specific sites and apps they looked at in their country, and whether or not there are cases that should be addressed by coordinated international action.
Adam Stevens, who heads up the ICO’s intelligence hub, said:
“These are concerning results. The attitude shown by a number of these websites and apps suggested little regard for how anyone’s personal information should be handled, let alone that of children.
“Internationally we saw some websites and apps gathering more information than we felt they needed, and sharing that data with third parties.
“The most common concern domestically was a lack of information being provided about how their information would be used. We saw generic privacy policies that simply weren’t specific enough, and some without any information at all, which isn’t good enough.
“We’ll now be writing out to the sites and apps that caused us concern, making clear the changes we expect them to make. We wouldn’t rule out enforcement action in this area if required.”
About the Global Privacy Enforcement Network (GPEN)
GPEN aims to improve global enforcement cooperation around privacy legislation. This is the third annual sweep, and follows reports on the privacy practice transparency of websites and mobile privacy.
The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. The informal network is comprised of 57 privacy enforcement authorities in 43 jurisdictions around the world.
Notes to Editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter.Our Press Office page provides more information for journalists.
- Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection