Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Protection of children’s privacy in focus

How well do websites and mobile apps protect the privacy of the children that they target? The Office of the Australian Information Commissioner (OAIC) will find out this week, when it takes part in the third Global Privacy Enforcement Network (GPEN) Privacy Sweep.

The OAIC is joining with 28 other privacy enforcement authorities around the world to examine websites and mobile apps for issues related to children’s privacy.

‘We know from previous privacy sweeps that many mobile apps and websites collect a great deal of personal information. This year we will examine 44 websites and mobile apps that are targeted at children aged 12 and under, to see how well they protect privacy. This includes checking if the website or app collects children’s personal information, and if so, whether protective controls exist to limit that collection,’ said Australian Privacy Commissioner Timothy Pilgrim.

The activity will also assess whether the websites or apps seek parental involvement, whether they allow users to be redirected off the site, whether they make it easy to delete personal information and whether privacy communications are tailored to the age group through approaches such as simple language, large print, audio or animation.

‘Another aspect we will examine is whether the websites and apps make it easy for parents to delete any personal information that has been collected about their child,’ Mr Pilgrim said.

‘I look forward to sharing the results of the sweep later this year. The results will help us to provide useful information to organisations about ways that they can protect the privacy of children, and to parents about any privacy issues they should be aware of when their children are using websites and apps,’ Mr Pilgrim said.

Children’s privacy was chosen by privacy enforcement authorities as the focus of the sweep due to the proliferation of websites and mobile apps that are targeted at this demographic. The GPEN was established to foster cross-border cooperation among privacy authorities.

Media contact:          Ms Sarah Croxall        0407 663 968              media@oaic.gov.au

Background information

The Privacy Act and children’s privacy

The Privacy Act 1988 (Cth) does not specify an age after which individuals can make their own privacy decisions.

For consent to be valid, an individual must have capacity to consent. Where consent is required for an organisation or agency to handle the personal information of an individual under the age of 18, the organisation or agency will need to determine on a case-by-case basis whether that individual 18 has the capacity to consent.

The OAIC’s Australian Privacy Principle guidelines state:

‘As a general principle, an individual under the age of 18 has capacity to consent when they have sufficient understanding and maturity to understand what is being proposed. In some circumstances, it may be appropriate for a parent or guardian to consent on behalf of a young person, for example, if the child is young or lacks the maturity or understanding to do so themselves.

If it is not practicable or reasonable for an organisation or agency to assess the capacity of individuals under the age of 18 on a case-by-case basis, they may presume that an individual aged 15 or over has capacity to consent, unless there is something to suggest otherwise. An individual aged under 15 is presumed not to have capacity to consent.’

GPEN privacy sweep

  • The third Global Privacy Enforcement Network (GPEN) Privacy Sweep will take place 11 to 15 May 2015.

  • GPEN was established to foster cross-border cooperation among privacy authorities.

  • This year, 29 privacy enforcement authorities are participating in the Sweep.

  • Authorities will participate in a coordinated effort to examine privacy issues related to children’s privacy.

  • Participants will be looking at the type and amount of personal information that websites and apps targeted at children are seeking and whether the website or app seeks parental involvement in this collection. Participants will also examine whether the website or app permits users to delete their personal information, and whether it seeks to rely on a child’s consent.

  • Concerns identified during the Sweep may result in follow-up work such as outreach to organisations and/or enforcement actions.

  • The goals of the Sweep initiative include: increasing public and business awareness of privacy rights and responsibilities; encouraging compliance with privacy legislation; identifying concerns which may be addressed with targeted education and/or other regulatory activities; and enhancing cooperation amongst privacy enforcement authorities.

  • The results of this year’s Sweep will be compiled and made public later in 2015.

Participants in the 2015 Sweep

CountryParticipant
Argentina
  • National Directorate for Personal Data Protection of Argentina
Australia
  • Office of the Australian Information Commissioner
  • Office of the Commissioner for Privacy and Data Protection, Victoria
Belgium
  • Privacy Commission of Belgium
Canada
  • Office of the Privacy Commissioner of Canada
  • Office of the Information and Privacy Commissioner of Alberta
  • Office of the Information and Privacy Commissioner for British Columbia
  • Commission d’accès à l’information, Quebec
Colombia
  • Superintendence of Industry and Commerce of Colombia
Estonia
  • Estonian Data Protection Inspectorate
France
  • Commission Nationale de l'Informatique et des Libertés
Germany
  • Federal Commissioner for Data Protection and Freedom of Information
  • Data Protection Supervisory Authority of Bavaria
  • Berlin Data Protection Commissioner
  • Data Protection Commissioner of Hessen
Gibraltar
  • Gibraltar Regulatory Authority
Hong Kong
  • Office of the Privacy Commissioner for Personal Data, Hong Kong
Ireland
  • Office of the Data Protection Commissioner
Israel
  • Israeli Law, Information and Technology Authority
Italy
  • Garante per la protezione dei dati personali (Italian Data Protection Authority)
Macao
  • Office for Personal Data Protection, Macao
Mexico
  • Federal Institute for Access to Information and Data Protection
The Netherlands
  • Dutch Data Protection Authority
New Zealand
  • Office of the Privacy Commissioner
Norway           
  • Norwegian Data Protection Authority
Republic of Macedonia
  • Directorate for Personal Data Protection
United Kingdom
  • United Kingdom Information Commissioner's Office
United States
  • Federal Communications Commission
  • Federal Trade Commission