Australian Government - Office of the Australian Information Commissioner - Home

Survey of child-targeted websites and apps reveals progress on privacy protection, but parental involvement still the key

Websites and mobile apps that target children should limit the amount of personal information that they collect about children, and ensure that adequate protective controls for parents are in place where personal information is collected.

This was the message from the Office of the Australian Information Commissioner (OAIC) and the 28 other privacy enforcement authorities that took part in the third Global Privacy Enforcement Network (GPEN) Privacy Sweep.

As part of the sweep, which took place from 11 to 15 May 2015, the OAIC examined 38 free websites and mobile apps targeted at children aged 12 and under. Globally, participating privacy enforcement authorities examined 1,494 websites and apps targeted at, or popular among, children.

Sweep participants looked at whether the website or app collected children’s personal information, and if so, whether protective controls exist to limit that collection. The sweep also examined whether the websites or apps seek parental involvement, whether they allow users to be redirected off the site, whether they make it easy to delete personal information and whether privacy communications are tailored to the age group.

Acting Australian Information Commissioner, Timothy Pilgrim, said that most of the websites and apps that the OAIC examined did not collect any personal information from children.

‘It is encouraging to see many website and app developers take a best practice approach to privacy protection by limiting, or eliminating, the collection of children’s personal information when targeting products to children aged 12 and under,’ Mr Pilgrim said.

‘However, there is still room for improvement. Less than a quarter of the websites and apps that we examined tailored their privacy messages to children, and three quarters of the websites or apps enabled children to be redirected off the platform,’ Mr Pilgrim said.

‘Internationally, the results from a number of other privacy enforcement authorities suggest that many of the most popular apps and websites used by children are not specifically designed for children and as such do not incorporate child-appropriate privacy measures.

‘For this reason, parental guidance and knowledge of what content children are accessing, including what information they may be asked to provide, is key to protecting their privacy.’

Mr Pilgrim encouraged developers and owners of websites and apps that are targeted at children to improve their privacy practices by tailoring privacy communications to children, where possible, and ensuring that privacy policies explain to parents whether the website or app will collect their child’s personal information, and if so, how it will be handled.

Developers of websites and apps targeting children should also:

  • promote parental involvement
  • put in place protective controls that will effectively limit the ability for children to disclose personal information or be redirected off the site or app without parental consent
  • provide an accessible means for deleting account information.

‘I also encourage parents and guardians to read privacy policies and to familiarise themselves with websites and apps that their children use,’ Mr Pilgrim said.

The OAIC is currently considering the results for any further follow up action.

The annual GPEN sweep is an example of growing international cooperation in privacy regulation and enforcement. ‘Cross-border privacy compliance and regulation is a growing issue in the connected environment, and cooperative exercises like the GPEN sweep give regulators around the world the opportunity to compare issues and share strategies to address common problems,’ Mr Pilgrim said.

Media contact: Ms Sarah Croxall     0407 663 968     media@oaic.gov.au

Background information

About the Global Privacy Enforcement Network (GPEN) sweep

The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. The informal network is comprised of 57 privacy enforcement authorities in 43 jurisdictions around the world.

The GPEN sweep, which took place from 11 to 15 May 2015, involved 29 privacy enforcement authorities.

The sweep did not involve an in-depth analysis of the privacy practices of each website or mobile app, but the exercise sought to replicate the consumer experience by spending a few minutes per site checking for performance against a set of criteria.

The sweep was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. The GPEN initiative is aimed at encouraging organisations to comply with privacy legislation, to identify areas of good and bad privacy practice for potential follow-up action, and to enhance co-operation between privacy enforcement authorities.

2015 Sweep highlights — Global and Australian results

Participating Data Protection Authorities: 29
Websites and apps: 1456
Websites and apps examined by the OAIC: 38

  • The OAIC’s GPEN sweep results differed from the global results in the number of websites and apps examined that did not collect any personal information from children.
  • The OAIC’s results indicated that only 34% of examined websites/apps collected personal information, compared with the 68% of websites/apps examined globally that appeared to collect personal information.
  • This difference may be explained by the fact that the OAIC examined websites and apps that were targeted at children aged 12 and under, while other privacy enforcement authorities decided to examine a mixture of websites and apps both targeted at and/or popular with children.
  • Several authorities observed that, overall, websites and apps targeted at young children presented a more protective privacy environment for children than those that were simply ‘popular’ with children.
  • The OAIC’s results and the global results identified examples of good privacy practices and bad privacy practices on websites and apps targeted at children:

Examples of good privacy practices on websites/apps targeted at children

  • Sweep participants found a number of good examples of the use of protective controls, for example:
    • One website provided users with pre-created avatars to use when navigating the site, removing the need for children to create their own avatars and to use their own information.
    • Certain sites warned children not to use their real names when setting up an account.
    • Some sites and apps with a chat function only allowed users to select words and phrases from a pre-approved list, instead of typing freely, so that children could not disclose their personal information inadvertently.
    • One app automatically offered children under a specified age an alternative version of the app: this child-centric alternative appeared to collect and share less personal information compared to the adult version of the app.
  • A small number of websites and apps tailored their protective communications to children by writing in plain, age-appropriate language or delivering their messages in some other child-friendly way.
  • Some websites and apps had age verification or gating to bar younger children from accessing the site or app.
  • Some websites and apps encouraged parental involvement.

Examples of bad privacy practices on websites/apps targeted at children

  • Sweep participants found a number of examples of bad privacy practices, including:
    • Inadequate or non-existent privacy policies, or lengthy and complex privacy policies.
    • Over-collection of personal information, for example, collection of exact date of birth instead of simply the year/month of birth to verify a user’s age.
    • Failure to use simple language, or failure to present warnings that children could easily read and understand.
    • The potential to be redirected to another website via advertisements. In certain cases, the redirection took place via an advertisement or contest which had the appearance of being part of the original site.
    • Unclear or generic privacy policies that provided little information about why a particular site or app was collecting personal information.
    • Ineffective age verification or gating tools, for example, controls that did not function (e.g., a child indicating she was 10 years old could still access the site) and others that were only passive (e.g., a pop-up indicating that a child below a specified age should not access the site).
    • No accessible means of deleting account information.

OAIC resources

The OAIC has published a number of resources that developers can use to ensure that their websites and apps comply with the Privacy Act 1988 (Cth) and contain adequate privacy protections, including:

Participants in the 2015 Sweep

Country Participant

Argentina

  • National Directorate for Personal Data Protection of Argentina

Australia

  • Office of the Australian Information Commissioner
  • Office of the Commissioner for Privacy and Data Protection, Victoria

Belgium

  • Privacy Commission of Belgium

Canada

  • Office of the Privacy Commissioner of Canada
  • Office of the Information and Privacy Commissioner of Alberta
  • Office of the Information and Privacy Commissioner for British Columbia
  • Commission d’accès à l’information, Quebec

Colombia

  • Superintendence of Industry and Commerce of Colombia

Estonia

  • Estonian Data Protection Inspectorate

France

  • Commission Nationale de l'Informatique et des Libertés

Germany

  • Federal Commissioner for Data Protection and Freedom of Information
  • Data Protection Supervisory Authority of Bavaria
  • Berlin Data Protection Commissioner
  • Data Protection Commissioner of Hessen

Gibraltar

  • Gibraltar Regulatory Authority

Hong Kong

  • Office of the Privacy Commissioner for Personal Data, Hong Kong

Ireland

  • Office of the Data Protection Commissioner

Israel

  • Israeli Law, Information and Technology Authority

Italy

  • Garante per la protezione dei dati personali (Italian Data Protection Authority)

Macao

  • Office for Personal Data Protection, Macao

Mexico

  • Federal Institute for Access to Information and Data Protection

The Netherlands

  • Dutch Data Protection Authority

New Zealand

  • Office of the Privacy Commissioner

Norway

  • Norwegian Data Protection Authority

Republic of Macedonia

  • Directorate for Personal Data Protection

United Kingdom

  • United Kingdom Information Commissioner's Office

United States

  • Federal Communications Commission
  • Federal Trade Commission