Child’s play?: Privacy worries about apps aimed at children


14 Dec 2015

Concerns have increased about how children's data is dealt with online

With the increased use of technology by young children, concerns about what is done with the data they may enter on websites or apps have increased. Mason Hayes & Curran looks at this issue and what is happening on a global scale.

Earlier this year, the Office of the Irish Data Protection Commissioner (DPC) announced its participation in a ‘privacy sweep’, focusing on children’s apps and websites. GPEN – the Global Privacy Enforcement Network – carries out an annual ‘privacy sweep’ that targets a specific trend or issue.

GPEN is an alliance of data protection authorities (DPAs) from around the world and its annual sweep involves a coordinated effort among participating DPAs.

In 2014, GPEN focused on general app privacy compliance. As many DPAs had identified the use of children’s data as a key area of focus, the 2015 sweep was aimed at children’s apps and websites. As the DPC noted in its announcement, “there is legitimate concern about the kind of data being collected by service providers via websites and apps that are popular with children, and how it is used and stored”.

In recent months, GPEN has published the results of the review of children’s apps and websites.

What were the results?

In total, 41pc of the roughly 1,500 sites and apps reviewed worldwide raised concerns. The primary areas of concern were the amount of data collected and the manner in which the data was shared. A noteworthy issue was the fact that a number of the sites and apps reviewed stated in their privacy statements that the site or app was not intended for children, despite the fact that it was clearly popular with children. In connection with this, such sites and apps didn’t provide additional controls to protect against the collection of children’s personal data.

Almost a quarter of sites/apps gave users the opportunity to provide a phone number or a photo or video. The DPAs highlighted the potential sensitivity of these data types, given the age of the user base. This figure was particularly significant given that more than 70pc of the total sites/apps didn’t offer an accessible means for deleting account information.

Even more worryingly, less than a quarter of the sites/apps encouraged parental involvement.

Closer to home

In Ireland, the DPC examined 18 apps and websites, both Irish and international, which are popular with Irish children. The DPC found that these apps and websites requested a lot of technical data. This included requests for cookies (61pc), device identifiers (50pc) and geo-location data (28pc).

‘Much of the advertising was either not relevant to or appropriate for children’

During the review, the DPC also found that 45pc of the apps and websites contained advertising from third parties. In particular, the DPC stated that much of the advertising was either not relevant to or appropriate for children.

According to the DPC, websites and apps being targeted at children “need to improve greatly” in terms of children’s privacy. Given the above results, the DPC highlighted excessive data collection, lack of user information and lack of parental controls as specific issues.

Good practice

As part of the results, the participating DPAs also reported examples of good practice. Certain sites/apps contained inbuilt protective controls, such as parental dashboards and pre-set information (for example, avatars and usernames) to prevent children inadvertently sharing their own personal information.

Similarly, other sites/apps displayed in-line warnings discouraging children from entering unnecessary personal information. DPAs also found that certain chat functions only allowed children to choose words and phrases from pre-approved lists.

Next steps

Participating DPAs are considering if further action is required in this space. DPAs may also decide to undertake coordinated enforcement action in certain cases. In Ireland, the DPC has stated that it aims “to carry out a more detailed examination of the sites / apps of concern and contact them requesting remedial action where necessary”.

The results of the 2014 sweep saw participating DPAs write an open letter to app marketplace operators. In particular, the letter called on operators – such as Google and Apple – to make links to privacy policies mandatory. It will be interesting to see if a similar approach is taken by DPAs following the 2015 sweep.

In light of the increasing popularity of computers and smart devices with younger children, this is likely to be a growing area of interest for regulators.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.

Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.

Child at computer image via Shutterstock