Given the sophisticated tracking technologies embedded into so many digital products and services as a matter of course, it should come as no surprise that a global privacy audit of children’s websites and apps has highlighted big concerns about the collection and use of kids’ data. That doesn’t make it acceptable, however.
The Global Privacy Enforcement Network, a network of global privacy regulators, conducted a joint research project last May, involving 29 data protection regulators looking at just under 1,500 websites and apps targeted at or popular with children. Reporting their findings now, they’ve raised concerns about close to a majority (41 per cent) of the services, especially around how much personal information is being collected from minors and how that data is then shared with third parties.
Among the overall findings reported by the U.K.’s ICO are that:
- 67% of sites/apps examined collected children’s personal information
- Only 31% of sites/apps had effective controls in place to limit the collection of personal information from children. Particularly concerning was that many organisations whose sites/apps were clearly popular with children simply claimed in their privacy notices that they were not intended for children, and then implemented no further controls to protect against the collection of personal data from the children who would inevitably access the app or site
- Half of sites/apps shared personal information with third parties
- 22% of sites/apps provided an opportunity for children to give their phone number and 23% of sites/apps allowed them to provide photos or video. The potential sensitivity of this data is clearly a concern
- 58% of sites/apps offered children the opportunity to be redirected to a different website
- Only 24% of sites/apps encouraged parental involvement
- 71% of sites/apps did not offer an accessible means for deleting account information
Per country results vary, with France’s CNIL data protection agency saying it found 87 per cent of the 54 websites it looked at were collecting personal data, such as name, email, IP address, identifying the mobile terminal and the user’s location. And for more than 63 per cent of sites children could be redirected to another website (including a commercial website) with a single click. While just 18 per cent of the subset of sites it looked at prompt users to ask for parental consent to access the content.
None of this is surprising, given the rampant tracking technologies developed to monetize free services via ad targeting. But as more regulatory attention is paid to the user data heist that’s going on in the background of the digital economy then more pressure will build to enforce stronger consumer protections and a stricter data protection regime.
In the U.S., for instance, there is a fresh attempt to pass a Do Not Track Kids Act this year. While big tech providers such as Google and Apple have been responding to criticism about how kids and apps collide by creating dedicated kids zones within their content marketplaces, or offering programs where developers can opt in to an additional review layer, such as Google Play’s ‘Designed for Families’ program, to gain a kid-friendly certification.
Such moves are of course welcome but only cover digital products that are available within certain subsections of the Web. If kids are accessing websites and apps that aren’t explicitly designed for them — such as Tumblr or Twitter or Facebook, for instance — then there’s no such safeguards in place. The onus remains on parents to be aware which apps and websites their kids are accessing.
Ultimately the core issue here is the digital economy’s reliance on ad-powered business models which apparently encourage the obfuscation of user data collection; disingenuous approaches to gaining user ‘consent’ for data collection and processing; and a rank lack of transparency about what happens to and with users’ personal data generally.
Yet, as barely a week goes by without another huge data leak, digital consumers are bound to start asking more questions about how and for what purposes their personal data is being appropriated. And those tech companies that publicly stand up for privacy will stand out as trustworthy, while those that keep quiet will seem as if they have something unsavory to hide.
Commenting on the kids-focused research in a statement, the ICO’s Adam Stevens said:
These are concerning results. The attitude shown by a number of these websites and apps suggested little regard for how anyone’s personal information should be handled, let alone that of children. Internationally we saw some websites and apps gathering more information than we felt they needed, and sharing that data with third parties.
The most common concern domestically was a lack of information being provided about how their information would be used. We saw generic privacy policies that simply weren’t specific enough, and some without any information at all, which isn’t good enough.
We’ll now be writing out to the sites and apps that caused us concern, making clear the changes we expect them to make. We wouldn’t rule out enforcement action in this area if required.