Data protection authorities around the world will “sweep” the websites directed to children

By Milda Macenaite, fellow of the European Privacy Association


The sweep reaffirms the concerns around a growing number of websites and mobile apps targeted at ever-younger internet users and the lack of specific data protection rules that would take into account the unique needs of children as data subjects. Apart from providing an incentive to improve for the websites and apps, in the wake of the EU data protection reform, the results of the sweep can provide impetus to crystalize the final position on the protection of children’s personal data online among the policy makers, especially as regards the requirements on parental consent to children’s personal data processing online. “EPA fully supports initiatives that aim at coordinating data protection effort at the international level, given that online privacy is by definition a global matter” (Paolo Balboni, Scientific Director of the European Privacy Association).

On 11-15 May, 29 data protection authorities from around the world carry out a joint review of websites and apps directed to children – a Global Privacy Sweep 2015. The aim of the sweep is to verify whether internet websites and apps targeted at or frequently used by children, seek parental consent before collecting children’s personal data, provide a privacy notice tailored to children’s understanding and facilitate the erasure of personal data provided by children. Combined results of this joined effort are expected to be published in fall this year. The initiative is coordinated by the Global Privacy Enforcement Network (GPEN), which aims to promote cross-border information sharing and enforcement of privacy laws.

In the previous years the GLEN sweeps focused on website privacy policies and apps collecting personal data. To the disappointment of many, sweepers around the world found that: in 2013 21% of the 1 883 websites and apps analysed had no privacy policy at all and in 2014 that 85% of apps examined failed to clearly explain how they collect, use and disclose personal data of their users. However, the previous sweeps are reported to continue to yield improvements and positive results for the internet users. Although normally the sweeps are aimed to get a broad overview of the existing problems in the online data collection practises and later used to raise awareness rather than to impose sanctions, data protection authorities may consider action against those who seriously violate the national privacy laws.

This year’s focus of the sweep reflects the concerns around a growing number of websites and mobile apps targeted at, or popular among, ever younger children and the lack of specific data protection rules that would take into account the unique needs of children as data subjects. In the wake of the EU data protection reform, the results of the sweep can be very informative and help to crystalize the final position on the protection of children’s personal data online among the policy makers. This could be especially true as regards the future requirements for privacy policies and even more in relation to parental consent to children’s personal data processing obtained online.

Although some websites, especially those designed for small children, have experimented with simplified information for users, in general privacy policies are known as being long, legalistic and barely understandable even for the adults of average intelligence. The results of the sweep, unfortunately, most probably will not surprise anyone much in this respect. In relation to this, at least, there seems to be a strong agreement among the EU institutions that in the future General Data Protection Regulation data controllers should be bound by an explicit obligation to use a clear and audience-appropriate language in their privacy policies, in particular applying this requirement to children.

The findings on parental consent could be much more ground-breaking. In the EU, the rules on legal capacity to consent to data processing operations are fragmented and unclear. Each Member State can set their age limits until which parental consent in data protection is required (varying from 14 to 18) and foresee how valid consent from minors should be obtained. Only a few Member States have an explicit age threshold for a valid consent of a minor established in laws, many rely only on recommendations or guidelines from the DPAs, which favor different degrees of protectiveness and apply different tests (e.g. require to evaluate the capacity of the child, evaluate specific data collection circumstances). This situation can hardly be expected to change with the General Data Protection Regulation. Although the European Commission in its draft devoted a dedicated article to children (following the example of COPPA in US) which requires parental or custodian consent for those below 13 years of age when an information society service is offered directly to them, the future of this provision is more than unclear due to the current disagreements in the Council on the text. According to the latest drafts published by the Latvian Presidency, more and more Member States would rather prefer to avoid making the rules on children’s consent instead of strengthening them. Many advocate to have the article on children’s consent deleted or watered down to a provision on child protection in some other form, for example child protection in relation to profiling. This would leave the current state-of-the-art unchanged: no clarity and harmonised age threshold in the European Digital Market on when children can consent to their data processing themselves and to which extent their consent is valid. Therefore, it would be very interesting to know not only how many websites and mobile apps used by children actually gain parental consent, but also to explore how their developers interpret and comply with the diverging national requirements on consent. Also, some light could be shed on how valid is parental consent in different online environments, how (effectively) it is verified and if consent remains verifiable through time, as well as if such verification leads to unnecessary additional personal data processing. These questions are particularly relevant given the academic research findings that demonstrate how easily parental restrictions are circumvented, how often under-age users provide a false age online in order to access restricted services and how parents assist their young children in circumventing age restrictions on adult websites.

Finally, hopefully the sweep will substantially touch not only the websites that are directed to children, but also websites with mixed audiences, as they are the ones to generate major privacy concerns and anxieties. Various studies in Europe and North America report that from a broad range of websites that children nowadays use, the most favourite websites are often not directed or targeting children (at least not those under 13), such as Youtube, Facebook, Google. Many of such websites claim in their terms of use that their services are not intended to those under 13, even if in practise young children are active there in substantive numbers. As a result, the young “unauthorised users” are treated as adults and presented the same information and privacy settings, without any consideration of their particular needs, online behaviour and risks of the online environment.