Websites and mobile applications that appeal to children are often not taking adequate steps to protect kids' privacy, according to a global investigation.
Organizations in 21 countries, including the Office of the Privacy Commissioner of Canada (OPC), carried out the privacy sweep in the spring, examining the apps and websites most popular among children in each country. The results released on Wednesday were not encouraging.
The study found many websites and apps examined in the sweep are collecting personal information – including sensitive material such as photographs, full names, genders, ages and hometowns – and sometimes sharing it with third parties or failing to prevent it from becoming public. (In Canada "children" are defined as those under 12.)
In Canada, 62 per cent of websites and apps examined "mentioned that they may disclose personal information to third parties," the OPC said.
"These are fairly high percentages of websites that collect information and share it with others," privacy commissioner Daniel Therrien said in an interview on Wednesday. "It's an issue of concern."
The sweep was done by the Global Privacy Enforcement Network, which includes privacy organizations in the United States, the United Kingdom, China, Germany, France, Mexico and other countries. It looked at 1,494 apps and websites in total; Canada's team examined 172.
The sweep looked at not just which sites and apps collected personal information, but whether they kept data collection to a minimum – asking for only what was necessary to create an account, for example. The sweep also assessed whether children are prompted to have a parent or guardian supervise their registration, and whether privacy policies were stated in a way that would help children understand the terms of service, such as simple language or animated characters.
As children increase their use of websites and apps to chat with others, play games, or join fan groups of their favourite stars, privacy is a growing concern.
In March, the OPC announced an investigation of the popular Webkinz.com website, and found it was not made clear enough to child users that their parents needed to agree to the terms of service before they could register. The Ontario-based company Ganz operates the website, and agreed to all of the OPC's recommendations to improve its privacy protections.
The problem is not limited to content aimed specifically at children. The OPC found that many of the most popular apps and sites frequented by kids were not designed with them in mind – such as sports-related websites.
"Companies that have sites not necessarily directed squarely at children know that children consult them, and they should behave accordingly," Mr. Therrien said. While parents should monitor their children's activities, he added, owners of apps and sites also need to take responsibility, whether or not they focus on children. "They should ensure that they take reasonable measures to protect the privacy of children. … To say that the responsibility belongs only to parents is simply not acceptable."
The OPC has published tips for companies on responsible ways to collect children's personal information, a tip sheet for parents and children, and a classroom lesson for teachers who want to educate students in digital privacy.
The organizations involved in this global sweep intend to instruct app and website operators on protecting children's privacy. In some cases, they may enforce changes.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the use of personal data in commercial activities. The federal law requires consent for organizations to collect personal information, use it in any way, or pass it on to others. It also requires that the people giving consent essentially understand what they are doing and how their information will be used.
"It is problematic to determine whether the child is providing informed consent for the collection of the information, and moreover for the use of the information – for instance, for advertising purposes," Mr. Therrien cautioned. "Companies that collect information about children, particularly young children, should have great doubts that they are collecting information – and then sharing it – with the consent of the child."
The good and the bad
The Office of the Privacy Commissioner of Canada provided examples of findings from its sweep that show some sites and apps are doing things right, and where there is room for improvement.
- Family.ca and Lego.ca: Both websites are targeted at children, and were lauded for moderating their message boards and filtering out personal information. The sweepers posted a message on Family.ca with details including a full name, age and hometown. One day later, the message was posted, but the user name was shortened so that the full name did not appear, and other sensitive details were removed. Lego.com’s moderator rejected the message, asking the user to resubmit it without personal information.
- PBSkids.org lets users create online identities, but offered only pre-set, generic avatars. Users could not upload personal photos.
- The Grimm’s Red Riding Hood app included a “parent centre” where parents could change settings to disallow certain features such as in-app purchases.
- Pottermore.com, a website for Harry Potter fans, had users choose from a list of screen names, and did not allow personal names. It also required parents’ approval before children could set up an account. (But the OPC questioned why it required entering a number of personal details in the process.)
- FIFA.com is not made for children, but is popular among them. It moderates its site, but sweepers were able to post a message with a full name, age (10) and home city.
- Santasvillage.ca, which appeals to children, offered a $5 coupon and a place on “Santa’s nice list” in exchange for a user’s full name and an e-mail where it could send advertising offers.
- Children love their pop stars. But both TaylorSwift.com and JustinBieberMusic.com – the stars’ official websites – made it very complicated to delete personal information once entered. The Biebs asked for a physical letter sent through the mail to do so; sweepers could not find the online form that the site said was another option. Sweepers also had trouble locating the personal information controls on Tay-Tay’s site.
By the numbers
- 1,494: Total number of apps and websites assessed in the global privacy sweep
- 172: Popular apps and websites assessed in Canada
- 62 per cent: Proportion of the websites and apps popular in Canada examined by the OPC that stated they might share users’ personal information with third parties
- 29 per cent: Proportion of the sites and apps that sought parental consent before collecting children’s information
- 13 per cent: Proportion of apps and sites that offered parents control over some privacy settings
- 62 per cent: Websites and apps that included links – such as in ads or notices of contests – that, if clicked, could take kids to other sites with a variety of privacy policies
- 30: OPC staff involved in the sweep
- 9: Children of OPC staff who were invited to share their feelings about the findings
- 77 per cent: Proportion of the websites and apps that were specifically aimed at kids, which sweepers said they would be comfortable allowing a child to use
- 46 per cent: Portion of the sites and apps not aimed specifically at kids, but still popular among them, about which sweepers said the same