Insights Header image
Insights Header image
Insights Header image

Shining Light in Dark Places: GPEN Sweep Targets Children’s Mobile Applications and Websites

Sep 13, 2015 Publications 4 minute read

On September 2, the Privacy Commissioner of Canada (OPC) released the findings of the third annual Global Privacy Enforcement Network (GPEN) Privacy Sweep, which took place May 11-15, 2015. The GPEN Privacy Sweep assessed 1,494 mobile applications and websites and involved sweepers from 29 privacy enforcement authorities in 21 countries, including Canada. In Canada, the OPC Privacy Sweep reviewed 172 mobile applications and websites.

The GPEN Sweep focused on mobile applications and websites targeted to and/or popular with children. In this context, the Sweep assessed whether and to what extent such apps and websites:

  • collected personal information, including sensitive information;
  • provided protective controls, such as direct parental involvement and/or parental dashboards, to limit collection of personal information;
  • provided a simple means for deleting account information; and
  • caused concern with respect to use of the app or website by a child, either because information could be disclosed to third parties through use of the app or website, or a child could be easily redirected from the app or website.

The GPEN Sweep revealed that most of the mobile applications and websites assessed were actively collecting personal information, including some sensitive information, from children such as full name, address, phone numbers, and photograph, video or audio information, and sharing it with third parties. Furthermore, many of the apps and websites assessed failed to provide adequate protective controls to limit the collection of personal information from children and often redirected children to extraneous sites with different privacy protection practices and, in some instances, inappropriate content.

In Canada, the OPC Privacy Sweep found that two-thirds of the websites and apps swept included links redirecting children to other sites with varied privacy protection practices, often by means of an advertisement or contest icon that sometimes appeared to be part of the original site. In addition, two-thirds of websites and apps mentioned that they may disclose personal information to third parties. Overall, websites and apps targeted directly at children presented more privacy protective environments than those that were popular among children. Sweepers reported that they felt comfortable allowing a child to use 77 percent of the apps and websites swept that were specifically targeted at children; however, only 46 percent of apps and websites that were popular with children provided the same level of comfort.

Federal Privacy Commissioner Daniel Therrien recently identified enhancing privacy protection for vulnerable groups such as children and youth as a key priority of the OPC over the next five years. Further, June 2015 amendments to PIPEDA arising from enactment of the Digital Privacy Act have clarified the fundamental requirement that meaningful consent for the collection, use and disclosure of personal information must be obtained through the addition of a new “valid consent” requirement, such that consent is considered valid only if it is reasonable to expect that an individual understands the nature, purpose and consequences of the collection, use or disclosure. In announcing the amendments, the government explained the addition of the new requirements as a means to “…establish stronger rules to ensure that vulnerable Canadians, particularly children, fully understand the potential consequences when companies ask to collect and use their personal information. Companies will need to communicate these requests in clear and simple language for the target audience.” Given that PIPEDA has historically been silent on whether children can provide meaningful consent, recent government and regulatory interest in this area suggests that organizations collecting and using personal information from children, particularly in the digital space, must be increasingly and continuously vigilant in their consideration and communication of privacy issues.

The OPC’s blog identifies a number of mobile applications and website features and privacy practices that are appropriate for children and instructive in providing best practices examples and guidance to both those who use and those who develop mobile applications and websites:

  • Personal information should not be collected directly from children. Protective controls, like preset avatars, preset usernames, and chat functions that allow users to select words and phrases from a pre-approved list can be effective in preventing children from unintentionally divulging personal information online.
  • Moderated message/chat functions that ensure posts are screened for both content and personal information before they are published are preferred. Posts screened only for content but not for personal information can result in the inadvertent sharing of potentially sensitive information.
  • Parental dashboards, if used correctly and not as a vehicle for collecting additional personal information about the parent, child, or other household members, can be an effective means of controlling privacy settings by placing limits on the functionality of a mobile application or website.
  • Ease of deletion of account information is essential. Multistep deletion processes that involve multiple phone calls or e-mails, or privacy policies that are unclear regarding whether account information can or will be deleted are concerning, particularly if the information collected by the mobile app or website is sensitive or ubiquitous.
  • Redirection to external apps or websites through ads or contest icons that appear to be part of the originating app or website can be problematic, particularly if the external site employs different personal information collection practices or contains questionable content. Pop-up warnings displayed prior to redirection may also be helpful, depending upon the age group for whom the app or website is designed.

by Janine MacNeil, CIPP/C

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2015

Insights (5 Posts)

Featured Insight

Proposed Updates to Canada’s Anti-Money Laundering and Terrorist Financing Regime

Finance Canada's proposed changes relating to anti-money laundering and armoured car companies, mortgage lenders, and money service businesses.

Read More
Jun 7, 2023
Featured Insight

Net Benefit Reviews Under the Investment Canada Act – Some Practical Thoughts

Glencore plc’s recent approaches to the shareholders of Teck Resources has once again brought the Investment Canada Act into the spotlight.

Read More
Jun 6, 2023
Featured Insight

The Bureau Issues Final Enforcement Guidance on the New Criminal Prohibition on Wage-Fixing and No-Poaching Agreements

Providing insights on the Competition Bureau’s 2023 Guidelines describing the Bureau’s approach to wage-fixing and no-poaching agreements.

Read More
Jun 5, 2023
Featured Insight

The EU’s New Carbon Border Adjustment Mechanism in Action: Impacts on Canada and Beyond

The EU's new Carbon Border Adjustment Mechanism will take effect on October 1, 2023. McMillan explores the CBAM and its implications for Canadian trade.

Read More
Jun 5, 2023
Featured Insight

Competition Bureau Challenges Alleged Drip Pricing by Cineplex

The Competition Bureau commenced a proceeding against Cineplex for allegedly engaging in misleading advertising in the form of "drip pricing".

Read More
Jun 2, 2023