Most Apps Do Not Bother With Child Protection Image Source: Bogdan Ioan Stanciu on Flickr

I was 18 years old when I bought my first computer. As a child, I spent most of my free time at the playground. My parents were lucky too. All they had to worry about was the occasional playground injury. This, however, is not the case for today’s parents. In the EU, the proportion of households with dependent children that have access to the Internet is over 90%. At this point, one could enumerate the countless benefits of widespread Internet use. But this article will discuss one of the many risks that modern children face while surfing on the Internet. And that is the risk to their personal data.

On May 11, 2015, twenty nine data protection authorities from around the world agreed to cooperate in an international project that reviewed the privacy and data protection practices of websites and applications whose target group is children. The project was implemented under the umbrella of the Global Privacy Enforcement Network (GPEN), an informal network of privacy enforcement authorities that was created by OECD governments, in an effort to promote international cooperation in privacy matters. The results of this cross-border review are discouraging and they must serve as a reminder that raising a child in a technologically oriented world can be very challenging.

A. Collection of Personal Information

The Data Protection Authorities in various countries reviewed 1,494 websites and applications that were targeting children or were popular among them. On the bright side, 33% of them did not gather personal information at all. This is a strong indication that many websites and applications can offer their services without interfering with the children’s personal information. On the other side, 67% of them collected personal data, either as a compulsory or an optional requirement. In most cases, that data included the name of the young user. But a significant percentage would collect the address, phone number or even pictures. A particularly worrying feature that was observed through this review, however, was that 28% of the websites or applications included a chat function. This enables for the uncontrolled collection of any kind of personal data from children that engage with it. The anonymity of the visual environment often creates an artificial sense of security, which urges them to behave differently from real life. Hence, children might expose information about themselves that they normally wouldn’t, and very often they might not be aware of the identity of the person they are sharing this information with.

B.  Protective Controls to Limit the Collection of Personal Information

The small percentage (31%) of websites and applications that had effective controls in order to limit the collection of personal information is of real concern. As the UK Information Commissioner’s Office explains, an important number of websites or applications that were clearly popular among children, claimed in their privacy notices that they were not aiming at children, and thus avoided to implement further protective controls for the collection of personal data from young users. But where do parents stand in all of this? Apparently, only 24% of websites and applications requested some form of parental involvement. This is particularly alarming. The active engagement of parents in the online activities of children is being sidelined, when it should be encouraged. Parental involvement will limit the child’s exposure to unknown risks, which in turn will guarantee that the child enjoys an overall positive experience with the web. 

C. Deleting Account Information

An important point sometimes overlooked refers to the erasure of data. In this respect, the practices of the overwhelming majority of websites and applications are nothing but reassuring. According to the review, 71% of them did not offer a simple means for deleting account information. This is particularly problematic, since modern children use a plethora of websites and applications and they should be able, once they are no longer interested in their content or services, to delete their personal information. If they are not offered an easy way to do so, they are likely to abandon the effort soon. In this context, it is vital that children understand that their personal data are valuable, and that they should be removed from the web when the reason for providing them ceases to exist.

The results of this international audit have revealed that modern children are particularly vulnerable when it comes to the protection of their personal data. Admittedly, national Data Protection Authorities worldwide are taking effective steps to raise awareness towards this issue and their actions are welcomed. But their role should not end here. They have to promote the education of both children and parents on data protection matters, influence policy-making, and ensure that data controllers, such as websites and applications, are aware of their obligations.

At this point, it is worth noting that the draft General Data Protection Regulation (GDPR), whose final text has yet to be adopted,  includes a specific mention to children, according to which “children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data”. This is a step forward, since Directive 95/46, which is currently in force, does not refer to children at all. However, no matter how many articles or recitals of the draft GDPR are especially dedicated to children, the protection of their personal data will not be guaranteed if we do not raise awareness among children. The ultimate protection of their personal data, after all, rests on them.