19 Sep 2016

Children’s Privacy Sweep yields positive changes


So whatever happened with that Children’s Privacy Sweep, you ask?

Before we delve into the results of the 2016 Internet of Things Sweep—look out for them very soon—we thought we should update you on the outcome of our discussions with developers behind the mobile applications (apps) and websites we raised concerns about in a blog post and/or letters issued last fall.

As you may remember, the Office of the Privacy Commissioner of Canada assessed the privacy practices of 172 mobile apps and websites, either targeted directly at children or considered popular among them, as part of the Global Privacy Enforcement Network’s annual Privacy Sweep.

We raised concerns about the sheer volume of personal information being collected from children, including sensitive data such as photos, videos and location. We found many companies failed to provide adequate protective controls to limit collection and often provided links redirecting children to other sites with different privacy protection practices and sometimes questionable content.

We pointed to a number of best practices and areas for improvement and ultimately wrote to 13 targeted apps and websites and 16 popular ones to explain our concerns in a bid to effect positive change. We heard back from eight of those targeted at children while just four popular sites got back to us.

Of those targeted at children, three elaborated on their privacy practices and clarified that they were either not collecting information as described in their privacy communications or that they did indeed have parental controls.

Five targeted sites said they’d made positive changes as a result of our letter and their subsequent review of their privacy practices.

YTV.com is a prime example. The website belonging to the specialty TV channel raised concerns around collecting the full name, age, postal code, phone number and email address of children who sign up for a contest.

The company says it’s since stopped collecting the information from children and will instead ask for the parent or guardian’s particulars. The company said it would delete the information 120 days after the close of a contest.

In response to our concerns that kids could be redirected to third-party sites with inadequate warning, the company has addressed that with a child-friendly drop-down message that’s hard to miss.

Meanwhile, we didn’t even have to send a letter to one company that proactively made positive changes after seeing our blog post.

Santasvillage.ca originally made our naughty list for urging kids to hand over their full name and email address in order to receive contest details and other marketing materials. The company has since revised its site to make it clear that this section is for adults.

Unfortunately, three targeted companies didn’t respond and two letters were returned to us unread.

But while the response rate for targeted apps and websites was a respectable 83 per cent, the same cannot be said for those sites that are considered popular among children, but are geared to all ages.

Only four of the 16 popular apps and websites we wrote to responded. Bell Media, which is responsible for MuchMusic.com, was among the few that gave us something to sing about.

After we raised concerns, the company wrote back indicating they’d made a number of changes.

Bell added a check box to ensure underage users seek parental consent and reviewed existing profiles, deleting those of users under the age of 13 and those with incomplete date of birth information.

The company also added language explaining that usernames should not be real names and links to its Privacy Policy on all pages in which personal information was sought. The company is also now offering users a simple way to delete their profile.

FIFA also got back to us with a plan to review its digital platforms and what information is being collected by next year. As you might remember, our Sweeper was able to post publicly his age and location despite a note in the Terms of Service that the site was moderated. We also had concerns at the time about language in its Terms of Service that put the onus on parents to supervise children on the site.

Pending the completion of its review, the company says it will block access to its FIFA Club to users under the age of 18.

Websites and apps cannot abdicate responsibility for children who are obvious users just because they are geared at a general audience. Developers should know their users and if children are among them, there is an expectation that developers will take responsibility for protecting their privacy.

We urge developers to find innovative and technical solutions to protect children’s privacy on their sites and apps. These efforts could include the use of protective controls such as moderated chat and message boards to prevent the inadvertent sharing of personal information and the use of parental dashboards.

We also expect developers, who may be subject to privacy laws, to provide a proper means for deleting an account to ensure personal information is not retained indefinitely.

While we haven’t re-swept all the sites, we have noticed that some made changes quietly and we appreciate those efforts. We remain confident that public education and outreach can lead to positive change.

Stay tuned for the results of the 2016 Internet of Things Privacy Sweep in the days ahead!

