An international privacy ‘sweep’ has illustrated how simple, child‑friendly design choices on websites and mobile apps can make a real difference in protecting children’s personal information online.
It was carried out by the Global Privacy Enforcement Network (GPEN) and involved 27 data protection and privacy authorities, including the Office of the Data Protection Authority of the Bailiwick of Guernsey (ODPA) and the Jersey Office of the Information Commissioner (JOIC). The ODPA was a coordinator for the Sweep alongside the Office of the Privacy Commissioner of Canada and the UK Information Commissioner’s Office.
Nearly 900 websites and apps used by children were reviewed. Some of these services are designed specifically for children, while others are aimed at a general audience but are popular with children.
Participating authorities looked at how these websites and apps collect and use personal information, how clearly they explain their privacy practices, whether they use age‑assurance measures, and whether they limit the amount of personal data collected. The sweep repeated a similar exercise carried out in 2015, allowing authorities to compare how children’s privacy is protected now with how it was protected 10 years ago.
Overall, the sweep identified several positive practices, including:
- prompts discouraging children from using real names or uploading images;
- enhanced parental controls where offered; and
- location‑sharing settings being switched off by default.
However, the sweep also highlighted areas of concern. Compared with 2015, more online services now require users to provide personal information to access full functionality. More services also state in their privacy policies that they may share personal information with third parties. These developments can increase privacy risks for children if not carefully managed.
The use of age‑assurance mechanisms has increased since 2015, but the sweep found that these measures can often be easily bypassed. This was of particular concern where websites or apps contained inappropriate content or involved high‑risk data processing or design features for children.
Bailiwick of Guernsey Data Protection Commissioner Brent Homan said: “We were honoured to help coordinate this year’s global sweep, and the headline findings are striking. 41% of swept services were assessed by our participants as not suitable for children. Despite an increase in age assurance mechanisms – now used by 45% of services, the majority could be easily circumvented. That said, the results do reveal some positive practices including the limited use or collection of real names or photos by certain sites built for children”.
The ODPA reviewed 35 platforms, a mix of websites and apps used by children in the Bailiwick. Half were specifically targeted at children. A further 38% were platforms not designed for children but known to be popular with them.
“Our local sweep results track the global picture closely – and in some respects go further,” said Commissioner Homan. “Of the platforms we swept, which included both global and local sites, over half still collected geolocation data from children on a mandatory basis. Restricting location information to family and friends reduces the risk that our children’s location can fall into the hands of malicious actors.”
Jersey Information Commissioner Paul Vane said: “Championing and protecting children’s privacy sits at the very heart of the Jersey Data Protection Authority’s strategic priorities. Joining forces with international partners for this global privacy sweep reinforces our commitment to helping to foster a safer digital environment to protect children’s personal information by setting clear standards for organisations, promoting responsible design of digital services, and taking strong enforcement action where risks to children are identified.
“Furthermore, our strategic priorities for 2026 to 2028 also set clear standards for the responsible local use, development and deployment of AI-driven technologies by setting clear standards in terms of our expectation of compliance with data protection laws and principles as well as helping to strengthen organisations’ personal data security and cybersecurity protections through clear guidance to ensure the ongoing privacy and safety of Islanders’ personal data.”








