On May 11th, 2015, several Data Protection Authorities ("DPAs"), including the French Data Protection Authority ("CNIL"), the UK's Information Commissioner's Office ("ICO") and Canada's Office of the Privacy Commissioner, issued a press release announcing an imminent Internet Sweep Day of websites and mobile apps specifically targeting minors.
When will the Internet sweep take place?
The Internet Sweep is due to take place from May 12 to 15 this year.
Who will carry out the sweep?
This Internet Sweep is an initiative of the Global Privacy Enforcement Network ("GPEN") and will be conducted in a combined and coordinated manner by 29 data protection authorities around the world in 20 different countries. This Internet Sweep follows previous actions that were taken by GPEN last year against websites and mobiles apps.
Each DPA taking part in the sweep will verify a number of websites available in their respective countries. For example, both the CNIL and the ICO announced that they would verify 50 websites and apps targeting a young audience.
Which websites and apps are being targeted?
The types of websites and mobile apps that will be audited are those that either target specifically minors and children, or are frequently used by individuals from this age group. For example, the CNIL announced that it would target specifically child-directed websites, such as gaming sites or mobile apps, social networking websites, educational websites and school tutoring websites.
What is the purpose of the Internet Sweep?
The purpose of the Internet Sweep is to assess whether such websites and mobile apps collect any personal data from children, and if so, what measures are put in place to protect their privacy.
The aim of the Internet Sweep is also to raise the public and businesses' awareness on privacy-related issues concerning minors, to encourage compliance with existing privacy legislation, to identify concerns that may be addressed through targeted education or enforcement programs, and to enhance cooperation among the DPAs.
In particular, what will DPAs verify?
The DPAs will verify the types of personal data that are collected and whether the websites/ mobile apps:
- provide notice and explain the purposes for collecting personal data;
- contain privacy communications that are tailored to the age group at which they are directed (e.g., simple language, large print, audio and animation);
- raise their audience's awareness to privacy-related issues;
- seek parental consent; and
- facilitate the deletion of personal data that is provided by children.
What is the expected outcome of the Internet sweep?
As with previous Internet Sweeps, the DPAs will use a common grid to analyse the results of the sweep. The DPAs are expected to release a report of this Internet Sweep in the Fall 2015, which will summarize the findings of the DPAs and provide a global overview of the privacy practises on websites/mobile apps, as well as specific issues in some countries.
Furthermore, the information gathered during this Internet Sweep may be used by the DPAs to conduct enforcement actions in their respective jurisdictions. The manner in which a DPA verifies compliance and carries out enforcements measures against companies (such as reaching out to a company or conducting an on-site inspection) will vary depending on the enforcement powers of each DPA under national law.
What this tells us is that DPAs are better organized and better coordinated at an international level to inspect companies. Although GPEN has no enforcement powers at a global level, it is being used increasingly as a platform by DPAs from all parts of the world to communicate amongst themselves, share information about privacy practices and coordinate their enforcement actions at a national level. This also tells us that online activities continue to be the number one priority for DPAs in terms of privacy compliance as illustrated by the increasing number of Internet Sweeps in the last two years, whether they involved websites, mobile apps or cookies.
What should companies do to remediate the risk of enforcement actions?
Therefore, companies should not wait until they are being investigated to put their house in order. Some basic steps can be taken to make sure you comply with the privacy requirements:
- Audit your websites/apps to find out what types of personal data is being collected;
- Make sure the data is being processed for clearly defined and limited purposes;
- Make sure you obtain prior consent from a parent or legal guardian where a website/app is specifically targeting a young audience.
By Olivier Proust, Of Counsel (firstname.lastname@example.org)
For further information, the CNIL's press release is available (in French) here.
The ICO's press release is available here.
The Office of the Privacy Commissioner's press release is available here.