International privacy sweep 2015 – is your house in order?
May 19, 2015
Last week, the Information Commissioner’s Office (“ICO”) announced that it was starting a review of 50 websites and mobile applications “targeted at children as well as those frequently used by children” to see if they comply with data protection and privacy laws.
The review is part of the Global Privacy Enforcement Network’s (“GPEN”) International Privacy Sweep 2015 involving approximately 20 countries* and 29 data protection authorities. Participating authorities from around the world will take a coordinated approach and release a joint report of their findings later in 2015.
This is similar to last year’s sweep carried out by GPEN on mobile apps (involving 26 enforcement authorities) and the earlier sweep on privacy policies (involving 18 data protection authorities). The increased participation shows that global cooperation on privacy issues is building.
What is the focus of the sweep?
The 2015 sweep will focus on the type and amount of information organisations collect from children, how that is explained, what parental permission is sought and how easy it is to delete the information collected.
Who is affected?
Any organisation with websites or apps directed at children or popular amongst children may be affected by the sweep. Examples include children’s entertainment sites, gaming apps, social networks and educational sites.
What is the impact?
Any concerns identified in the sweep will result in follow up action by the relevant authorities. The ICO has said that it will “consider action against any website or app that it finds to be breaking the Data Protection Act”.
This is clear example of data protection authorities working together “as if” the enhanced cooperation regime set out in the General Data Protection Regulation (“GDPR”) is already here and is a reminder that organisations should not be waiting for the GDPR to come into force before working on this.
What you need to be doing
If your organisation has websites or mobile apps targeted at children or frequently used by children, you should take action now to ensure that:
- your apps and websites are not gathering more personal data than they require;
- you are upfront and transparent about how and why you collect information and how you use it;
- you obtain appropriate consents; and
- you have mechanisms in place to delete information if requested.
Any organisation that hasn’t already done so should start thinking about adjustments that will need to be made to comply with the enhanced requirements of the GDPR so the business is in a good position when the GDPR finally comes into force.
If you need further advice on your obligations or how to respond to any enquiries from data protection authorities, please contact a member of our team.
*The countries reported to be participating in the sweep are: Argentina, Australia, Belgium, Canada, China, Colombia, Estonia, France, Germany, Gibraltar, Hong Kong, Ireland, Israel, Italy, Macao, Mexico, The Netherlands, New Zealand, Norway, Republic of Macedonia, United Kingdom, United States.