2025 Global Privacy Sweep examined Websites and Apps used by Children

An international privacy ‘sweep’ which involved 27 data protection and privacy authorities from around the world, including the Jersey Office of the Information Commissioner, has found implementing child friendly practices when designing websites and mobile applications can strengthen the protection of children’s privacy online.

The global sweep, carried out by the Global Privacy Enforcement Network (GPEN), examined almost 900 websites and apps that are used by children. While some are designed for children’s use more specifically, others are used by the general population but are popular with children.

Those taking part in the sweep looked at the mechanisms and practices relating to the collection of personal information, as well as transparency, age-assurance and data collection. By replicating a children’s privacy sweep that was conducted by the GPEN in 2015, participating authorities were able to compare how online services protected children then and now.

Overall, sweep participants observed good practices to protect children and their personal information, such as notifications advising children not to use their real names or upload images, as well as having location sharing disabled by default. However, participants also noted practices that raised concerns about children’s privacy, and that some risks may have increased over the last ten years. For example, compared to 2015, more of the online services used by children now require users to provide their personal information to access the full functionality of the platform. In addition, more platforms indicated in their privacy policies that they may share personal information with third parties.

With regard to the use of age assurance mechanisms to restrict children’s access or interaction with online services, participants noted that these had increased, but that such measures could be easily circumvented, a particular concern in instances where websites and apps had inappropriate content or high-risk data processing and design features for children.

The privacy sweep is not an investigation, nor is it intended to conclusively identify compliance issues or legal contraventions. However, concerns identified during the sweep could support targeted advice and engagement with organisations or enforcement actions in the future.

This year’s sweep was coordinated by the Office of the Privacy Commissioner of Canada, the United Kingdom Information Commissioner’s Office, and the Office of the Data Protection Authority of the Bailiwick of Guernsey.

Jersey Information Commissioner Paul Vane said: “Championing and protecting children’s privacy sits at the very heart of the Jersey Data Protection Authority’s strategic priorities. Joining forces with international partners for this global privacy sweep reinforces our commitment to helping to foster a safer digital environment to protect children’s personal information by setting clear standards for organisations, promoting responsible design of digital services, and taking strong enforcement action where risks to children are identified.

Furthermore, our strategic priorities for 2026 to 2028 also set clear standards for the responsible local use, development and deployment of AI-driven technologies by setting clear standards in terms of our expectation of compliance with data protection laws and principles as well as helping to strengthen organisations’ personal data security and cybersecurity protections through clear guidance to ensure the ongoing privacy and safety of Islanders' personal data.”

Sweep participants evaluated the websites and mobile applications based on five indicators, which largely mirrored those from the 2015 sweep.

For each indicator, the sweep found:

• Age assurance: For 72% of websites and mobile applications reviewed, participants were able to circumvent age assurance measures, most often where self-declaration was used.
• Collection of children’s data: More than half (59%) of the websites and mobile applications required the collection of an email address to access the full functionality of the platforms, followed by 50% requiring usernames, and 46% requiring geolocation. Overall, participants noted an increase in the collection of certain types of information compared to 2015.
• Protective controls: 71% of the websites and mobile applications did not have information about protective controls and privacy practices that were tailored to children.
• Account deletion: More than one third (36%) of the websites and mobile applications did not provide an accessible way to delete accounts.
• Inappropriate content and high-risk design features: Only 35% of the websites and mobile applications identified as having high-risk data processing and design features for children had privacy information, such as a pop-up, directing a young person to seek permission from their parents to continue using the website or app.

The Global Privacy Enforcement Network was established in 2010. The network’s aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members work together to strengthen personal privacy protections in this global context. The informal network is comprised of more than 80 data protection and privacy authorities from around the world.

The privacy sweep is an annual initiative aimed at increasing awareness of privacy rights and responsibilities, encouraging compliance with privacy legislation, and enhancing cooperation between international data protection and privacy authorities.

You can read the full Global Privacy Enforcement Network’s Sweep Report here.