Naked Security

Children’s apps and websites raise privacy concerns

Members of the Global Privacy Enforcement Network say many kids' websites and apps collect and share too much personal information.


Earlier this year the UK Information Commissioner’s Office (ICO), along with 28 other data protection regulators from around the world, announced an investigation into how websites and apps – squarely aimed at children – were collecting and sharing personal information.

The results are now in.

In an announcement yesterday, the ICO explained how the overall picture painted by the international investigation was not a pretty one.

The group of watchdogs, collectively known as the Global Privacy Enforcement Network (GPEN), said 41% of the 1494 apps and websites it examined raised concerns over how data was being collected and shared with third parties.

The privacy sweep found many apps and websites were playing fast and loose with personal information – with just over 2 in 3 collecting children’s names and email addresses.

The ICO and its partners also discovered that only 31% of sites and apps were taking proactive measures to limit data collection from children.

Especially alarming, it said, was the number of child-centric services that excused their failure to implement additional safeguards against collecting kids’ data by disclaiming responsibility through privacy policies that stated they were not designed for use by minors.

Given the publicity attracted by recent high-profile data breaches and the consequences for those whose personal information was subsequently leaked, it may, perhaps, concern parents to learn that around half of the sites examined by GPEN were happily and willingly sharing their children’s data with third parties.

Also, considering the occasionally dark nature of the world we live in, anyone with responsibility for a child’s welfare may well not like the revelation that just under 1 in 4 sites and apps gave kids the opportunity to upload their photo or add video clips. 22% of the services looked at also allowed youngsters to hand over their phone numbers.

Sadly, despite the potential problems posed by allowing children to share too much data, only 24% of the tested apps and websites encouraged any sort of parental oversight.

What’s more, should a concerned adult discover that their offspring is revealing too much personal information, the options for remedying the situation are few and far between – with 71% of the investigated services making it difficult or impossible to delete accounts.

Adam Stevens, head of the ICO’s intelligence hub, said:

These are concerning results. The attitude shown by a number of these websites and apps suggested little regard for how anyone's personal information should be handled, let alone that of children.

Fortunately, it’s not all bad news – the ICO says the project did find some examples of websites and apps offering effective controls. The privacy regulator observed examples of good practice including parental dashboards, pre-configured usernames and avatars (which remove the temptation to enter identifying images and real names), as well as chat rooms which control the range of language permissible on the site, in addition to offering warnings when children attempted to input personal information.

Speaking for the ICO, Stevens said he hopes letters sent to the offending UK websites and app developers will be sufficient to persuade them to make the required changes. Should that not be the case, the Commissioner has not ruled out enforcement action where necessary – a breach of the Data Protection Act and its eight principles for data use, retention, storage and transfer could land a firm with a fine of up to £500,000 (approx $764,000).

The US Federal Trade Commission (FTC), another member of GPEN, is also making efforts to protect kids from unwarranted data collection and sharing.

In 2012, the FTC published a report which said that many kids’ apps were collecting far more data than necessary and then sharing it with third parties. This, it said, all took place without parents’ knowledge or consent.

More recently, in January 2014, the FTC came to a $32.5 million settlement with Apple after arguing that its app-buying process could have been much clearer.

In a similar settlement in September 2014, Google handed over $19 million to the FTC over claims that it was too easy for children to make in-app purchases.

If stories about child privacy concern you – and, if you are a parent, they probably should do – there is much you can do to protect your kids both on the internet and through the apps that they use.

A good place to start would be by educating yourself on where your kids go online.

Familiarise yourself with these 7 popular apps and websites that parents should be aware of. Also, while Facebook may not be the go-to place for teenagers, it is still worth checking out our safety tips for the world’s largest social network.

And, given the popularity of smartphones and tablets, these 10 tips for keeping devices secure may also prove useful.



I think it’s a mistake to be distracted into looking only at children’s apps and Web sites. Privacy is a huge problem generally and it is becoming increasingly difficult to preserve even a modicum of personal privacy if you go online at all. You only need to look at the things that apps demand to have access to on your phone and how difficult it is to find apps that don’t.


True… if we ask ourselves why we’re so interested in protecting children’s data, isn’t the obvious answer that they don’t know enough to protect themselves and don’t understand the ramifications of sharing PII?

…isn’t that the same for the vast majority of people?


I agree, although this is a subset of the general issue of permissions that (for example) Android M should allow us to take more control of. The article covers the more intentional collection and sharing of information, but we can exercise some basic behaviours and measures to limit their impact, so I’m less worried by this.

As a parent, I see lots of opportunities to fail much more fundamentally. My children aged 7 and 5 are very ‘tablet literate’ and love playing games such as Minecraft together. On holiday very recently we used the local resort WiFi to let them link their tablets only to find a very mixed (and surprisingly large) ‘community’ of others poised to enter their games and communicate in, let’s say, non age-appropriate ways. Luckily the vandalism of their ‘worlds’ was quick and sufficient for them to switch off within a couple of minutes and not want to go back online.

All this was predictable from a technical / security point of view, but it goes to show that even the more innocuous of apps poses a real risk when taken out of the safer home WiFi environment. Had there been no destructive penalty in the game, how long would they have read the screen for, would they have replied, and how long would it have taken to realise what was going on…

We vet and install everything they use ourselves, with great (I thought!) care. Better dashboards are very welcome, user-selectable permission approvals individual to functions should be the minimum standard for every app, including system ones, but I’m also left considering putting my children’s tablets on a VPN back home so I can better look after their internet access myself, wherever they take their tablets as they grow up. At least until either regulation or the public will drives a better compromise with the information farming advertisers, or we start choosing to pay for apps with cash rather than information.

