On May 11, 2015, the French Data Protection Authority (“CNIL”) and the UK Information Commissioner’s Office (”ICO”) announced that they will participate in a coordinated online audit to assess whether websites and apps that are directed toward children, and those that are frequently used by or popular among children, comply with global privacy laws. The audit will be coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”) from around the world.
In addition to the CNIL and the ICO, 27 other DPAs that are members of the GPEN will participate, including four German DPAs (the Federal Commissioner for Data Protection and Freedom of Information, the Data Protection Supervisory Authority of Bavaria, the Berlin Data Protection Commissioner and the Data Protection Commissioner of Hessen). View the full list of participating DPAs.
The joint effort will run from May 11 to 15, and will target child-directed websites and apps, such as gaming websites, social networking websites and educational websites. Specifically, the participating DPAs will verify whether the targeted websites and apps:
- Seek parents’ consent before allowing children to use the services offered or provide personal data;
- Raise public awareness regarding privacy;
- Provide a privacy notice tailored to younger audiences (e.g., clear language, animated images, etc.); and
- Facilitate the erasure of personal data provided by children.
As in prior years, the participating DPAs will use an analysis grid to obtain (1) a global picture of the privacy practices of child-directed websites and (2) details about practices common to particular jurisdictions. The DPAs intend to publish a combined report in Fall 2015.
The CNIL and the ICO have stressed that they could conduct further inspections and launch enforcement proceedings if their initial findings reveal serious breaches of applicable data protection law. Other DPAs participating in the joint audit may take similar action.