Hacked off

Jeremy Morton

January 23rd 2016 at 8:44AM
UPDATED February 1st 2016 at 12:14PM
In the wake of hackers targeting VTech’s Learning Lodge, Harbottle & Lewis’ Jeremy Morton asks if it’s time for toy firms dealing in apps, kids’ sites and online worlds to review how they handle data protection.

The UK Information Commissioner’s Office, reporting the findings of an international review of children’s websites and apps, says that it is considering enforcement action against several businesses under data protection laws.  

The announcement coincided with last autumn’s publication of findings by the Global Privacy Enforcement Network (GPEN), an organisation comprised of 43 countries’ privacy enforcement authorities.

The aim of GPEN’s ‘sweep’ of children’s privacy was to review the online collection of personal data from children, and the adequacy of protective controls.  

The exercise included the UK, France, Germany, Ireland, the US and 14 other countries, all of which protect children’s personal data by law.  

For example, in the US, controls are imposed under the Children’s Online Privacy Protection Act (COPPA). In the UK, the scope of data collection and processing must be fair and not excessive, and must be justified as necessary (unless covered by adequate consent, which is always tricky when it comes to children’s data).  

Information must also be kept securely, an issue highlighted when VTech recently announced that its app store database, Learning Lodge, had been hacked. Other recent data breaches have resulted in substantial fines.  

A new, EU-wide ‘General Data Protection Regulation’ is likely to be finalised in coming months, imposing additional controls.  

GPEN looked at almost 1,500 sites and apps, of which around 1,000 collected personal data.  

Whilst around 30 per cent of those had effective controls in place, more than 600 sites left the authorities ‘uncomfortable’. These included sites expressly aimed at children and other sites that are popular with children.

The concerns included:

  • Inadequate, non-existent or over-complex privacy policies.
  • Collection of unnecessary and wide-ranging information, including full birth date, phone number, and photos or videos.
  • Lack of monitoring to avoid children disclosing unnecessary personal information. For example, in the case of a website inviting children to share their drawings, failing to check that the drawings did not include information such as name and address.
  • Confusing language.
  • Lack of encouragement of parental involvement, and inadequate or non-existent age verification.  Also, some sites that are obviously popular with children merely claimed that they were not aimed at children, without implementing any controls.
  • Disclosing user information to third parties, often for ‘vague or unspecified purposes’.
  • Redirection of users to other websites via advertisements or contests, often appearing to be part of the original site. Many of the advertisements on sites popular with children were also inappropriate, such as ads for dating sites or alcoholic drinks.

Some sites were praised for their approach.

Best practice tips included the use of avatars to navigate sites, warnings to children against using their real names, or a chat function only allowing words and phrases from a pre-approved list.  
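
The pre-approved-list chat function mentioned above can be implemented as a strict allowlist filter. The following is an added illustration, not code from the article or from any of the sites GPEN reviewed; the vocabulary, function names and sample messages are constructed for the example. The design point is that the message shown to other children is rebuilt only from matched approved phrases, so a name, address or phone number in the original text can never slip through: any token that fails to match causes the whole message to be rejected rather than partially forwarded.

```python
# Allowlist chat filter: only words and phrases from a pre-approved list are ever
# relayed. Added example; the phrase list below is a constructed placeholder.
APPROVED = [
    "hello", "hi", "thanks", "good game", "well played", "let's play",
    "nice drawing", "bye", "yes", "no", "cool",
    "my favourite colour is", "blue", "red", "green",
]

# Index approved phrases by their token tuples; the longest phrase bounds the
# lookahead used by the matcher.
_PHRASES = {tuple(p.split()): p for p in APPROVED}
_MAX_LEN = max(len(t) for t in _PHRASES)

_PUNCT = ".,!?;:\"'()"


def tokenise(text):
    """Lowercase, split on whitespace and strip surrounding punctuation.

    Digits and other characters are deliberately kept inside tokens so that
    something like "0121" or "j0hn" can never match an approved word; the
    message is then rejected instead of being silently sanitised.
    """
    tokens = (t.strip(_PUNCT) for t in text.lower().split())
    return [t for t in tokens if t]


def filter_message(text):
    """Return the canonical rendering of `text` built only from approved
    phrases, or None if any part of the message is outside the list.

    Greedy longest match: "good game" is tried as a phrase before "good" on
    its own, so multi-word phrases are preferred over their parts.
    """
    tokens = tokenise(text)
    if not tokens:
        return None
    out, i = [], 0
    while i < len(tokens):
        for n in range(min(_MAX_LEN, len(tokens) - i), 0, -1):
            phrase = _PHRASES.get(tuple(tokens[i:i + n]))
            if phrase is not None:
                out.append(phrase)
                i += n
                break
        else:
            # Unapproved token (a real name, street, number, unknown word):
            # reject the whole message rather than forward a stripped version.
            return None
    # Output is rebuilt from the approved phrases, never from the raw input.
    return " ".join(out)


if __name__ == "__main__":
    # Constructed sample messages, including ones carrying personal details.
    for msg in ["Hello! Good game", "hi 12345",
                "Hi, I'm John from 12 High Street", "My favourite colour is blue"]:
        print(repr(msg), "->", filter_message(msg))
```

Because the relayed text is reconstructed from the allowlist, the filter is fail-closed by construction: the only way to leak a detail is to put it on the approved list. This is why the GPEN sweep singled out the approach as good practice, compared with blocklist-style filters that try to spot names and addresses after the fact.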

The better sites also provided straightforward means for deleting account information, which is strongly encouraged by data protection authorities.

Liability for compliance with data protection laws rests with the party controlling the use of the information, even if they outsource the collection or handling of data.  

It is important to build in data protection assurances when negotiating terms with any provider of data-handling services, as well as taking responsibility yourself for your customers’ data security.  

User terms and conditions should be clear about how and why you will use personal information. And data privacy best practice should be built into website and app design from the start.  

This often begins with allocation of responsibility to a senior individual in your organisation, and implementation of an appropriate data protection policy within the business.

With data protection authorities now considering action against specific sites and apps as a result of the recent sweep, is it time to review your data protection compliance?