OAIC - Office of the Australian Information Commissioner

03/26/2026 | Press release | Distributed by Public on 03/25/2026 17:15

2025 global privacy sweep puts websites and apps used by children under the microscope

The results of the latest Global Privacy Enforcement Network sweep, published today, show risks to children's privacy have increased over the last decade.

The OAIC participated in the global sweep, which involved 27 data protection and privacy authorities from around the world, and examined almost 900 websites and apps that are used by children. While some are designed for children's use more specifically, others are used by the general population but are popular with children.

The sweep found that more than half (59%) of the websites and mobile applications required the collection of an email address to access the full functionality of the platforms, followed by 50% requiring usernames, and 46% requiring geolocation. Overall, participants noted an increase in the collection of certain types of information compared to 2015.

The sweep participants looked at these platforms' mechanisms and practices relating to the collection of users' personal information, as well as those relating to transparency, age-assurance, and to limiting data collection.

By replicating a children's privacy sweep that was conducted by this network in 2015, participating authorities were able to compare how online services protected children then and now. Compared to 2015, more of the online services used by children now require users to provide their personal information to access the full functionality of the platform. In addition, more platforms indicated in their privacy policies that they may share personal information with third parties.

The sweep, which took place prior to the Social Media Minimum Age scheme coming into effect, also looked at age assurance mechanisms. Sweep participants noted that these had increased, but that such measures could be easily circumvented - a particular concern in instances where websites and apps had inappropriate content or high-risk data processing and design features for children.

Quick facts

Sweep participants evaluated the websites and mobile applications based on five indicators, which largely mirrored those from the 2015 sweep.

For each indicator, the sweep found:

  • Collection of children's data: More than half (59%) of the websites and mobile applications required the collection of an email address to access the full functionality of the platforms, followed by 50% requiring usernames, and 46% requiring geolocation. Overall, participants noted an increase in the collection of certain types of information compared to 2015.
  • Protective controls: 71% of the websites and mobile applications did not have information about protective controls and privacy practices that were tailored to children.
  • Account deletion: More than one third (36%) of the websites and mobile applications did not provide an accessible way to delete accounts.
  • Inappropriate content and high-risk design features: Only 35% of the websites and mobile applications identified as having high-risk data processing and design features for children had privacy information, such as a pop-up, directing a young person to seek permission from their parents to continue using the website or app.
  • Age assurance: For 72% of websites and mobile applications reviewed, participants were able to circumvent age assurance measures, most often where self-declaration was used.

What's next

The privacy sweep is not an investigation, nor is it intended to conclusively identify compliance issues or legal contraventions. Concerns identified during the sweep could support targeted advice and engagement with organisations or enforcement actions in the future.

Children's Online Privacy Code

All individuals should have their personal information protected, particularly children who navigate the digital space and use online services. By adopting child-friendly practices, such as limiting the collection of personal information, designing services to be privacy-protective by design and by default, and using age assurance mechanisms appropriate to the level of risk on their platforms, organisations can contribute to children's well-being online.

To ensure children's privacy is protected when engaging in the digital environment, the Office of the Australian Information Commissioner (OAIC) is delivering on its mandate under the Privacy and Other Legislation Amendment (POLA) Act 2024 to take action to protect children's privacy online through the development of a Children's Online Privacy Code (the Code).

The Exposure Draft of the Code, which has been developed through wide consultation with children, young people, parents and carers, as well as industry, government, civil society, academic and other interested parties, will be released for a 60-day public consultation period on 31 March 2026.

These consultations will continue to seek the views of children, young people, parents and carers, as well as academic, civil society, government, and industry stakeholders, on the draft Code.

To keep up to date about developments on the Code and the upcoming public consultation, head to Children's Online Privacy Code.

About GPEN

The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development (OECD). The network's aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity rely on the seamless flow of personal information across borders. Its members work together to strengthen personal privacy protections in this global context. The informal network is comprised of more than 80 data protection and privacy authorities from around the world.

The privacy sweep is an annual initiative aimed at increasing awareness of privacy rights and responsibilities, encouraging compliance with privacy legislation, and enhancing cooperation between international data protection and privacy authorities.

This year's sweep was coordinated by the Office of the Privacy Commissioner of Canada, the United Kingdom Information Commissioner's Office, and the Office of the Data Protection Authority of the Bailiwick of Guernsey.

OAIC - Office of the Australian Information Commissioner published this content on March 26, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on March 25, 2026 at 23:15 UTC.