Office of the Privacy Commissioner for Personal Data

03/25/2026 | Press release | Distributed by Public on 03/24/2026 21:17

Privacy Commissioner’s Office Joins Global Privacy Enforcement Network in Examining Websites and Apps Used by Children

Date: 25 March 2026

The Office of the Privacy Commissioner for Personal Data (PCPD) collaborated earlier with 26 privacy enforcement authorities around the world in carrying out the 2025 Global Privacy Enforcement Network (GPEN) Sweep under the theme of "Children's Privacy". The exercise examined almost 900 websites and mobile applications (apps) used by children, and a global joint report was issued today. The participating authorities included those from Australia, Canada, France, Macao SAR China, New Zealand and the United Kingdom.

The purpose behind the GPEN Sweep is to encourage organisations to comply with privacy and data protection legislation, while promoting cooperation between privacy enforcement authorities across the globe.

During the Sweep period between 3 and 7 November 2025, participating authorities examined 876 websites and mobile apps designed specifically for children or popular with them across multiple sectors, including education, gaming, social media, shopping, video streaming, health and fitness, music streaming, and photo editing. The Sweep evaluated these websites and mobile apps based on five indicators, namely (i) age assurance; (ii) collection of children's data; (iii) protective controls; (iv) account deletion; and (v) inappropriate content and high-risk design features, and compared the results to a similar sweep conducted by the GPEN in 2015.

The Sweep found that some platforms adopted good practices to protect children and their personal data, such as providing notifications advising children not to use their real names or upload images. However, it also found that some practices raised concerns about children's privacy, and that some risks may have increased compared with 2015. For example, more online services used by children now require users to provide their personal data to access the full functionality of the platform. Compared with 2015, there was an increase in the mandatory collection of certain types of children's personal data, including names (from 29% to 41%) and phone numbers (from 12% to 18%). Most platforms also indicated in their privacy policies that they may share children's personal data with third parties (from 51% to 85%).

The Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, fully supports closer collaboration of the global privacy protection community to protect the fundamental rights of children. Ms CHUNG said, "As the cognitive abilities of children are still developing, they may not fully understand their personal data privacy rights and are therefore more vulnerable to privacy risks arising from less privacy protective settings and design features of websites and mobile apps. Organisations should therefore ensure that the best interests of the child is the primary consideration in the collection, processing and use of children's data, and adopt privacy by design and by default to ensure that privacy protection measures are embedded from the very beginning of the design and development stages of products and services, with a view to enabling children to use online services safely."

The salient findings of the Sweep based on five indicators include the following:
  • Age assurance: 45% of websites and apps reviewed deployed some forms of age assurance, which represented an increase of 30% from 15% in 2015. For 72% of websites and mobile apps reviewed, age assurance measures could be circumvented, most often where self-declaration was used;
  • Collection of children's data: 96% of websites and mobile apps had privacy policies in place, while only 56% had the personal data collected set to private by default. More than half (59%) of the websites and mobile apps required the collection of an email address to access the full functionality of the platforms, followed by 50% requiring usernames, and 46% requiring geolocation. Overall, there was an increase in the collection of certain types of personal data, such as names (from 29% to 41%) and phone numbers (from 12% to 18%), compared with 2015;
  • Protective controls: 71% of the websites and mobile apps did not provide information about protective controls and privacy protective practices that were tailored to children;
  • Account deletion: More than one third (36%) of the websites and mobile apps did not provide an accessible way to delete accounts; and
  • Inappropriate content and high-risk design features: Bullying, abusive or hateful content was found in 15% of services, while sexual content appeared in 11% of services. Only 35% of the websites and apps identified as having high-risk data processing and design features for children had privacy communications, such as pop-up messages, directing children to seek permission from their parents to continue using the website or mobile app.

The participating authorities encourage websites and mobile apps, particularly those designed for, or popular with, children to adopt child-friendly and privacy-protective practices to contribute to children's well-being online, including the following:
(i) limiting the collection of personal data;
(ii) designing the services to be privacy-protective by design and by default; and
(iii) using age assurance mechanisms appropriate to the level of risk on their platforms.

Download the Sweep report:
https://www.pcpd.org.hk/english/resources_centre/publications/surveys/files/GPENSweep2026.pdf

The PCPD participated in a joint operation of the Global Privacy Enforcement Network (GPEN), and a global joint report was issued.

About Global Privacy Enforcement Network (GPEN)
Founded in 2010, the GPEN aims to facilitate cross-border cooperation among privacy enforcement authorities. The PCPD has been a member of the GPEN since 2014 and has continued to be a member of the Executive Committee of the GPEN since 2016.

Office of the Privacy Commissioner for Personal Data published this content on March 25, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on March 25, 2026 at 03:17 UTC.