Global Privacy Sweep Highlights Growing Expectations for Children's Privacy Online

Children's privacy is once again the focus of attention from privacy authorities. The Office of the Privacy Commissioner of Canada (OPC), along with data protection and privacy authorities from around the world, recently released the findings of the 2025 Global Privacy Enforcement Network (GPEN) Sweep (the Sweep). The Sweep examines how websites and mobile applications (apps) that are used by children handle personal information of minors. The findings of the report are compared to those illustrated in a 2015 sweep to show changes over the last decade and highlight the concerns of the privacy authorities. Although the Sweep is not a legally binding document, this report states that the identified concerns may inform future guidance, targeted outreach and enforcement activity.

Background

The OPC, the United Kingdom Information Commissioner's Office and the Office of the Data Protection Authority of the Bailiwick of Guernsey coordinated the Sweep. In total, 879 websites and apps were assessed against five indicators: (i) Age assurance; (ii) Collection of children's data; (iii) Protective controls; (iv) Account deletion; and (v) Other overall concerns. This Sweep builds on a 2015 GPEN sweep, allowing regulators to observe how practices relating to children's privacy have evolved.

Federal Privacy Commissioner Philippe Dufresne has framed the Sweep as part of the OPC's overarching commitment to champion children's privacy, which has been a key strategic focus for Canadian privacy authorities. This focus has been demonstrated through coordinated regulatory action, including a 2023 joint resolution adopted by federal, provincial and territorial privacy commissioners, which calls for prioritizing the best interests of young people in privacy matters.

In 2025, the OPC launched several initiatives aimed at strengthening youth privacy protections, including the creation of a Youth Council and a public consultation on the development of a children's privacy code. Key findings of the public consultation emphasized treating children's personal information as sensitive, the need to integrate privacy by design, implementing tailored consent mechanisms for children, enhancing transparency and strong privacy protections by default for digital spaces occupied by children.

The OPC's commitment to children's privacy has also been reinforced through enforcement activity. Most notably, in 2025, the OPC, the Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Information and Privacy Commissioner of Alberta conducted a joint investigation into TikTok. This investigation evaluated the platform's handling of children's personal information (please visit our previous blog post, Joint Privacy Commissioner Investigation of TikTok Key Take-Aways, for more information). In addition, in 2026, the OPC collaborated with provincial privacy authorities on a joint investigation into OpenAI's ChatGPT, highlighting concerns about the overcollection of personal information, including data relating to children. While ChatGPT is not explicitly targeted at children, the findings underscored that children’s personal information was still affected, prompting OpenAI to commit to implementing additional privacy measures, including strengthened protections specifically for children.

During Privacy Awareness Week 2026, the OPC introduced new age assurance guidance for websites and online service providers and for age assurance developers. These guidelines state that they are intended to foster a safer and more appropriate online experience for children. Public feedback on the guidance documents will be accepted until August 4, 2026.

Key Findings from the Sweep

Age Assurance

The use of age-assurance mechanisms is increasing significantly as compared to the past decade, with approximately 45% of the reviewed websites and apps incorporating some form of age gating. Despite this, the privacy authorities identify their concerns surrounding the effectiveness of these measures. In 72% of these websites and apps, reviewers were able to easily bypass age-assurance controls. This occurred most often when platforms relied on self-declaration of age. The privacy authorities flagged this practice as particularly troubling where platforms allowed access to inappropriate content or utilized high-risk data processing.

Collection of Children's Personal Information

A substantial portion of the reviewed websites and apps required children to provide personal information to access the full functionality of the platform. The most commonly collected information included email addresses (59%), usernames (50%), and geolocation information (46%). The privacy authorities observe an overall increase in the collection of certain types of personal information compared to 2015, such as names, phone numbers, addresses and photos or videos. At the same time, a significant number of platforms stated in their privacy policies that they did not knowingly collect children's personal information. This included services that were viewed as being targeted at children, as well as platforms not directed at children but reportedly widely used by them. Despite the statements regarding not knowingly collecting children's information, many of the websites and apps continue to mandate the collection of personal information such as names, email addresses, usernames and uploaded media.

Protective Controls and Design Safeguards

The privacy authorities assert that protective design measures were not evenly applied across platforms, particularly those that featured "high-risk processing activities" or design elements that were directed at children. Among the websites and apps which were viewed as having "high-risk data processing" and design features for children, only 35% included privacy communications that prompted parental involvement, and 25% offered parental dashboards. For the websites and apps that featured potentially inappropriate content, only 35% had privacy communications that prompted parental involvement and 27% had parental dashboards. The scope of what the privacy authorities consider in their categorization of "high risk" is identified in item #5 below. These findings suggest that, even where there are identifiable heightened risks, compensating safeguards may have been limited or absent.

Account Deletion

The privacy authorities note improvement in account deletion mechanisms since 2015. Approximately 64% of the reviewed websites and apps provided an accessible way for users to delete accounts, compared to 29% in 2015. However, the privacy authorities also highlight that clarity and ease of completing the deletion process continue to play an important role in assessing whether deletion tools are effective in practice.

Other Overall Concerns: Inappropriate Content and "High-Risk Data Processing"

The privacy authorities report inappropriate content (e.g., materials related to self-harm, bullying, abuse, or hate) on 35% of the reviewed platforms, and such content was often accompanied by high-risk design features (i.e., behavioural profiling mechanisms were present alongside self-harm content in 60% of cases and eating disorder content in 58% of cases). Taking these factors together, the privacy authorities expressed that they were not comfortable with children using 41% of the reviewed websites and apps, an increase from 30% in 2015. This finding underscores the growing concern that privacy and safety protections may not be keeping pace with digital service design and data practices.

Looking to the Future

For organizations offering digital products or services that are used by children or are popular with a younger audience, the Sweep offers several practical lessons:

• Age assurance should be meaningful: Self-declaration alone may be insufficient, particularly where content or processing carries higher risk. The above-noted age assurance guidance may help organizations align with best practices. These organizations should also consider participating in the consultation process to help shape the future regulatory landscape.
• Transparency must be accessible: Privacy communications should not only be understandable to children and their parents or guardians, but they should be easily accessible. This may include ensuring that there is a specific repository of information (e.g., parental dashboard).
• Utilizing account controls should not be laborious: Beyond ensuring that account controls are accessible, performing the function of the tool should not be a laborious or convoluted process (e.g., easy to use account deletion tool).

If you have any questions about how the findings of the Sweep or other recent developments relating to children's privacy in Canada that may affect your organization, the Bennett Jones Privacy & Data Protection group is available to assist.