Children's privacy at greater risk as apps collect more personal data

More child-focused apps and websites are collecting personal data than around a decade ago, while key safeguards remain inconsistent, a global investigation joined by Hong Kong’s privacy watchdog finds.

Conducted from 3 to 7 November 2025, the 2025 Global Privacy Enforcement Network Sweep (GPEN)—together with Hong Kong’s Office of the Privacy Commissioner for Personal Data—examined 876 child-focused or child-popular websites and mobile apps across sectors, including education, gaming, social media, shopping, and video streaming.

The sweep evaluated these websites and mobile apps based on five indicators, including age assurance, collection of children’s data, protective controls, account deletion, and inappropriate content and high-risk design features, and compared the results with a similar sweep conducted by the GPEN in 2015.

The sweep found that some platforms adopted good practices to protect children and their personal data, such as providing notifications advising children not to use their real names or upload images. However, some practices raised concerns about children’s privacy, and that some risks may have increased, compared with 2015. 

For example, more child-friendly online services now require users to provide personal data to access full functionality. Compared with 2015, mandatory collection increased for children’s names and phone numbers. Many platforms also expanded their privacy policies to indicate they may share children’s personal data with third parties.

The sweep assessed five indicators. It found that 45% of the websites and apps reviewed used age assurance, up from 15% in 2015. However, for 72% of services, age checks could be bypassed, most often when users were allowed to self-declare. On data collection, 96% of services had privacy policies, but only 56% set children’s personal data to private by default. More than half required an email address to access full features, while 50% required usernames and 46% required geolocation. Compared with 2015, the mandatory collection of some data types increased, including children’s names and phone numbers.

The sweep also found that 71% of services did not provide information about privacy and protective controls tailored to children. For account management, 36% of websites and apps did not offer an accessible way to delete accounts. Finally, the review found inappropriate content in 15% of services for bullying, abuse, or hate, and in 11% for sexual content. Only 35% of services with high-risk design or data processing included clear privacy communications, such as prompts asking children to seek parental permission.

Participating authorities encourage child-focused or child-popular websites and mobile apps to adopt privacy-protective practices, including limiting personal data collection, building privacy by design and by default, and using age-appropriate assurance mechanisms based on the level of risk.

Don't miss: HK privacy watchdog raises alarm over Grok's potential for harmful content

The privacy commissioner for personal data, Ada Chung said: “As the cognitive abilities of children are still developing, they may not fully understand their personal data privacy rights and are therefore more vulnerable to privacy risks arising from less privacy protective settings and design features of websites and mobile apps.”

“Organisations should therefore ensure that the best interests of the child is the primary consideration in the collection, processing and use of children’s data, and adopt privacy by design and by default to ensure that privacy protection measures are embedded from the very beginning of the design and development stages of products and services, with a view to enabling children to use online services safely,” she added.

Mark your calendars for 24 June! #Content360 Hong Kong returns with a dynamic, one-day event dedicated to pivotal trends—from the silver economies to breakthrough IP collaborations, sports, and beyond. Let's dive into the art of curating content with creativity, critical thinking and confidence!

Related articles:

HK privacy watchdog raises alarm over Grok's potential for harmful content
HK privacy watchdog reminds LinkedIn users to review AI data terms
Hong Kong privacy watchdog opens probe into Qantas data breach