2025 global privacy sweep examined websites and apps used by children

25 March 2026

This year’s annual Global Privacy Enforcement Network (GPEN) Sweep examined how online services protect children’s privacy. This exercise replicated a children’s privacy sweep that was conducted in 2015 with the purpose of comparing how online services protected children then and now.

This exercise took place between 3 November and the 7 November 2025. It involved participants, or “sweepers”, from 27 privacy enforcement authorities, from around the world, and almost 900 websites and apps have been examined.

The Information and Data Protection Commissioner of Malta (IDPC) participated in this exercise, targeting both websites and apps specifically designed for children, as well as websites and apps offered in Malta that are intended for the general population but popular among children.

The sweepers, impersonating children of different age groups, examined these online services’  mechanisms and practices relating to the collection of users’ personal data, as well as those relating to transparency, age-assurance, and the limitation of data collection.

Overall, sweep participants observed good practices to protect children and their personal data, such as notifications advising children not to use their real names or upload images, as well as having location sharing disabled by default.

That said, participants also noted practices that raised concerns about children’s privacy, and that some risks may have increased over the last 10 years. For example, compared to 2015, more of the online services used by children now require users to provide their personal data to access the full functionality of the platform. In addition, more platforms indicated in their privacy policies that they may share personal data with third parties.

With regard to the use of age-assurance mechanisms to restrict children’s access to, or interaction with online services, participants noted an increase in the use of such measures. However, it was also observed that these mechanisms could be easily circumvented, which is particularly concerning when websites and apps contain inappropriate content or involve a high-risk processing activity.

Participants evaluated the websites and apps based on 5 indicators, which largely mirrored those from the 2015 sweep.

For each indicator, the sweep found:

• Age assurance: For 72% of the websites and apps reviewed, participants were able to circumvent age assurance measures, most often where self-declaration was used.
• Collection of children’s data: More than half (59%) of the websites and apps required the collection of an email address to access the full functionality of the platform, followed by 50% requiring usernames, and 46% requiring geolocation. Overall, participants noted an increase in the collection of certain types of information compared to 2015.
• Protective controls: 71% of the websites and apps did not have information about protective controls and privacy practices that were tailored to children.
• Account deletion: More than one third (36%) of the websites and apps did not provide an accessible way to delete accounts.
• Inappropriate content and high-risk design features: Only 35% of the websites and apps identified as having high-risk data processing and design features for children provided privacy information, such as a pop-up, directing young users to seek parental permission before continuing to use the website or app.   

What is next?

GPEN, together with the IDPC, encourage website or app operators to design their online services, in a manner that protect children’s privacy online. Organisations are encouraged to offer online experiences that are safe for children by adopting these best practices:

• implement multi‑factor age assurance mechanisms;
• apply data minimisation by design;
• provide child-friendly privacy notices;
• add a simple, prominent “Delete Account” function;
• implement content-filtering and safety layers.

Related link: GPEN Sweep Report: Children’s Privacy