Information Commissioner joins internal review of digital services used by young people

Global privacy sweep highlights risks and improvements in children’s online safety

A global review of websites and mobile applications used by children has identified both progress and ongoing concerns around how young people’s personal data is handled online.

The exercise, which was coordinated by the Global Privacy Enforcement Network, involved 27 data protection authorities including the Isle of Man Information Commissioner’s Office.

Nearly 900 digital services were assessed, ranging from platforms designed specifically for children to those aimed at general audiences but widely used by younger users.

The sweep examined how personal data is collected and used, the clarity of privacy information, the effectiveness of age-assurance measures, and whether organisations limit data collection to what is necessary.

It follows a similar study carried out in 2015, allowing regulators to compare how protections have evolved over the past decade.

The findings suggest some improvements, with many services now including prompts discouraging children from sharing real names or uploading photographs, while parental controls have become more common and location sharing is more frequently disabled by default.

However, the report also highlights several areas of concern.

Compared with 2015, a greater number of platforms now require users to provide personal information to access full features, and more indicate that data may be shared with third parties. Regulators say these trends could increase privacy risks if not properly managed.

Isle of Man Information Commissioner Dr Alexandra Delaney-Bhattacharya says: ““The Island’s children should be able to explore and enjoy the digital world with confidence and safety.

“Protecting children’s privacy is central to our strategic priorities - working alongside international partners in this global sweep strengthens our efforts to promote a safer digital environment.”

Across all jurisdictions, the review found that age-assurance measures were often ineffective, with 72 percent of services allowing users to bypass checks, particularly where self-declaration was used.

More than half - 59 percent - required an email address for full functionality, while half required usernames and 46 percent collected geolocation data.

In addition, 71 percent of platforms did not provide child-friendly explanations of privacy practices, and more than a third - 36 percent - did not offer an accessible way to delete accounts.

Among services identified as having higher-risk design features, only 35 percent provided prompts encouraging children to seek parental permission.

On the Isle of Man, the Information Commissioner’s Office reviewed 17 websites, including eight based locally.

All of the Island’s platforms with privacy policies stated they collect personal information, most commonly email addresses, names and geolocation data.

Five of the eight local services allowed users to delete their accounts, while six were found to include higher-risk design features such as complex language, public-by-default settings or location tracking enabled by default.

Most did not offer parental controls or provide information tailored to younger users.

The regulator says it will engage with organisations where improvements are needed, as part of ongoing efforts to strengthen online safety for children.