13 October 2014

Kids’ app removed from app stores after investigation by Dutch Data Protection Authority

The Dutch Data Protection Authority has investigated the ‘Okki Gekke-bekken-club’ app for children and concluded that several features of the app violated the Dutch Data Protection Act. The company responsible for the app has removed it from app stores.

Supervisory authorities increasingly coordinate joint privacy sweeps, including an international App Sweep in 2014. Apps are also a high priority for the Dutch Data Protection Authority. Companies that work with apps are advised to check that the use of personal data via the apps complies with privacy regulations. Where necessary, adjustments may need to be made.

Blink Uitgevers B.V. (Blink), the company behind the app, created it to encourage children to brush their teeth. The app enabled young children to take a photograph of their teeth and send it to a website. They then had the option of masking their face by choosing a picture of an animal face instead. They could also submit an unmasked picture of their face. There was also an option to enter their name, age, town, and e-mail address.

The Dutch Data Protection Authority (Dutch DPA) found that the website contained photographs of partially recognisable children, as well as their name, age and the town they lived in. Blink explicitly asked for the children’s consent to the submission and publication of their photograph on the website, but did not warn them that they needed parental consent for this. However, the unambiguous consent required for this kind of data processing can only be given by a legal guardian. In addition, there should be an option to withdraw parental consent.

Blink also acted in conflict with the information requirements under the Dutch Data Protection Act by failing to inform users in a timely manner about the purposes of processing their personal data. The Dutch DPA also found that the data had not been adequately protected against unlawful processing because the e-mail address and other data had not been encrypted.

Blink has now removed the app from stores. Photos and other personal data have also been deleted from the website.

International Privacy App Sweep

A recently conducted worldwide Privacy App Sweep has shown that most apps do not comply with applicable privacy regulations. In a large number of apps, personal data were collected without properly informing the app users. Only 15% of the apps surveyed complied with applicable privacy regulations. The Privacy App Sweep was carried out by 26 privacy supervisory authorities and coordinated by the Global Privacy Enforcement Network (GPEN).

Privacy supervisory authorities increasingly join forces to tackle cross-border privacy issues. GPEN coordinated an Internet Privacy Sweep in 2013, and European privacy supervisors held a Cookie Sweep Day in September 2014 to assess compliance with cookie rules on European websites.

Recommendation

Enforcement of privacy regulations in relation to apps is gaining national and international attention. Companies that provide apps would therefore do well to check that the use of personal data via the apps complies with privacy rules. Where necessary, adjustments may need to be made.