
PrivCom takes part in 2025 Global Privacy Enforcement Network (GPEN) Sweep

  • Writer: privcombermuda

Media Contact

Communications Team

 

PRESS STATEMENT

 

FOR IMMEDIATE RELEASE


25 March 2026 

 

PrivCom takes part in 2025 Global Privacy Enforcement Network (GPEN) sweep of websites and apps used by children


Hamilton, Bermuda - 25 March 2026 – The Office of the Privacy Commissioner for Bermuda (PrivCom), along with 26 other privacy enforcement authorities from around the world, is today issuing the findings of the 2025 Global Privacy Enforcement Network (GPEN) sweep of almost 900 websites and mobile applications used by children.


The 2025 GPEN Sweep


The GPEN Sweep is an annual initiative aimed at increasing awareness of privacy rights and responsibilities, encouraging compliance with privacy legislation and enhancing co-operation between international privacy enforcement authorities. Each year, data protection authorities select a theme and examine the privacy communications of the particular product or service under that theme. The 2025 sweep was coordinated by the Office of the Privacy Commissioner of Canada, the United Kingdom Information Commissioner’s Office, and the Office of the Data Protection Authority of the Bailiwick of Guernsey. It took place between 3 and 7 November 2025.


The theme selected for the 2025 sweep was the protection of children's privacy. Regulators examined the mechanisms and practices on platforms which related to the collection of children’s personal information and considered whether they were transparent about their privacy practices, had age-assurance mechanisms in place to verify a user’s age to protect children and enforce age-appropriate access, and had employed privacy protective controls to limit the collection of children's personal information. A children’s privacy sweep had been conducted by GPEN in 2015 and, by replicating the sweep in 2025, participating authorities were able to compare how online services protected children then and now.


The results of the latest GPEN sweep highlight how child-friendly practices on websites and mobile applications can protect or undermine children’s privacy online. Global regulators evaluated the websites and mobile applications based on five indicators, which largely mirrored those from the 2015 sweep.  


For each indicator, the sweep found the following:


  • Age assurance: For 72% of websites and mobile applications reviewed, participants were able to circumvent age assurance measures, most often where self-declaration was used.


  • Collection of children’s personal information: More than half (59%) of the websites and mobile applications required the collection of an email address to access the full functionality of the platforms, followed by 50% requiring usernames, and 46% requiring geolocation. Overall, participants noted an increase in the collection of certain types of personal information compared to 2015.


  • Protective controls: 71% of the websites and mobile applications did not have information about protective controls and privacy practices that were tailored to children.


  • Account deletion: More than one third (36%) of the websites and mobile applications did not provide an accessible way to delete accounts.


  • Inappropriate content and high-risk design features: Only 35% of the websites and mobile applications identified as having high-risk use of personal information and design features for children had privacy information, such as a pop-up, that actually directed a young person to seek permission from their parents to continue using the website or app.


Overall, the global regulators participating in the GPEN sweep observed good practices to protect children and their personal information, such as notifications advising children not to use their real names or upload images, as well as having location sharing disabled by default.


However, the sweep participants also noted practices that raised concerns about children’s privacy, and that some risks may have increased over the last 10 years.


For example, compared to 2015, more of the online services used by children now require users to provide their personal information to access the full functionality of the platform. In addition, more platforms indicated in their privacy policies that they may share personal information with third parties.


As relates to the use of age assurance mechanisms to restrict children’s access or interaction with online services, participants noted that these had increased, but that such measures could be easily circumvented – a particular concern in instances where websites and apps had inappropriate content or high-risk data processing and design features for children.



 

Statement of the Privacy Commissioner for Bermuda


Commissioner Tucker reflected on PrivCom's participation in GPEN sweeps in both 2024 and 2025 and observed:


In this modern era of near-instantaneous communications and constant cross-border transfers of personal information via information society services, protecting children online must be prioritised and this requires regulatory collaboration.


PrivCom receives valuable information on global data protection trends, risks and regulatory perspectives from engaging in the annual cross-border GPEN sweep. That information is then used by PrivCom to shape and inform the undertaking of its own annual local sweep, its corresponding assessments of organisations' understanding of and adherence to Bermuda's overarching statutory privacy framework and delivery of guidance to stakeholders.


The 2025 GPEN sweep theme, which focuses on the protection of children’s privacy in the digital sphere, falls directly within the statutory mandate of the Personal Information Protection Act 2016 (PIPA). Section 16 of the legislation imposes a specific obligation upon an organisation to obtain consent from a parent or a guardian before personal information is collected or otherwise used if the following criteria are met:


1. The organisation is relying on consent to use personal information;


2. The personal information in question is about a child (defined by PIPA as an individual under the age of 14);


3. That use is occurring within the context of the provision of an information society service (defined by PIPA as a service which is delivered by means of digital or electronic communications); and


4.  The service is targeted at children or the organisation has actual knowledge that it is using personal information about children.


Section 16 of PIPA further requires that if an organisation is delivering an information society service to a child, it must provide a privacy notice that is easily understandable and appropriate to the age of the child.


It is imperative that local organisations using children’s personal information within this context familiarise themselves with these PIPA requirements to ensure that they are fully meeting their legal obligations to protect children.


Organisations are reminded that Section 38 of PIPA establishes the right of any individual to initiate a complaint to the Commissioner with respect to any of the following matters:


1.   An obligation imposed on an organisation by PIPA has not been performed;

2.   A right set out in PIPA has not been observed;

3.   Personal information has been used by an organisation contrary to PIPA;

4.   An organisation is not in compliance with PIPA.

 

-END-

 

About the Office of the Privacy Commissioner for Bermuda (PrivCom)


The Office of the Privacy Commissioner for Bermuda is an independent supervisory authority established in accordance with the Personal Information Protection Act 2016 (PIPA). The mission statement of the authority is to protect the rights of individuals in Bermuda in relation to their personal information. As a Non-Ministry Office, funding for the office is provided by way of an allocation of funds appropriated by the Legislature for that purpose.


The general contact details of the regulatory authority are:


Maxwell Roberts Building

1 Church Street, 4th Floor

 HM 11, Bermuda

543-7748

 

 

 
 