International privacy regulators have released findings from the 2025 Global Privacy Enforcement Network Sweep, assessing how websites and apps handle children’s personal data.
The sweep examined 879 websites and mobile applications against five key indicators, including age assurance, data collection practices, transparency, protective controls, and inappropriate content.
Canada’s Office of the Privacy Commissioner, the UK Information Commissioner’s Office, and the Office of the Data Protection Authority of the Bailiwick of Guernsey coordinated the review.
Federal Privacy Commissioner Philippe Dufresne has framed the sweep as part of the OPC’s overarching commitment to champion children’s privacy, a long-standing strategic priority for Canadian regulators.
While the sweep carries no legal binding force, authorities have made clear its findings may inform future guidance, targeted outreach, and enforcement activity across participating jurisdictions.
One of the most striking findings concerns age assurance, with approximately 45% of reviewed platforms incorporating some form of age gating, a significant increase from a decade ago.
Despite that progress, regulators found that in 72% of those cases, age-assurance controls could be easily bypassed, most often where platforms relied solely on self-declaration of age.
More than half of all assessed websites and apps required users to provide an email address, while 50% required a username and 46% requested geolocation data to access full functionality.
Privacy authorities also found that 71% of reviewed platforms lacked protective controls and privacy information tailored specifically to children, raising serious concerns about age-appropriate design.
Inappropriate content, including material related to self-harm, bullying, abuse, and hate, was identified on 35% of reviewed platforms, frequently accompanied by high-risk design features such as behavioural profiling.
Behavioural profiling mechanisms were present alongside self-harm content in 60% of cases, and alongside eating disorder content in 58% of cases, a combination regulators described as deeply troubling.
Taken together, regulators said they were not comfortable with children using 41% of the reviewed platforms, up from 30% recorded in the 2015 sweep, signalling a worsening trend.
More than one third of reviewed platforms, 36%, did not provide an accessible or straightforward way for users to delete their accounts, a concern regulators highlighted as an ongoing issue.
The OPC’s enforcement record on children’s privacy has grown notably, with recent joint investigations into TikTok’s handling of minors’ data and, in 2026, a collaborative probe into OpenAI’s ChatGPT.
The ChatGPT investigation raised concerns about the overcollection of personal information, with children’s data found to be affected even though the platform is not explicitly targeted at younger users.
OpenAI committed to implementing additional privacy measures following the investigation, reflecting growing regulatory pressure on major technology platforms to strengthen youth protections.
During Privacy Awareness Week 2026, the OPC also introduced new age assurance guidance for websites, online service providers, and age assurance developers to help raise standards across the industry.
Public feedback on those guidance documents will be accepted until August 4, 2026, giving organisations an opportunity to shape the regulatory framework as it continues to develop.
Regulators stressed that self-declaration of age alone may be insufficient, particularly where content or data processing carries higher risk, and urged organisations to adopt more robust verification methods.
For any business operating digital services popular with younger audiences, the sweep serves as a clear signal that children’s privacy expectations are rising and enforcement attention is intensifying.

