‘Privacy Sweep’ Finds EU Online Safety Measures Stagnating over Past Decade

The latest GPEN sweep underscores a troubling regression in child‑focused privacy across Europe. Compared with the 2015 benchmark, data collection has intensified: 59% of examined services now demand email addresses, half request usernames, and nearly half harvest geolocation. Age‑verification tools, once touted as a protective layer, proved ineffective in 72% of cases, often reduced to simple self‑declarations that children can easily sidestep. This erosion of safeguards not only heightens exposure to targeted advertising and profiling but also raises the specter of hefty GDPR fines for non‑compliant operators.

Amid the audit’s bleak portrait, EU legislators are wrestling with the technical and legal foundations of age assurance. Critics like digital‑identity researcher Nathalie Launay argue that current estimation‑based tools conflict with GDPR’s data‑minimisation principles, pointing to pending enforcement actions such as Spain’s fine against Yoti. Conversely, the Spanish data‑protection agency (AEPD) defends the European Commission’s draft guidelines, emphasizing that platforms should not be forced to collect additional personal data merely to confirm a user’s age. The agency promotes privacy‑preserving methods that verify age thresholds without revealing identities, aligning with the DSA’s Article 28 provisions.

The EU Digital Identity Wallet (EUDI), slated for rollout by the end of 2026, emerges as a potential game‑changer. Designed as a harmonised, privacy‑by‑design age‑gating solution, the wallet promises to streamline compliance for Very Large Online Platforms and public services alike, while opening new monetisation avenues for providers that integrate its verification APIs. If adopted widely, the wallet could shift the industry from ad‑hoc, easily bypassed checks to a standardized, auditable framework, thereby reducing regulatory risk and fostering greater consumer confidence in digital services targeting minors.