Kids’ Apps on Google Play Rife with Privacy Violations

One in five of the most-popular apps for kids under 13 on Google Play don’t comply with COPPA regulations on how children’s information is collected and used.

About 20 percent of the Top 500 kids’ mobile apps in the Google Play store are collecting data on users in a way that likely violates the Children’s Online Privacy Protection Act (COPPA). These have been downloaded by a collective 492 million users, researchers said.

That’s according to an analysis from Comparitech, which reviewed each app’s privacy policy to see whether or not it met the key areas of COPPA regulations.

COPPA, imposed by the Federal Trade Commission (FTC), applies to online services, apps and websites that target children under 13, and it requires child-directed websites, apps and online services to provide notice of their data-collection practices and obtain parental consent prior to collecting personal information from children under 13. That includes the use of persistent identifiers for targeted advertising.

COPPA Requirements for Kids’ Privacy

The main requirements, according to Comparitech’s analysis, are:

  • A clear and comprehensive online privacy policy which details their practices for collecting PI from children under 13;
  • Reasonable efforts to provide direct notice to parents of their practices regarding the collection, use or disclosure of PI from children;
  • Reasonable means for a parent to review the PI collected;
  • Reasonable procedures to protect the confidentiality, security and integrity of the PI collected from children;
  • Clear data-retention policy for children’s PI, keeping it for only as long as is necessary to fulfill the purpose for which it was collected; and
  • Listing of the name, address and email address of all third parties (such as ad networks) collecting or maintaining PI from the app.

Top 500 Kids’ App Violations

The potential COPPA violations that the firm found when examining the apps varied, but the majority of them stem from apps collecting personal data without including a child-specific section in the privacy policy. This suggests “that children’s data is collected and used the same as adult data,” according to Comparitech’s Tuesday analysis. Researchers added, “A separate section on how the developers ensure children’s safety should be included. If the app didn’t collect any data whatsoever, this wouldn’t be necessary.”

Analysis from privacy policies. Source: Comparitech

Meanwhile, about 9 percent of the apps don’t collect data themselves but work with third-party advertisers and analytics companies that potentially do, researchers said.

“For example, one app suggests geographic location may be used through Google Analytics, and other third-party ad networks may collect various pieces of data, including geographic location and device ID,” according to the firm. “In this case, a child-specific section and parental consent are necessary, as is in-depth detail about each third party. It is also likely that many of the 50 percent of app developers that collect PI themselves also work with third parties that collect PI, too.”

Also problematic: More than 5 percent of the apps investigated claim they aren’t targeted toward children (and are therefore exempt from COPPA), despite many of them including the terms “kids” and “toddler” in their name, Comparitech found. All of these are listed under the “Everyone” age category on Google Play, and 10 of them are even listed as “teacher-approved.”

In fact, fully half of the apps that potentially violate COPPA are “teacher-approved,” the analysis revealed.

“Google’s Teacher Approved program requires apps to go through an additional layer of review (the first is for the submission into family/children categories),” researchers explained. “In this review, teachers and specialists evaluate the apps based on multiple criteria, including design quality, appeal to children, and age appropriateness (including in-app adverts, purchases, and cross-promotions).”

The firm also found that another 9 percent of apps recommend that children avoid giving their PI to the app or for parents to monitor the app’s usage. However, not providing a proactive way to obtain consent could be a COPPA violation.

“Apps should request parental consent from the onset if they’re to collect PI (they shouldn’t expect parents to look into this themselves, and they certainly shouldn’t expect children to read privacy policies before submitting data),” according to Comparitech.

And finally, another 6 percent of apps fail in partial ways: They don’t explain how a parent can consent or how they can can access their child’s data, for instance, or the privacy policy lacks clarity.

“For example, one app discusses child safety for those aged 6 and under but doesn’t address children aged 7 to 13,” the firm explained.

COPPA Fines and Lawsuits

The FTC has not been shy about doling out fines and lawsuits for violating COPPA. In June 2020 for instance, children’s app developer HyperBeard was slapped with a $150,000 fine after being accused of illegally collecting children’s data without parental consent.

TikTok was also hit with an FTC complaint in May of that year, which alleged that the platform continued to fail to adequately protect children’s privacy, despite paying a $5.7 million fine the year before relating to an earlier version of its app, called Musical.ly.

Meanwhile, in February of this year, a district judge ruled that a suit could proceed against Google and an app developer called Tiny Lab. The latter creates mobile game apps including Fun Kid Racing, Candy Land Racing, Baby Toilet Race: Cleanup Fun, and GummyBear and Friends Speed Racing.

Google faces claims that apps it hosts in the “Designed for Families” section Google Play, with the specific example of TinyLab, know that they’re targeting and collecting children’s data, and are responsible for being COPPA-compliant when it comes to the behavior of any related ad networks.

“AdMob, Twitter/MoPub, InMobi/AerServ, Applovin and ironSource…sold their proprietary software development kits (SDKs) to Tiny Lab for installation and use in its gaming apps,” reads the complaint. “When a Tiny Lab app is downloaded onto a child’s device … the ad networks’ SDKs are also installed as app components. Once so embedded, while a child…plays one of the apps, the ad networks’ SDK collects personal information about that child and tracks the child’s online behavior to profile the child for targeted advertising. This activity is invisible to the child and her parents.”

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!

Suggested articles