According to data collected by our researchers, 1 in 5 children’s apps available on Google Play don’t adhere to COPPA rules.
COPPA, imposed by the Federal Trade Commission (FTC), enforces a number of requirements on operators of websites or online services that are aimed at under 13s. It also applies to operators of other websites and online services that have actual knowledge they’re collecting personal information from under 13s.
20 percent of all the apps we studied had some kind of COPPA violation. The majority of these apps collect data but fail to include a child-specific section in their privacy policies, suggesting that children’s data is collected and used in the same way as adult data. More worrying still, over 5 percent of all the apps we investigated declared that their services aren’t targeted toward or do not address children–including apps with “kids” and “toddler” in their name.
- 1 in 5 (101) apps have privacy policies that suggest COPPA violations
- These have been downloaded by almost 492 million users
- 50 percent of all the apps that violate COPPA have received a “teacher-approved” badge
- Over 5 percent (27) of all the company privacy policies we reviewed contained claims that the respective apps were not intended for children, despite being within the “Everyone” age category on Google Play–10 of these are “teacher-approved”
- 18 percent of “teacher-approved” apps violate COPPA
- 21 percent of free apps and 20 percent of paid apps violate COPPA
- 38 percent of all the apps that violate COPPA are classed as “educational”
How are 20% of children’s apps violating COPPA?
A further 27 percent claim their apps aren’t intended for children, despite the fact that the apps fall under the “Everyone” age limit on Google Play (two are aimed at those aged 10 years and older – the rest have no age limit). These apps would also fall under section 312.2 of COPPA (which we explore in more detail below). This section discusses subject matter, visual content, and other child-oriented features that all of these apps contain.
9 percent of the apps don’t collect data themselves but work with third parties that potentially do (primarily third-party advertising and analytics services). For example, one app suggests geographic location may be used through Google Analytics, and other third-party ad networks may collect various pieces of data, including geographic location and device ID. In this case, a child-specific section and parental consent are necessary, as is in-depth detail about each third party. It is also likely that many of the 50 percent of app developers that collect PI themselves work with third parties that collect PI as well.
Another 9 percent try to place the onus on parents or children, asking children to refrain from submitting PI to the app or for parents to monitor their child’s app usage. Apps should request parental consent from the onset if they’re to collect PI (they shouldn’t expect parents to look into this themselves, and they certainly shouldn’t expect children to read privacy policies before submitting data).
50% of the apps that violate COPPA are still “teacher-approved”
As a parent, you’d be forgiven for assuming that a Google Play app that has the “teacher-approved” badge (a medal with a tick in it) has been through rigorous checks to ensure full compliance and child safety for the recommended ages. For example, the app below has a teacher-approved badge for children aged 9 and over.
Google’s “Teacher Approved” program requires apps to go through an additional layer of review (the first is for the submission into family/children categories–as we explore in more detail below). In this review, teachers and specialists evaluate the apps based on multiple criteria, including design quality, appeal to children, and age appropriateness (including in-app adverts, purchases, and cross-promotions).
274 of the apps we reviewed had received this teacher-approved tick and 50 of these (18%) were found to be in violation of COPPA guidelines. This means the apps and their privacy policies have been through two layers of review and have still passed quality control despite being in breach of COPPA’s standards.
What data are the COPPA-violating apps collecting?
According to what is stipulated in the apps’ privacy policies, the apps that aren’t adhering to COPPA guidelines collect the following information from all users:
IP addresses (or other persistent identifiers) are the biggest downfall for the majority of apps. This may be because IP addresses are often not regarded as PI unless they are collected alongside other personal data. However, IP addresses can often be attributed to individuals (or, at the very least, to their Wi-Fi routers). And the Amended Rule, applied to COPPA from July 1, 2013, stipulates that persistent identifiers, such as customer numbers held in cookies or IP addresses, are classified as PI.
The technical details, the gray areas, and the legal jargon
To better understand how so many apps appear to be in violation of COPPA, it’s important to point out the technicalities of the legislation, how it has been interpreted, and what additional safeguards Google has in place.
What is COPPA?
In 1998, Congress enacted the Children’s Online Privacy Protection Act. The Federal Trade Commission (FTC) was given authority to issue and enforce the act, which became effective on April 21, 2020. In 2012, the FTC amended the COPPA rule (with these changes coming into effect on July 1, 2013).
Who does COPPA apply to?
COPPA applies to:
- Operators of commercial websites and online services (including mobile apps) that are directed toward children and collect, use, or disclose personal information (PI) from under 13s
- General websites/online services with actual knowledge of the collection, use, or disclosure of PI from under 13s
- Operators with actual knowledge that they are collecting under 13s’ PI from users of other websites or online services (e.g. plug-ins, advertising networks, and other third parties)
What is “actual knowledge” according to COPPA?
This is a gray area within COPPA as there is no specific definition. Rather, the FTC offers guidelines, such as: “An operator has actual knowledge of a user’s age if the site or service asks for – and receives – information from the user that allows it to determine the person’s age.” And, “Third-party sites or services may have actual knowledge under COPPA, too. For example, if the operator of a child-directed site directly communicates to an ad network or plug-in about the nature of its site, the ad network or plug-in will have actual knowledge under COPPA. The same holds true if a representative of the ad network or plug-in recognizes the child-directed nature of the site’s content.”
Not necessarily, no.
In 2014, TinyCo, Inc., an app developer for kids’ games like “Tiny Pets,” “Tiny Zoo,” and “Tiny Village,” was hit with a fine from the FTC for violating COPPA regulations. Its apps would request email addresses and social network details in exchange for in-game goodies. This, according to the FTC, enabled TinyCo to illegally collect children’s email addresses (something the company denied knowledge of).
However, the case provided clarification as to what apps or websites may be classed as “directed at children,” highlighting section 312.2 of COPPA:
“subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children.”
It was this “directed at children” stance that the FTC took against TinyCo, but they had also received messages from parents who complained about the app’s collection of their child’s data. This direct contact from parents is now widely regarded as giving app developers “actual knowledge,” too.
Google’s requirements for children’s apps (and its liability for reviewing these apps)
Google’s Designing Apps for Children and Families policy (DFF) suggests that app developers must indicate the target audience for their app, prior to publishing, by selecting from the list of age groups provided. Age groups under 13 are classed as targeting children (in countries where children are defined as being over 13 years old, different laws may apply). After submitting, Google states that the developer’s “app will be reviewed for eligibility in the Designed for Families program.”
Google also has numerous requirements for children and family apps, including that they “must disclose the collection of any personal and sensitive information from children in your app, including through APIs and SDKs called or used in your app.” The apps must also comply with COPPA (among other things).
Whose responsibility is it to adhere to COPPA, then? Google’s? The app developers? Or both?
A recent case involving the Attorney General of New Mexico vs. Tiny Lab Productions and various big tech giants, including Google, gives us an idea as to what extent Google and app developers are liable under COPPA.
In this particular case, New Mexico’s AG brought action against Tiny Lab, Google, and others in a bid to prevent them from observing children while they play online and from tracking them across their devices and the internet. It referenced two of Google’s services as an issue within the litigation–its SDK (the AdMob SDK) and its “Family” section on the Play Store.
Our study hasn’t looked at SDKs. But a previous study, “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale, conducted in 2018, suggested that 19 percent of children’s apps on Google Play collected identifiers or other PII via SDKs. However, our study does focus on those apps available within Google’s “Family” or children sections.
The court ruled that the automated exchange of data between an SDK and its server isn’t enough to substantiate “actual knowledge.” But a court may reasonably conclude that the steps taken to review the requirements for a child-directed app would give the party “actual knowledge.”
Google argued that only the app developers should be liable, as they have contractually promised that their apps are suitable for children. But the court dismissed this notion. Nevertheless, Tiny Lab’s apps were removed from Google Play when the lawsuit was filed and remain off the store to date.
Overall, then, even though there are still some gray areas, the above highlights how app developers could be found in violation of COPPA if their apps show clear signs that they’re aimed at children and are submitted to app stores, like Google Play, under that guise. Furthermore, Google may be liable under COPPA when approving these apps for its store.
How did we deem whether or not an app potentially violated COPPA rulings?
Based on these rulings, we looked at the privacy policies of 500 apps that are marked as being suitable for children in various age groups. We looked to see whether or not the apps had:
- Made reasonable efforts to provide direct notice to parents of their practices regarding the collection, use, or disclosure of PI from children
- Provided a reasonable means for a parent to review the PI collected
- Established and maintained reasonable procedures to protect the confidentiality, security, and integrity of the PI collected from children
- Had a clear data retention policy for children’s PI, keeping it for only as long as is necessary to fulfill the purpose for which it was collected
- Listed the name, address, and email address of ALL operators collecting or maintaining PI (if applicable)
- Described what information the operator collects from children
According to COPPA, PI is:
- A first and last name
- A physical address
- Online contact information
- A screen or user name that functions as online contact information
- A telephone number
- A Social Security number
- A persistent identifier, such as an IP address, a unique device identifier, or a customer number held in a cookie
- A photo, video, or audio file which contains the child’s image or voice
- Geolocation data
Methodology and limitations
We searched through the top charts on Google Play (under children and family categories), looking at the top 300 free and top 200 paid apps (the heavier weighting in free apps is due to more being available). Then, we reviewed each of the listed privacy policies for the apps for the aforementioned details.
As our research is based on the privacy policies of these apps, we can’t guarantee that the protections listed are actually implemented by each of these app developers. Privacy policies are also subject to change at any time, so may have altered since our research was conducted.
Researchers: George Moody, Rebecca Moody