Nearly 1 in 4 children’s Google Play Apps breach COPPA

According to data collected by our researchers, more than 1 in 4 children’s apps available on Google Play don’t adhere to COPPA rules. This is a significant decline in compliance since the same analysis we conducted two years ago, which found that 1 in 5 didn’t abide by COPPA’s rules.

COPPA, imposed by the Federal Trade Commission (FTC), enforces a number of requirements on operators of websites or online services that are aimed at under 13s. It also applies to operators of other websites and online services that have actual knowledge they’re collecting personal information from under 13s.

Searching through 400 of the most popular children’s apps available through Google’s Play Store, our team reviewed each app’s privacy policy to see whether or not it met the key areas of COPPA regulations. We also established what personal information (PI) could be collected by the app and whether it included a clear and comprehensive section on collecting children’s data.

Just over 32 percent of all the apps we studied had some kind of COPPA violation. The majority of these apps discuss the safeguarding of children’s information but fail to put the right measures in place to do so. More worrying still, nearly 5 percent of all the apps we investigated declared that their services aren’t targeted toward or do not address children–including apps with “kids” and “toddler” in their name.

Furthermore, to see whether these potential violations are eventually picked up, we revisited all of the non-compliant apps we found in our 2021 study. Of the 101 we highlighted as possibly infringing COPPA rules*, only four had updated their privacy policies to comply with the standards. Around one-quarter had updated their policies but not enough to ensure COPPA compliance.

*In 2021, we looked at 500 apps, but due to changes in Google Play’s kids’ app display page, only 400 were possible this time around–see methodology.

We contacted Google about our findings and a spokesperson provided us with the following:

Google Play takes the protection of children on its platform seriously. Play has policies and processes in place to help protect children on our platform and has invested significant resources into related features. Apps that target children must comply with our Google Play Families Policy, which requires developers to adhere to all relevant laws and all of Play’s Developer Program Policies, plus imposes additional privacy, monetisation, and content restrictions like prohibiting access to precise location data. Developers are responsible for ensuring their apps are compliant with all relevant laws and appropriate for their target audiences, including children.

Key findings

  • Over 1 in 4 (129) children’s apps have privacy policies that suggest COPPA violations
  • These have been downloaded by over 415 million users
  • 98% of the apps that violate COPPA have received a “teacher-approved” badge
  • Nearly 5 percent (19) of all the company privacy policies we reviewed contained claims that the respective apps were not intended for children, despite being within the “Everyone” age category on Google Play
  • Of all the apps we studied, 29 percent of free apps and 51 percent of paid apps could violate COPPA
  • Only 4 percent of the apps we found in potential violation of COPPA in 2021 have improved their policies to comply with the regulations

How are 32% of children’s apps violating COPPA?

As mentioned above, and as we can see from the below chart, almost 40 percent of the apps that are possibly violating COPPA are collecting data without having the right protocols in place (e.g. obtaining parental consent). A further 34 percent don’t have any form of child data collection policy but collect PI. If the privacy policy indicates that any PI is collected, COPPA stipulates a separate section on how the developers ensure children’s safety should be included. If the app didn’t collect any data whatsoever, this wouldn’t be necessary.

Google Play children's app COPPA violations

Another 15 percent claim their apps aren’t intended for children, despite the fact the app falls under the “Everyone” age limit on Google Play. These apps would also fall under section 312.2 of COPPA (which we explore in more detail below). This section discusses subject matter, visual content, and other child-orientated features that all of these apps contain.

3 percent of the apps don’t collect data themselves but work with third parties that potentially do (these are primarily third-party adverts and analytics). For example, one app suggests that the game is linked with a social network without describing how children’s data is safeguarded. Another describes how it shares IP addresses with third parties but doesn’t mention how children’s data is dealt with. In these cases, a child-specific section and parental consent are necessary, as is in-depth detail about each third party. It is also likely that many of the 34 percent of app developers that collect PI themselves without having a child’s policy also work with third parties that collect PI, too.

9 percent of the apps we flagged try to place the onus on parents or children, asking children to refrain from submitting PI to the app or for parents to monitor their child’s app usage. Apps should request parental consent from the onset if they’re to collect PI (they shouldn’t expect parents to look into this themselves, and they certainly shouldn’t expect children to read privacy policies before submitting data).

98% of the apps that violate COPPA are “teacher approved”

As a parent, you’d be forgiven for assuming a Google Play app displaying the “teacher approved” badge (a medal with a tick in it) has been through rigorous checks to ensure full compliance and child safety for the recommended ages. For example, the app below (which is suitable for all ages) has a teacher-approved badge.

Expert Approved Google Play

Google’s “Teacher Approved” program requires apps to go through an additional layer of review (the first is for the submission into family/children categories–as we explore in more detail below). In this review, teachers and specialists evaluate the apps based on multiple criteria, including design quality, appeal to children, and age appropriateness (including in-app adverts, purchases, and cross-promotions).

396 of the apps we reviewed had received this teacher-approved tick and 127 of these (32%) were found to be in violation of COPPA guidelines. This means the apps and their privacy policies have been through two layers of review and have still passed quality control despite being in breach of COPPA’s standards.

What data are the COPPA-violating apps collecting?

According to what is stipulated in the apps’ privacy policies, the apps that aren’t adhering to COPPA guidelines collect the following information from child users (some apps may describe the data collected from adults but this hasn’t been included in the below):

PII collected by children's apps that don't adhere to COPPA guidelines

IP addresses (or other persistent identifiers) are the biggest downfall for the majority of apps. This may be due to these often not being seen to be “PI” unless they are collected alongside other personal data. However, IP addresses are often easily attributed to individuals (or, at the very least, Wi-Fi routers). And, the Amended Rule applied to COPPA from July 1, 2013, stipulates that persistent identifiers, such as customer numbers held in cookies or IP addresses, are classified as PI.

The technical details, the gray areas, and the legal jargon

To better understand how so many apps appear to be in violation of COPPA, it’s important to point out the technicalities of the legislation, how it has been interpreted, and what additional safeguards Google has in place.

What is COPPA?

In 1998, Congress enacted the Children’s Online Privacy Protection Act. The Federal Trade Commission (FTC) was given authority to issue and enforce the act which became effective on April 21, 2020. In 2012, the FTC amended the COPPA rule (with these changes coming into effect on July 1, 2013).

Who does COPPA apply to?

Operators of commercial websites and online services (including mobile apps) that are directed toward children and collect, use, or disclose personal information (PI) from under 13s. General websites/online services with actual knowledge of the collection, use, or disclosure of PI from under 13s. And operators with actual knowledge that they are collecting under 13s’ PI from users of other websites or online services (e.g. plug-ins, advertising networks, and other third parties).

What is “actual knowledge” according to COPPA?

This is a gray area within COPPA as there is no specific definition. Rather, the FTC offers guidelines, such as: “An operator has actual knowledge of a user’s age if the site or service asks for – and receives – information from the user that allows it to determine the person’s age.” And, “Third-party sites or services may have actual knowledge under COPPA, too. For example, if the operator of a child-directed site directly communicates to an ad network or plug-in about the nature of its site, the ad network or plug-in will have actual knowledge under COPPA. The same holds true if a representative of the ad network or plug-in recognizes the child-directed nature of the site’s content.”

So, if an app developer states in its privacy policy that they “do not knowingly collect data from children under the age of 13,” (as over 5% do) are they covered?

Not necessarily, no.

In 2014, TinyCo, Inc., an app developer for kids’ games like “Tiny Pets,” “Tiny Zoo,” and “Tiny Village,” was hit with a fine from FTC for violating COPPA regulations. It would request email addresses and social network details in exchange for game goodies. This, according to the FTC, enabled TinyCo to illegally collect children’s email addresses (something the company denied knowledge of).

However, the case provided clarification as to what apps or websites may be classed as “directed at children,” highlighting section 312.2 of COPPA:

“subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children.”

It was this “directed at children” stance that the FTC took against TinyCo, but they had also received messages from parents who complained about the app’s collection of their child’s data. This direct contact from parents is now widely regarded as giving app developers “actual knowledge,” too.

More recently, Fortnite (Epic Games) was ordered to pay a $275 million penalty for its violation of COPPA. The FTC alleged that Epic was aware that many of its players were under 13 but for the first two years it was in operation it failed to obtain parental consent before obtaining personal information from children.

Google’s requirements for children’s apps (and its liability for reviewing these apps)

Google’s Designing Apps for Children and Families policy (DFF) suggests that app developers must indicate the target audience for their app, prior to publishing, by selecting from the list of age groups provided. Age groups under 13 are classed as targeting children (in countries where children are defined as being over 13 years old, different laws may apply). After submitting, Google states that the developer’s “app will be reviewed for eligibility in the Designed for Families program.”

Google also has numerous requirements for children and family apps, including that they “must disclose the collection of any personal and sensitive information from children in your app, including through APIs and SDKs called or used in your app.” The apps must also comply with COPPA (among other things).

Whose responsibility is it to adhere to COPPA, then? Google’s? The app developers? Or both?

A recent case involving the Attorney General of New Mexico vs. Tiny Lab Productions and various big tech giants, including Google, gives us an idea as to what extent Google and app developers are liable under COPPA.

In this particular case, New Mexico’s Attorney General brought action against Tiny Lab, Google, and others in a bid to prevent them from observing children while they play online and from tracking them across their devices and the internet. It referenced two of Google’s services as an issue within the litigation–its SDK (or AdMod SDK) and its “Family” section on the Play Store.

Our study hasn’t looked at SDKs. But a previous study, “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale, conducted in 2018, suggested that 19 percent of children’s apps on Google Play collected identifiers or other PII via SDKs. However, our study does focus on those apps available within Google’s “Family” or children sections.

The court ruled that the automated exchange of data between an SDK and its server isn’t enough to substantiate “actual knowledge.” But a court may reasonably conclude that the steps taken to review the requirements for a child-directed app would give the party “actual knowledge.”

Google argued that only the app developers should be liable as they have contractually promised that their apps are suitable for children. But the court dismissed this notion. Nevertheless, TinyLab’s apps were removed from Google Play when the lawsuit was filed and remain off the store to this date.

Overall, then, even though there are still some gray areas, the above highlights how app developers could be found to violate COPPA violations if their apps show clear signs that they’re aimed at children and are submitted to app stores, like Google Play, under that guise. Furthermore, Google may be liable under COPPA when approving these apps for its store.

How did we deem whether or not an app potentially violated COPPA rulings?

Based on these rulings, we looked at the privacy policies of 400 apps that are marked as being suitable for children in various age groups. We looked to see whether or not the apps had:

  • A clear and comprehensive online privacy policy that details their practices for collecting PI from children under 13
  • Made reasonable efforts to provide direct notice to parents of their practices regarding the collection, use, or disclosure of PI from children
  • Provided a reasonable means for a parent to review the PI collected
  • Established and maintained reasonable procedures to protect the confidentiality, security, and integrity of the PI collected from children
  • Had a clear data retention policy for children’s PI, keeping it for only as long as is necessary to fulfill the purpose for which it was collected
  • Listed the name, address, and email address of ALL operators collecting or maintaining PI (if applicable)
  • Described what information the operator collects from children

According to COPPA, PI is:

  • A first and last name
  • A physical address
  • Online contact information
  • A screen or user name that functions as online contact information
  • A telephone number
  • A Social Security number
  • A persistent identifier, such as an IP address, a unique device identifier, or a customer number held in a cookie
  • A photo, video, or audio file which contains the child’s image or voice
  • Geolocation data

Methodology and limitations

We searched through the top charts on Google Play (under children and family categories), looking at the top 400 apps which consisted of 337 free and 63 paid apps (the heavier weighting in free apps is due to more being available). Then, we reviewed each of the listed privacy policies for the apps for the aforementioned details.

In our previous study we looked at 500 apps, but due to duplications within the various categories on Google Play’s kids’ app homepage (e.g. “enriching games,” “pretend play games”, and “educational games”), it was only possible to search through 400 this time around.

As our research is based on the privacy policies of these apps, we can’t guarantee that the protections listed are actually implemented by each of these app developers. Privacy policies are also subject to change at any time, so may have altered since our research was conducted.

Researchers: Charlotte Bond, Rebecca Moody