Nearly 1 in 4 children’s Google Play Apps breach the ICO’s age-appropriate design code

According to data collected by our researchers, 1 in 4 children’s apps available on Google Play don’t comply with the UK’s Information Commissioner’s Office age-appropriate design code.

The ICO’s age-appropriate design code, or children’s code, features 15 standards to which online services must adhere. This includes app developers targeting children under 18 as well as those that may appeal to children through imagery or terminology used by the app.

Searching through the apps listed under the children’s section on Google Play, our team reviewed the privacy policies of just over 400 apps to see whether or not the individual criterion stipulated by the ICO were being met. We also looked at what personal information the apps were gathering, including persistent identifiers like internet protocol (IP) addresses.

Almost 25 percent of the apps we reviewed were found to be in possible violation of the ICO’s guidelines in some way.

The vast majority collected some kind of personal data without a clear and comprehensive section on children’s data protection within their privacy policy. Perhaps even more concerning was that 5.5 percent of the apps we reviewed claimed not to be targeted toward children, despite being featured within the child-specific section on Google Play and sometimes featuring the word “kids” in the app name.

In June 2021, our team conducted a similar study but based on the US’ COPPA regulations and found that 1 in 5 children’s Google Play Apps breached these rules. With the ICO’s guidelines being quite similar to COPPA, the fact that 1 in 4 apps now appear to violate these codes suggests the problem is getting worse rather than better.

We contacted Google about our findings and a spokesperson provided us with the following:

Google Play takes the protection of children on its platform seriously. Play has policies and processes in place to help protect children on our platform and has invested significant resources into related features. Apps that target children must comply with our Google Play Families Policy, which requires developers to adhere to all relevant laws and all of Play’s Developer Program Policies, plus imposes additional privacy, monetisation, and content restrictions like prohibiting access to precise location data. Developers are responsible for ensuring their apps are compliant with all relevant laws and appropriate for their target audiences, including children.

Key findings

  • 1 in 4 (96) apps have privacy policies that suggest ICO violations
  • These apps were downloaded by more than 383 million users
  • 100 percent of apps that potentially violate the ICO have received an “expert-approved” badge
  • 5.5 percent of the privacy policies we reviewed suggested the services were not intended for children, even though all of them bar one had a PEGI 3 age rating (suitable for all ages). One had a PEGI 7 rating (suitable for 7-year-olds and over)
  • Over 11 percent of the apps’ privacy policies we studied either collected personal data without a child-specific policy or were vague, open to interpretation, or unclear. A further 4 percent have data collection practices without the right parental permission/protocols in place (e.g. clear consent)
  • 19 apps with good child data protection principles mentioned the collection of IP addresses as “non-personal” data, despite this being stipulated as personal data by the ICO and within the GDPR

How are 24% of children’s apps potentially violating the ICO?

To see how the apps may be violating the ICO’s code, we created six categories and placed each offending app into one of these categories. These were:

  • App claims not to be aimed at children (but collects personal data)
  • App has no child policy but collects some form of personal data/is open to interpretation (may also share with third parties)
  • App has no child policy or data collection but third parties may collect data
  • App contains some data privacy protections but asks children to get parental permission before downloading or to not submit PI, or it puts the onus on parents to monitor their child’s app use or requests them to contact for more information on privacy principles
  • App collects data without parental permission/without the right protocols. For example, some apps include data privacy sections and/or suggest that they are “COPPA compliant.” But as per the ICO rules, it should give a clear indication of its data protection principles when collecting certain data. Simply saying it adheres to COPPA or “protects children’s data” isn’t adequate
  • Privacy policy not working

As mentioned above, and as we can see from the below chart, nearly half of the apps that potentially violate the ICO are collecting data without having a comprehensive, child-specific privacy policy in place. When a privacy policy stipulates that the app is collecting certain PI, it should also include a separate, detailed section on how children’s data privacy is ensured. If absolutely no personal data was collected, such a section wouldn’t be required.

Another 23 percent of the apps with possible ICO violations suggested that the app wasn’t targeted toward children. These privacy policies often include wording such as “Our services do not address anyone under 18” even though their app age rating (which is submitted by the app developers and reviewed by Google) was labeled as PEGI 3 (suitable for everyone) by all of the apps except one, which was labeled for 7-year-olds and older.

18 percent of the apps with possible violations fail to implement the correct protocols for collecting children’s data. This could be through a vague policy that fails to stipulate how children’s data is protected. For example, nine apps belonging to six different developers had the statement “We comply with the Children’s Online Privacy Protection Act (COPPA)” but failed to detail how they comply and what practices are in place. They also appeared to have incredibly similar sentences (word-for-word in many cases), suggesting that some of the text had been copied.

3 percent of the apps don’t collect data themselves but work with third parties that potentially do (these are primarily third-party adverts and analytics). The ICO indicates that, in such cases, a comprehensive privacy policy is required, as is in-depth detail on the third parties the data is being shared with. Developers should also ensure these third parties adhere to the ICO guidelines.

A further 5 percent of app privacy policies tried to suggest that parents or children should be responsible for ensuring the data privacy of the user. And three apps failed to display a working privacy policy, either due to the website being unavailable or the text being unavailable on the website link provided.

Finally, as mentioned above, 19 apps with good children’s data protection principles mentioned the collection of IP addresses as “non-personal” data, despite this being stipulated as personal data by the ICO and within the GDPR. We didn’t feel these were full violations of the ICO because the developers’ privacy policies would likely protect the use of IP addresses by the developers themselves or third parties, but it is still concerning to see the lack of understanding surrounding IP addresses as personal data–something we discuss in more detail below.

100% of the apps that could violate the ICO are “teacher-approved”

On the main landing page for children’s apps on the Play Store, Google stipulates that all of the apps and games listed there are expert-approved. When an app is expert-approved (also known as teacher-approved), it has a badge (a medal icon with a tick in it), indicating that it has reportedly received a high level of checks to ensure it meets Google’s standards for kids’ apps.

Google Expert Approved

In Google’s “Teacher Approved” program, apps that have already been through Google’s first layer of review—to ensure they fit in the right age category—go through an additional process to receive the expert-approved badge. During this stage, the apps are assessed on multiple things, including their appeal to children, how age-appropriate they are (e.g. with in-app adverts and purchases), and their design quality.

As all of the apps on this homepage receive the expert-approved badge, this means all of the ICO-violating apps we could have found also have this accolade. This, therefore, suggests that even apps that claim not to be aimed at children or have no child-specific protections in place have been through two quality control checks and have been approved as suitable for children.

What data are the apps collecting?

According to what information is stipulated in their privacy policies, the apps that could be violating the ICO collect the following data:

As we’ve already noted, the biggest issue for most apps is the collection of IP addresses (or other persistent identifiers). In many cases, these are categorized as “non-personal” information, especially if they aren’t used alongside any other personal data. However, IP addresses can often be used to pinpoint the locations of individuals, or Wi-Fi routers at least. And the ICO clearly stipulates in its guidelines, “What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.”

The technical details, the gray areas, and the legal jargon

In order to understand why so many kids’ apps appear to be in direct violation of the ICO’s guidelines, let’s take a look at what the guidelines enforce, how they’ve been implemented, and what steps Google takes to safeguard children’s app usage.

What is the ICO age-appropriate design code?

Under the Data Protection Act 2018, the ICO has to have four codes of practice. One of these is age-appropriate design. This statutory code contains 15 standards that online services (including apps, games, news services, and connected toys and devices) have to follow. This ensures these services are protecting children’s online data by complying with the relevant data protection laws.

Who does the ICO age-appropriate design code apply to?

According to the ICO, the code applies to “information society services likely to be accessed by children.” It also goes on to say that the majority of for-profit services are classed as “information society services” and are, therefore, obligated to comply with the code.

So, if an app is likely to be accessed by a child under the age of 18, even if it’s not specifically aimed at them, it probably has to comply with the code.

The code isn’t just for UK-based companies, either. Rather, any non-UK company that’s processing the data of UK children should comply.

What do app developers need to do to ensure they comply with the code?

To remain within the code, app developers should have:

  • A map of the personal data they are collecting from UK children
  • Age-verification
  • Geolocation services switched off as default
  • No nudge techniques that may encourage children to hand over more personal data
  • A high privacy level as default

Google’s requirements for children’s apps (and how it reviews these apps)

The Google Play Families Policies suggest developers must indicate who their target audience is by selecting one of the age groups provided before publishing the app. Equally, even if an app isn’t intended for children by the developers but contains terminology or imagery that may be considered as targeting children, this can have an impact on what audience Google Play believes the app is targeting.

If an app is targeting more than one age group, it must be ensured that the app is appropriate for all of these users. And where an app is deemed suitable for all age groups, it must have been designed to include and protect all ages.

Google also has a number of other stipulations for children and family apps. This includes the disclosure of any personal and/or sensitive information from children. The apps must also comply with relevant laws and regulations, including the U.S. Children’s Online Privacy and Protection Act (COPPA) and the E.U. General Data Protection Regulation (GDPR), upon which the ICO’s guidelines are based.

Whose responsibility is it to adhere to the ICO’s guidelines, then? Google’s? The app developers? Or both?

As the ICO’s guidelines are only just over a year old, there aren’t any specific case examples as of yet. However, on its one-year anniversary of the age-appropriate design code, the ICO did suggest it was “looking into how over 50 different online services are conforming with the code, with four ongoing investigations. We have also audited nine organisations and are currently assessing their outcomes.”

Ultimately, the book starts with the developers creating the apps and their obligation to comply with the ICO’s statutory code. But in approving and reviewing each of these apps (and, in most cases, “expert approving” the apps), Google may have some liability under the ICO when publishing the apps to its Play Store.

The ICO’s enforcement powers mean it can issue fines of up to £17.5 million or 4 percent of an organization’s annual worldwide turnover–whichever is higher.

How did we establish whether or not an app potentially violated ICO guidelines?

Using the ICO’s list of fifteen standards, we looked at the privacy policies of 402 apps that appeared on the Google Play tab for “Children.” We assessed each app to see whether it:

  • Carries out data protection impact assessments
  • Has a transparent privacy policy, tailored to the targeted age group
  • Contains detrimental use of data
  • Has default settings that are high privacy (and opt-in is used for all privacy controls)
  • Offers minimal data collection
  • Shares data in a way that ensures the child’s best interests
  • Ensures third parties adhere to privacy protection principles
  • Collects a user’s geolocation
  • Describes the parental controls in place (tailored to the targeted age group)
  • Makes sure profiling is off by default and clearly described
  • Has a clear privacy policy surrounding connected devices/toys (if applicable)
  • Offers online tools to exercise data privacy rights, e.g. right to delete or alter data

According to the ICO and GDPR, personal data is information that relates to an identified or identifiable individual. This includes someone’s name, for example, but, as we’ve already highlighted, it also includes other identifiers, such as an IP address. It is in this area that so many apps fail to provide the correct provisions and are, therefore, in possible violation of the ICO’s guidelines.

Methodology and limitations

We searched through the Google Play Store tab for Children, selecting 50 apps from each individual category, e.g. “family apps,” “enriching games,” and “action games for children.” In some cases, apps may have been duplicated across more than one category or a category may not have had 50 apps within it, in which case, up to 50 or as many as were available were collated. Then, we reviewed each of the listed privacy policies for the 402 apps for the aforementioned details.

As our research is based on the privacy policies of these apps, we can’t guarantee that the protections listed are actually implemented by each of these app developers. Privacy policies are also subject to change at any time, so may have altered since our research was conducted. Equally, as all of the apps listed on this landing page are “expert-approved,” this label may be removed if the app is no longer listed on the page. However, all of the apps reviewed in January and February while conducting this research contained the “expert-approved” badge.

Data researcher: Charlotte Bond