1 in 4 Apple App Store kids’ apps breach Children’s Online Privacy Protection Act (COPPA) rules

Following our recent study which found that more than 1 in 4 children’s Google Play Apps breach Children’s Online Privacy Protection Act (COPPA) rules, we’ve taken a look to see how things compare on the Apple App Store.

Our findings suggest the same proportion of apps (1 in 4) are in potential violation of COPPA rules.

COPPA is governed by the Federal Trade Commission (FTC) and imposes a set of rules on developers/operators of online services and/or websites that are targeted toward children under the age of 13.

To find out how many of the top 400 children’s apps on the App Store comply with COPPA, our team looked at each app’s privacy policy (which is linked to from the App Store listing). We looked to see how it did or did not comply with COPPA and what types of personal information (PI) were collected.

Nearly 26 percent of the apps we studied had a potential COPPA violation. Most of these failed to follow the right protocols, e.g. having clear and comprehensive information on how parental consent is obtained. We also found that 16 apps didn’t have a privacy policy to review due to broken links, out-of-date websites, and links to other areas of the website that didn’t feature clear links to a privacy policy. A further 26 apps didn’t have a child policy at all, leaving data collection open to interpretation.

We’ve contacted Apple for a comment about our study and will update this article with any response.

Key findings

  • 1 in 4 (104 of 403*) children’s apps have privacy policies that suggest COPPA violations
  • Nearly half of the apps that could violate COPPA do so because they fail to implement the right processes when it comes to data collection, e.g. automatically collecting IP addresses
  • 16 apps fail to link to a working privacy policy
  • Five apps claim not to be targeted toward children despite two of them having “kids” in the title
  • 70 percent of the apps with possible COPPA violations were within the main “education” category

*To collate the list of top apps, we used the top 20 in each category (e.g. ‘draw and paint,’ ‘for little creatives,’ and ‘new apps we love’) as well as the top 50 paid and free apps, while removing any duplicates. This gave us 403 apps to review in total.

How are 26% of kids’ apps violating COPPA?

As we have already seen, most of the apps (47%) that could be violating COPPA do so because they don’t have the correct protocols in place for processing children’s data. In many cases, this is a failure to provide clear information on how parental consent is obtained (if at all) and/or the automatic processing of IP addresses without parental consent.

[Chart: App Store COPPA violations]

A large number of apps (21%) also collect some form of PI but don’t have a child policy to explain how under 13s’ data is treated. This suggests it is treated the same as adults’ data. Another four percent of apps don’t have a child policy but share PI with third parties (something most of the 21 percent directly collecting PI will probably do, too).

15 percent of the apps with COPPA violations fail to link to a working privacy policy. Most of these are broken links (e.g. a 404 message or websites that no longer exist) while some link to a homepage without a privacy policy link clearly displayed. If the link was to a homepage but a privacy policy link was clearly displayed there (as was the case with five apps), these weren’t classed as violating COPPA if the privacy policy met the requirements.

In eight percent of cases, the apps placed responsibility on the children and/or parents to not send data. Finally, five percent of apps claimed not to be targeted toward children despite having “kids” in the app name or child-specific themes/images in the App Store.

What data are the apps with COPPA violations collecting?

According to the privacy policies of each of the apps that may not be adhering to COPPA, persistent identifiers (e.g. IP addresses) are frequently collected from children. Names, addresses, and online contact information (e.g. email addresses) are often collected from children, too.

[Chart: PII collection, App Store]

As some apps’ privacy policies were very vague and/or non-existent, these figures only represent some of the data collection conducted by these COPPA-violating apps.

The biggest problem for many apps is the collection of persistent identifiers, as they often deem this data “non-personal.” However, individuals (or their WiFi router, at least) can be identified by IP addresses. And COPPA rules clearly state that persistent identifiers are PI.

What is COPPA and how does it apply to app developers?

According to the FTC, “COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.”

The “actual knowledge” wording is where there is some lack of clarity within COPPA as there isn’t a specific definition for this. This is also why a lot of privacy policies will use the wording “We do not knowingly collect data from under 13s,” for example.

However, the inclusion of this statement within a privacy policy doesn’t necessarily exempt an operator from COPPA’s requirements. For example, in late 2022, Fortnite video game maker Epic Games was ordered to pay a record-breaking $275 million penalty for its violation of COPPA.

The FTC suggested Epic was “aware that many children were playing Fortnite—as shown through surveys of Fortnite users, the licensing and marketing of Fortnite toys and merchandise, player support and other company communications—and collected personal data from children without first obtaining parents’ verifiable consent.”

What requirements does Apple place on children’s app developers?

According to section 5.1.4 of Apple’s App Store Review Guidelines:

“Apps in the Kids Category or those that collect, transmit, or have the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, the ability to chat, other personal data, or persistent identifiers used in combination with any of the above) from a minor must include a privacy policy and must comply with all applicable children’s privacy statutes. For the sake of clarity, the parental gate requirement for the Kid’s Category is generally not the same as securing parental consent to collect personal data under these privacy statutes.”

It also suggests the app metadata (such as app names, subtitles, screenshots, and previews) should not include terms like “for kids,” “for children,” or any other wording that implies the main audience is children unless the app is intended for the Kids Category.

Of the 104 apps we found to be in potential violation of COPPA:

  • 31 contained ‘kids,’ ‘children,’ or similar in the title
  • 12 contained ‘kids,’ ‘children,’ or similar in the game icon
  • 32 contained ‘kids,’ ‘children,’ or similar in the subtitle
  • 40 contained ‘kids,’ ‘children,’ or similar in the screenshots
  • 104 contained ‘kids,’ ‘children,’ or similar in the description

Is Apple liable under COPPA, then?

As the operator of an online service that’s targeted toward children, yes. And it can’t just argue that the developers should ensure their apps are suitable for children, either. Google tried to do something similar in the Attorney General of New Mexico vs. Tiny Lab Productions case when it argued that it was the developers’ responsibility to ensure their apps are suitable for children as they’ve contractually said they are. But the court dismissed this.

Unfortunately, there are still some gray areas when it comes to COPPA enforcement and the responsibilities of both app owners and app stores. However, when so many apps aren’t just violating COPPA rulings but Apple’s guidelines, too, it could be said that the current steps and regulations in place (from both COPPA and app stores) aren’t doing enough to safeguard children’s data. One app even says in its privacy policy that it isn’t “familiar with all of the above acronyms” when answering whether it is compliant with various rules including COPPA.

How did we score whether or not an app potentially violated COPPA rulings?

Based on COPPA’s guidelines, we looked at the privacy policies of the 403 apps listed in the App Store to see whether each policy:

  • Was clear, comprehensive, and detailed what PI was collected from under 13s
  • Gave parents clear information on the data collection, use, and disclosure practices of children’s data
  • Described the need for parental consent before collecting any PI
  • Allowed parents to review the PI collected from their children with ease
  • Clearly described what data was collected for/by third parties, how this data was shared with them, and who each of the operators was (including name, address, and email address)

According to COPPA, PI is:

  • A first and last name
  • A physical address
  • Online contact information
  • A screen or user name that functions as online contact information
  • A telephone number
  • A Social Security number
  • A persistent identifier, such as an IP address, a unique device identifier, or a customer number held in a cookie
  • A photo, video, or audio file which contains the child’s image or voice
  • Geolocation data

Methodology and limitations

We searched through the top 20 apps in each category on the Apple App Store (e.g. ‘draw and paint,’ ‘for little creatives,’ and ‘new apps we love’) as well as the top 50 paid and free apps, while removing any duplicates. This gave us 403 apps to review in total. We then reviewed each of these apps’ privacy policies (based on the link provided in the App Store).

As our focus is on privacy policies, some apps may provide the right parental protections via parental gates or emailed consent forms even though their privacy policy was found to be inadequate. Equally, privacy policies can change at any time so some may have been altered since our research was conducted.