Following our recent study which found that more than 1 in 4 children’s Google Play Apps breach Children’s Online Privacy Protection Act (COPPA) rules, we’ve taken a look to see how things compare on the Apple App Store.
Our findings suggest the same proportion of apps (1 in 4) are in potential violation of COPPA rules.
COPPA is governed by the Federal Trade Commission (FTC) and imposes a set of rules on developers/operators of online services and/or websites that are targeted toward children under the age of 13.
We’ve contacted Apple for a comment about our study and will update this article with any response.
- 1 in 4 (104 of 403*) children’s apps have privacy policies that suggest COPPA violations
- Nearly half of the apps that could violate COPPA do so because they fail to implement the right processes when it comes to data collection, e.g. automatically collecting IP addresses
- Five apps claim not to be targeted toward children despite two of them having “kids” in the title
- 70 percent of the apps with possible COPPA violations were within the main “education” category
*To collate the list of top apps we used the top 20 in each category (e.g. ‘draw and paint,’ ‘for little creatives,’ and ‘new apps we love’ as well as the top 50 paid and free apps) while removing any duplicates. This gave us 403 apps to review in total.
How are 26% of kids’ apps violating COPPA?
As we have already seen, nearly half of the apps (47%) that could be violating COPPA do so because they don’t have the correct protocols in place for processing children’s data. In many cases, this is a failure to provide clear information on how parental consent is obtained (if at all) and/or the automatic processing of IP addresses without parental consent.
A large number of apps (21%) also collect some form of PI but don’t have a child policy to explain how under 13s’ data is treated. This suggests it is treated the same as adults’ data. Another four percent of apps don’t have a child policy but share PI with third parties (something most of the 21 percent directly collecting PI will probably do, too).
In eight percent of cases, the apps placed responsibility on the children and/or parents to not send data. Finally, five percent of apps claimed not to be targeted toward children despite having “kids” in the app name or child-specific themes/images in the App Store.
What data are the apps with COPPA violations collecting?
According to the privacy policies of each of the apps that may not be adhering to COPPA, persistent identifiers (e.g. IP addresses) are frequently collected from children. Names, addresses, and online contact information (e.g. email addresses) are often collected from children, too.
As some apps’ privacy policies were very vague and/or non-existent, these figures only represent some of the data collection conducted by these COPPA-violating apps.
The biggest problem for many apps is the collection of persistent identifiers, which they often deem “non-personal.” However, individuals (or at least their WiFi routers) can be identified by IP addresses, and COPPA rules clearly state that persistent identifiers are PI.
What is COPPA and how does it apply to app developers?
According to the FTC, “COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.”
The “actual knowledge” wording is where COPPA lacks clarity, as there isn’t a specific definition for it. This is also why a lot of privacy policies use wording such as “We do not knowingly collect data from under 13s.”
The FTC suggested Epic was “aware that many children were playing Fortnite—as shown through surveys of Fortnite users, the licensing and marketing of Fortnite toys and merchandise, player support and other company communications—and collected personal data from children without first obtaining parents’ verifiable consent.”
What requirements does Apple place on children’s app developers?
According to section 5.1.4 of Apple’s App Store Review Guidelines:
It also suggests the app metadata (such as app names, subtitles, screenshots, and previews) should not include terms like “for kids,” “for children,” or any other wording that implies the main audience is children unless the app is intended for the Kids Category.
Of the 104 apps we found to be in potential violation of COPPA:
- 31 contained ‘kids,’ ‘children,’ or similar in the title
- 12 contained ‘kids,’ ‘children,’ or similar in the game icon
- 32 contained ‘kids,’ ‘children,’ or similar in the subtitle
- 40 contained ‘kids,’ ‘children,’ or similar in the screenshots
- 104 contained ‘kids,’ ‘children,’ or similar in the description
Is Apple liable under COPPA, then?
As the operator of an online service that’s targeted toward children, yes. And it can’t just argue that the developers should ensure their apps are suitable for children, either. Google tried to do something similar in the Attorney General of New Mexico vs. Tiny Lab Productions case when it argued that it was the developers’ responsibility to ensure their apps are suitable for children as they’ve contractually said they are. But the court dismissed this.
How did we score whether or not an app potentially violated COPPA rulings?
Based on COPPA’s guidelines, we looked at the privacy policy of each of the 403 apps listed in the App Store to see whether it:
- Was clear, comprehensive, and detailed what PI was collected from under 13s
- Gave parents clear information on the data collection, use, and disclosure practices of children’s data
- Described the need for parental consent before collecting any PI
- Allowed parents to review the PI collected from their children with ease
- Clearly described what data was collected for/by third parties, how this data was shared with them, and who each of the operators was (including name, address, and email address)
According to COPPA, PI is:
- A first and last name
- A physical address
- Online contact information
- A screen or user name that functions as online contact information
- A telephone number
- A Social Security number
- A persistent identifier, such as an IP address, a unique device identifier, or a customer number held in a cookie
- A photo, video, or audio file which contains the child’s image or voice
- Geolocation data
Methodology and limitations
We searched through the top 20 apps in each category on the Apple App Store (e.g. ‘draw and paint,’ ‘for little creatives,’ and ‘new apps we love’ as well as the top 50 paid and free apps) while removing any duplicates. This gave us 403 apps to review in total. We then reviewed each of these apps’ privacy policies (based on the link provided in the App Store).