Using an “automatic evaluation of the privacy behaviours of Android apps,” a team of university researchers and computer scientists concluded that of 5,855 apps in the Play Store’s Designed for Families program, 28 percent “accessed sensitive data protected by Android permissions” and 73 percent of the applications “transmitted sensitive data over the internet.” Though the survey noted that simply collecting that information did not necessarily violate the Children’s Online Privacy Protection Act (COPPA), a federal law limiting data collection on children under 13, “none of these apps attained verifiable parental consent” as required under the law since their automated tool was able to activate them.
Among the most concerning findings was that approximately 256 apps collected geolocation data, 107 shared the device owner’s email address, and 10 shared phone numbers.
1,100 shared persistent identifiers, which can be used for behavioural advertising techniques that are banned for use on children by COPPA. 2,281 transmitted Android Advertising IDs, which Google requires developers and SDKs to use as the sole persistent form of ad tracking and allows users to clear their use histories, alongside other information in a method that could “completely negate” AAID privacy protections. That means those apps appear to be in violation of Google policy.
The authors wrote the results show that many apps are likely playing fast and loose with both Play Store policy and the law:
We identified several concerning violations and trends: clear violations when apps share location or contact information without consent (4.8%), sharing of personal information without applying reasonable security measures (40.0%), potential noncompliance by sharing persistent identifiers with third parties for prohibited purposes (18.8%), and ignorance or disregard for contractual obligations aimed at protecting children’s privacy (39.0%). Overall, roughly 57% of the 5,855 child-directed apps that we analyzed are potentially violating COPPA
Again, this was all done via automated methods, and it’s possible that some of the apps in question were not collecting data in ways that violate COPPA. But the authors contest that the sheer number of apps with tracking functions indicated that non-compliance was widespread, and that the their sample was large enough to be representative of the wider app economy. And though platforms like the Play Store and Apple’s App Store are exempt from COPPA, this sample came from the Play Store’s pool of vetted family-friendly apps.
Per Engadget, the sheer number of apps flooding into the Play Store (over 2,700 a day) means many may not be undergoing manual review. It may well be that some app developers are simply not aware of COPPA rules, especially when apps are intended for audiences of variable ages. The study did not include any iOS apps.
In recent months, activists have been pressuring the Federal Trade Commission to take action against a number of big corporations they allege are illegally directing ad-targeting tools at children, including Disney and YouTube. In the past, Engadget notes, the FTC has settled with companies including Yelp for COPPA violations, and New York state settled with Hasbro, JumpStart Games, Mattel, and Viacom over COPPA violations in 2016. But as this study shows, it’s likely attempts to dodge regulations to deliver targeted ads to kids remain rampant online. [Privacy Enhancing Technologies Symposium via Engadget]