An academic study published this week reveals that thousands of kids’ apps are collecting and transmitting personal information to third parties, in possible breach of COPPA (and soon, GDPR-K).
The research from academics at the University of California at Berkeley is the most comprehensive ever done to assess the data collection and sharing practices of the most popular kids’ games and apps, and the results were covered in The Guardian and elsewhere.
It demonstrates how hard it is to comply with COPPA using existing ad technology built for the adult market, compared with kidtech that is based on zero-data collection. It also usefully highlights the lack of common frameworks and standards among the regulators, the app stores and developers.
The researchers analysed 5,855 Android apps listed in Google’s Designed for Families (DFF) section of the Play Store. They found that well over half appeared to be breaching COPPA by collecting and sharing personal information (such as email, or device ID, or geo-location) without first obtaining parental consent.
Does kidtech make a difference?
Well, the SuperAwesome SDK is also present in hundreds of the apps analysed in this research piece. It delivers premium, contextually-targeted advertising without collecting or sharing any persistent identifiers or other personal data. Any apps which were solely using SuperAwesome would not have ended up on this list.
This research is not perfect. Many of the tests on age-gated apps were likely done in ‘adult mode’. This explains why some of the apps called out in the report, which are age-gating in accordance with COPPA, look like they are breaching the law when in fact the test framework was not running in an environment subject to COPPA.
However, the authors draw attention to some very important issues:
- Many apps’ data collection practices do not match their privacy policies. This is easy and important to fix.
- Many apps still don’t use basic technical means to secure data transmission (e.g. TLS), which is also easy to fix.
- Google does not properly enforce its own terms on using the Android Advertising ID, which is not meant to be combined with other persistent identifiers.
- In a majority of cases, technology designed for the adult market is configured improperly, or not at all, for the compliance requirements of the kids market. Signaling systems (COPPA flags) are ineffective.
- COPPA could (a) be more rigorously enforced by the FTC, and (b) be updated to reflect modern practices. For example, children have grown accustomed to circumventing age gates, and regulators should work with industry to come up with better approaches to ensure under-13s don’t access inappropriate services without parental consent.
And finally, if we’re talking about protecting children’s data privacy and online safety, a much greater problem than apps ‘designed for families’ is the apps that clearly market themselves to kids while being blatantly non-compliant with COPPA and often including unsavoury content.
By not joining Google Play’s DFF program, operators like these breach Google’s terms (‘apps primarily directed to children must list in the DFF’), harvest children’s personal data for almost certainly illegal profiling, and sully the reputation of all children’s digital content.