A new study titled Proceedings on Privacy Enhancing Technologies has found that more than half of Android apps directed toward children under 13 potentially violate the US Children’s Online Privacy Protection Act (COPPA), as reported by The Guardian. Additionally, the study — led by researchers at the International Computer Science Institute at the University of California, Berkeley — says the apps that are improperly collecting and sharing data are all included in Google’s Designed for Families program.
The study looked at 5,855 child-directed apps, and the researchers said they “identified several concerning violations and trends.” According to the study, 4.8 percent had clear violations surrounding sharing location or contact information without consent, 18 percent shared identifiers for ad targeting, 40 percent shared personal information without proper security protocols, and 39 percent disregarded “contractual obligations aimed at protecting children’s privacy.”
In total, 28 percent of the apps accessed sensitive data protected by Android permissions, and 73 percent of the apps transmitted said sensitive data over the internet. Some of the apps named in the report include KidzInMind, TabTale’s “Pop Girls–High School Band,” and Fun Kid Racing.
While Google’s Designed for Families program provides developers with information on COPPA and says it requires they certify compliance, enforcement does not appear to be thorough. The report notes that while developers and SDKs have a financial incentive to ignore violations (restricting data collection results in lower revenue), the researchers suspect that “many privacy violations are unintentional and caused by misunderstandings of third-party SDKs.”
COPPA was enacted by Congress in 1999 and was created in order to protect the privacy of children online. The act requires that companies designing apps for children under the age of 13 obtain consent from parents before collecting personal information. In 2013, the FTC revised COPPA to also include geolocation markers, IP addresses, and a mandate that third-party advertisers comply with these rules as well.
This is far from the first time child-directed apps have been found in violation of COPPA. Last year, a federal class action lawsuit was filed against Disney, alleging that 42 of its apps were collecting and sharing data with advertisers without parental consent. A similar complaint about selling information on underage users to advertisers was also leveled against YouTube last month. In January, VTech Electronics — the parent company of popular educational brand LeapFrog — agreed to settle for a fine of $650,000 after charges that it violated children’s privacy.