A new study has found that more than two out of five apps on the Google Play app store are breaching the ‘COPPA 2.0 Rule’.
Parents in the U.S. who only recently welcomed the second version of the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) will undoubtedly be infuriated to know how weak the protections put in place by app developers and official app stores are.
Comparitech told Techopedia that a study of 500 popular children’s apps on Google Play found that two in five breached COPPA 2.0.
The apps have been downloaded more than 1.5 billion times, collect data from children under 13, and request access to their personal data, media, and even the camera.
On September 23, Comparitech contacted Techopedia to share research with us two days before it was published.
Comparitech researchers analyzed about 500 popular children’s apps available on Google’s Play Store. They said that about half of developers and the Google Play Store are not taking COPPA 2.0 seriously.
Many of the tested children’s apps collect personal information and track children’s behavior, to then target them with apps or pass the information to third-party providers. Some apps claim that they were not developed for children, trying to create loopholes in the COPPA 2.0 rule designed specifically to protect those under 13.
More concerningly, other developers’ privacy policies appear to be written to pass COPPA 2.0 standards, while the apps themselves appear designed to breach them.
The yearly study warns that the situation is getting worse every year. In 2022, only 1 in 5 apps on Google Play breached COPPA 2.0, while in 2023, that number rose to 1 in 4. Today, that number settles at more than 2 out of 5.
About COPPA 2.0
According to Common Sense Research, 43% of tweens (ages 8 to 12) and 88% to 95% of teens (ages 13 to 18) have their own smartphone. Of these millions of teens and children, those under 13 are protected under COPPA 2.0.
The Children and Teens’ Online Privacy Protection Act (COPPA 2.0) — a modernization of the 1998 COPPA — was enacted specifically to protect these kids and teens.
This new update establishes a wide range of protections and responsibilities for online companies, developers, and related industries. COPPA 2.0 not only establishes protections for kids under 13 but for teens under 17 as well.
Among other things, the rule prohibits apps, websites, and online companies from collecting personal information without parents’ or teens’ consent.
It also bans targeted advertising, demands an ‘erase my personal data button’ for parents and kids to eliminate personal information and online content, bans cross-tracking, requires data portability, and much more. Despite the clear language of the law, breaches are rampant in the kids’ app industry.
Rebecca Moody, Head of Data Research at Comparitech, spoke to Techopedia about the findings of the study.
“This latest study highlights the growing number of children’s apps available on Google Play that are not only in potential violation of COPPA but also request permissions that aren’t covered in their privacy policy.
“This means that even with good, in-depth legislation and guidelines (COPPA and Google’s requirements for app developers) and due diligence from parents, children are still at great risk of being exposed to unsafe apps and/or having their data privacy violated.”
Researchers at Comparitech found that about half (45%) of all apps examined had some kind of COPPA violation. This signals a trend of app developers and app stores breaching, in large numbers, the law enacted to protect children.
In this trend, apps are using a ‘double-personality’ strategy. On the one hand, they discuss the importance of children’s digital safety and even develop privacy policies to meet laws, but on the other hand, they integrate features into the app that breach the law.
Six percent of apps examined had the words “kids” or “toddler” in their name but still declared that their app was “not for children”.
All apps in violation of the COPPA Rule also received Google’s Teacher Approved badges. Having a Teacher Approved badge means that the app was reviewed by teachers and specialists at one point.
Ironically, of all the apps in breach, the only one without a Teacher Approved badge had a COPPA-compliant outliner.
181 apps were found to be gathering personal information from children, including IP addresses, cookies, and other personal data.
Additionally, each non-compliant app requests invasive permissions including:
- Permission to access the Internet (send data back and forth) and perform network operations.
- Permission to prevent a phone from going into sleep mode.
- Permission to notify users that the app is running in the background.
- Permission to read and write data in external storage.
- Permission to access the camera.
- Permission to record audio.
- Permission to read media images.
- Permission to read video and audio media.
In response to Comparitech researchers’ questions, Google said:
“Google Play takes the protection of children on its platform seriously. Play has policies and processes in place to help protect children on our platform and has invested significant resources into related features.”
The tech giant aimed its guns at developers at the end of its statement:
“Developers are responsible for ensuring their apps are compliant with all relevant laws and appropriate for their target audiences, including children.”
This Google statement is a familiar one. In court, platform or technology companies often turn to the strategy of blaming users or developers for things hosted on their channels, social media, or app stores.
For example, in Attorney General of New Mexico vs. Tiny Lab Production, a case brought against Tiny Lab, Google, and others for observing children while they play online and tracking them across their devices and the internet, Google argued that only app developers should be liable due to contractual obligations, a notion that the court dismissed.
The Bottom Line
The Comparitech study reveals a dangerous trend: app developers and Google Play Store are both failing to comply with laws designed to protect children.
The breaches found in this report show that developers are intentionally attempting to deceive parents and teens by issuing badges that should never have been issued and gathering data they should not be gathering.
Nearly half of the examined apps breached COPPA, which also reveals that many developers working in the children’s app sector have embraced the false perception that regulations like COPPA are just a box to tick in the approval process.
The problem may very well be the lack of enforcement and the government’s ability and political will to make sure legislation is followed.