According to data collected by our researchers, more than 2 in 5 children’s apps available on Google Play might not adhere to COPPA rules. This is yet another decline in compliance following our reports in 2022 (1 in 5 apps) and 2023 (1 in 4 apps).
COPPA, imposed by the Federal Trade Commission (FTC), enforces a number of requirements for operators of websites or online services that are aimed at those under 13. It also applies to operators of other websites and online services who have actual knowledge that they’re collecting personal information from people under 13.
Searching through 498* of the most popular children’s apps available through Google’s Play Store, our team reviewed each app’s privacy policy to see whether or not they met key COPPA regulations. We also established what personal information (PI) could be collected by the app and whether its privacy policy included a clear and comprehensive section on collecting children’s data.
Nearly 45 percent of all the apps we studied had some kind of COPPA violation. The majority of these apps discuss the safeguarding of children’s information but fail to put the right measures in place to do so. More worrying still, over six percent of all the apps we investigated declared that their services aren’t targeted toward or do not address children–including apps with “kids” and “toddler” in their name.
In this update, we analyzed the permissions requested by the apps after download. This enables us to see how many apps request potentially invasive permissions that could put children’s privacy and safety at risk** and whether the possible violations of the privacy policy are mirrored in the actual permissions requested by the app. We also find out whether or not apps with COPPA-compliant privacy policies omitted any permissions requested by the apps.
*Two apps were no longer available on Google Play after we collated our data.
**Invasive permissions are those that request access to certain data and settings on the device that could pose a threat to children’s privacy and safety. For example, some apps may require access to the camera for the functionality of the app but if the app is granted permission to use the camera at all times (e.g. when the app isn’t in use), hackers could turn on the camera and take pictures without the user being aware.
We contacted Google about our findings and a spokesperson provided us with the following:
Google Play takes the protection of children on its platform seriously. Play has policies and processes in place to help protect children on our platform and has invested significant resources into related features. Apps that target children must comply with our Google Play Families Policy, which requires developers to adhere to all relevant laws and all of Play’s Developer Program Policies, plus imposes additional privacy, monetization, and content restrictions like prohibiting access to precise location data. Developers are responsible for ensuring their apps are compliant with all relevant laws and appropriate for their target audiences, including children.
Key findings
- Over 2 in 5 (222) children’s apps have privacy policies that suggest COPPA violations
- These have been downloaded by over 1.53 billion users
- ALL of the apps that violate COPPA have received a “teacher-approved” badge
- Over six percent (31) of all the company privacy policies we reviewed contained claims that the respective apps were not intended for children, despite being within the “Everyone” age category on Google Play
- Each app requested, on average, 8.2 permissions. 5.7 permissions per app could be deemed invasive e.g. requesting access to personal data, network and/or system settings, and even media stored on the device
- Of the 40 apps that request the ‘CAMERA’ permission, only two mentioned access to photos in their privacy policies, and one of these had no child-specific data protection section within its privacy policy
How are 45% of children’s apps violating COPPA?
As mentioned above, and as we can see from the below chart, 53 percent of the apps that are possibly violating COPPA are collecting data without having the right protocols in place (e.g. obtaining parental consent). A further 15 percent don’t have any form of child data collection policy but collect PI. If the privacy policy indicates that any PI is collected, COPPA stipulates a separate section on how the developers ensure children’s safety should be included. If the app didn’t collect any data whatsoever, this wouldn’t be necessary.
Another 14 percent claim their apps aren’t intended for children, despite the fact the app falls under the “Everyone” age limit on Google Play. These apps would also fall under section 312.2 of COPPA (which we explore in more detail below). This section discusses subject matter, visual content, and other child-orientated features that all of these apps contain.
18 percent of the apps we flagged try to place the onus on parents or children, asking children to refrain from submitting PI to the app or for parents to monitor their child’s app usage. Apps should request parental consent from the outset if they’re to collect PI. They shouldn’t expect parents to look into this themselves, and they certainly shouldn’t expect children to read privacy policies before submitting data.
One app that didn’t have a child-specific section said it didn’t collect data but potentially worked with third parties that do (e.g. third-party adverts and analytics). In this case, a child-specific section and parental consent are necessary, as is in-depth detail about each third party.
ALL of the apps that violate COPPA are “teacher approved”
As a parent, you’d be forgiven for assuming a Google Play app displaying the “teacher approved” badge (a medal with a tick in it) has been through rigorous checks to ensure full compliance and child safety for the recommended ages. For example, the app below (which is suitable for all ages) has a teacher-approved badge.
Google’s “Teacher Approved” program requires apps to go through an additional layer of review (the first is for the submission into family/children categories–as we explore in more detail below). In this review, teachers and specialists evaluate the apps based on multiple criteria, including design quality, appeal to children, and age appropriateness (including in-app adverts, purchases, and cross-promotions).
All but one of the apps we reviewed received this teacher-approved tick and, ironically, the one outlier had a COPPA-compliant privacy policy. The rest of the non-compliant apps and their privacy policies have been through two layers of review and have still passed quality control despite being in breach of COPPA’s standards.
What data are the COPPA-violating apps collecting?
According to what is stipulated in the apps’ privacy policies, the apps that aren’t adhering to COPPA guidelines collect the following information from child users (some apps may describe the data collected from adults but this hasn’t been included in the below):
IP addresses (or other persistent identifiers) are the biggest downfall for the majority of apps. This may be due to these often not being seen to be “PI” unless they are collected alongside other personal data. However, IP addresses are often easily attributed to individuals (or, at the very least, Wi-Fi routers). And, the Amended Rule applied to COPPA from July 1, 2013, stipulates that persistent identifiers, such as customer numbers held in cookies or IP addresses, are classified as PI.
This time around, 181 of the apps in potential violation of COPPA rules collected persistent identifiers. This is a significant increase from the 99 we found in the last study.
But how does what’s stipulated in the privacy policy compare to the actual permissions requested by the app upon download?
Children’s Google Play Apps request 5.7 potentially dangerous permissions on average
In an update to our report this year, we’ve analyzed 385 of the apps within this study to see which permissions they request when downloaded. According to our findings, each app (compliant or not) requests 8.2 permissions on average. Each app requests 5.7 potentially invasive permissions–on average.
Apps with COPPA-compliant privacy policies request 7.9 permissions on average and 5.6 invasive permissions on average. Non-compliant apps request 8.7 permissions on average and 5.8 invasive permissions on average. So while the privacy policies implemented may vary significantly, it appears the typical permissions requested do not.
The top 5 invasive permissions requested by children’s apps on Google Play
According to our analysis, the following are the top five invasive permissions requested by children’s apps on Google Play:
- INTERNET – Permission to access the Internet and perform network operations.
- ACCESS_NETWORK_STATE – Permission to access information about network connections (e.g. whether a network is available).
- WAKE_LOCK – Permission to prevent the phone from going into sleep mode.
- BIND_GET_INSTALL_REFERRER_SERVICE – Used by Firebase to recognize where the app was installed from.
- FOREGROUND_SERVICE – Notifies users that the app is continuing to run in the background.
The most common permissions like INTERNET and ACCESS_NETWORK_STATE were found in the vast majority of apps. These permissions give apps the ability to transmit data online, which can lead to significant privacy issues if mishandled. And with such a high number of apps not detailing how they safeguard children’s data in their privacy policies, the risk of exploitation is exceptionally high.
Worse still, we found 393 invasive permissions across all of the apps that granted access to some form of personal data/phone data (one app may have more than one of these permissions).
For example:
- WRITE_EXTERNAL_STORAGE – permission requested by 121 apps (46 non-compliant apps)
- READ_EXTERNAL_STORAGE – permission requested by 106 apps (45 non-compliant apps)
- CAMERA – permission requested by 40 apps (21 non-compliant apps)
- RECORD_AUDIO – permission requested by 33 apps (15 non-compliant apps)
- READ_MEDIA_IMAGES – permission requested by 22 apps (13 non-compliant apps)
- READ_MEDIA_VIDEO – permission requested by 20 apps (11 non-compliant apps)
- READ_MEDIA_AUDIO – permission requested by 18 apps (11 non-compliant apps)
If we look at the apps that request access to media files and/or the camera, we can see that even those with COPPA-compliant privacy policies often omit crucial details about their app permissions. Of the 19 COPPA-compliant apps that had the CAMERA permission, just one had detailed that media may be collected in its privacy policy. Only one app with the RECORD_AUDIO permission had stipulated access to media in its privacy policy, and none of the apps with READ_MEDIA_IMAGES, READ_MEDIA_VIDEO, or READ_MEDIA_AUDIO included this in their privacy policies.
This suggests that the lack of COPPA compliance within children’s apps on Google Play runs a lot further than an inadequate privacy policy. One could even suggest that an app that appears to have a good privacy policy but requests permissions beyond those stipulated within this policy is worse than an app with a poor privacy policy.
Why?
Parents may be more likely to allow their children to play on apps that have clear and seemingly comprehensive privacy policies. But if these policies aren’t 100% clear on what the app has access to, this leaves their children’s data open to exploitation, particularly when the vast majority of these apps request access to the internet.
The technical details, the gray areas, and the legal jargon
To better understand how so many apps appear to be in violation of COPPA, it’s important to point out the technicalities of the legislation, how it has been interpreted, and what additional safeguards Google has in place.
What is COPPA?
In 1998, Congress enacted the Children’s Online Privacy Protection Act. The Federal Trade Commission (FTC) was given authority to issue and enforce the act, which became effective on April 21, 2000. In 2012, the FTC amended the COPPA rule (with these changes coming into effect on July 1, 2013).
Who does COPPA apply to?
COPPA applies to:
- Operators of commercial websites and online services (including mobile apps) that are directed toward children and collect, use, or disclose personal information (PI) from under 13s
- General websites/online services with actual knowledge of the collection, use, or disclosure of PI from under 13s
- Operators with actual knowledge that they are collecting under 13s’ PI from users of other websites or online services (e.g. plug-ins, advertising networks, and other third parties)
What is “actual knowledge” according to COPPA?
This is a gray area within COPPA as there is no specific definition. Rather, the FTC offers guidelines, such as: “An operator has actual knowledge of a user’s age if the site or service asks for – and receives – information from the user that allows it to determine the person’s age.” And, “Third-party sites or services may have actual knowledge under COPPA, too. For example, if the operator of a child-directed site directly communicates to an ad network or plug-in about the nature of its site, the ad network or plug-in will have actual knowledge under COPPA. The same holds true if a representative of the ad network or plug-in recognizes the child-directed nature of the site’s content.”
So, if an app developer states in its privacy policy that they “do not knowingly collect data from children under the age of 13,” (as over 5% do) are they covered?
Not necessarily, no.
In 2014, TinyCo, Inc., an app developer for kids’ games like “Tiny Pets,” “Tiny Zoo,” and “Tiny Village,” was hit with a fine from the FTC for violating COPPA regulations. It would request email addresses and social network details in exchange for game goodies. This, according to the FTC, enabled TinyCo to illegally collect children’s email addresses (something the company denied knowledge of).
However, the case provided clarification as to what apps or websites may be classed as “directed at children,” highlighting section 312.2 of COPPA:
“subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children.”
It was this “directed at children” stance that the FTC took against TinyCo, but they had also received messages from parents who complained about the app’s collection of their child’s data. This direct contact from parents is now widely regarded as giving app developers “actual knowledge,” too.
More recently, Fortnite (Epic Games) was ordered to pay a $275 million penalty for its violation of COPPA. The FTC alleged that Epic was aware that many of its players were under 13 but for the first two years it was in operation it failed to obtain parental consent before obtaining personal information from children.
Google’s requirements for children’s apps (and its liability for reviewing these apps)
Google’s Designing Apps for Children and Families policy (DFF) suggests that app developers must indicate the target audience for their app, prior to publishing, by selecting from the list of age groups provided. Age groups under 13 are classed as targeting children (in countries where children are defined as being over 13 years old, different laws may apply). After submitting, Google states that the developer’s “app will be reviewed for eligibility in the Designed for Families program.”
Google also has numerous requirements for children and family apps, including that they “must disclose the collection of any personal and sensitive information from children in your app, including through APIs and SDKs called or used in your app.” The apps must also comply with COPPA (among other things).
Whose responsibility is it to adhere to COPPA, then? Google’s? The app developers? Or both?
A recent case involving the Attorney General of New Mexico vs. Tiny Lab Productions and various big tech giants, including Google, gives us an idea as to what extent Google and app developers are liable under COPPA.
In this particular case, New Mexico’s Attorney General brought action against Tiny Lab, Google, and others in a bid to prevent them from observing children while they play online and from tracking them across their devices and the internet. It referenced two of Google’s services as an issue within the litigation–its SDK (the AdMob SDK) and its “Family” section on the Play Store.
The court ruled that the automated exchange of data between an SDK and its server isn’t enough to substantiate “actual knowledge.” But a court may reasonably conclude that the steps taken to review the requirements for a child-directed app would give the party “actual knowledge.”
Google argued that only the app developers should be liable as they have contractually promised that their apps are suitable for children. But the court dismissed this notion. Nevertheless, Tiny Lab’s apps were removed from Google Play when the lawsuit was filed and remain off the store to this date.
Overall, then, even though some gray areas remain, the above highlights how app developers could be found in violation of COPPA if their apps show clear signs that they’re aimed at children and are submitted to app stores, like Google Play, under that guise. Furthermore, Google may be liable under COPPA when approving these apps for its store.
How did we deem whether or not an app potentially violated COPPA rulings?
Based on these rulings, we looked at the privacy policies of 400 apps marked as being suitable for children in various age groups. We looked to see whether or not the apps had:
- A clear and comprehensive online privacy policy that details their practices for collecting PI from children under 13
- Made reasonable efforts to provide direct notice to parents of their practices regarding the collection, use, or disclosure of PI from children
- Provided a reasonable means for a parent to review the PI collected
- Established and maintained reasonable procedures to protect the confidentiality, security, and integrity of the PI collected from children
- Had a clear data retention policy for children’s PI, keeping it for only as long as is necessary to fulfill the purpose for which it was collected
- Listed the name, address, and email address of ALL operators collecting or maintaining PI (if applicable)
- Described what information the operator collects from children
According to COPPA, PI is:
- A first and last name
- A physical address
- Online contact information
- A screen or user name that functions as online contact information
- A telephone number
- A Social Security number
- A persistent identifier, such as an IP address or a unique device identifier
- Cookies
- A photo, video, or audio file which contains the child’s image or voice
- Geolocation data
Methodology and limitations
We searched through the top charts on Google Play (under children and family categories), looking at the top 500 apps. Our overall statistics used 498 of these apps as two of the apps were removed from the store during our research. Then, we reviewed each app’s listed privacy policy and manifest for the details described above.
We also downloaded and scanned the manifests of all 385 of these apps to see what permissions they requested.
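As an added illustration of the manifest scan described here, and of the cross-check earlier in the report between the data-access permissions an app requests and what its privacy policy actually discloses, the following Python script is example code written for this page, not the researchers’ own tooling. It parses a constructed AndroidManifest.xml, counts the permissions the report treats as invasive, applies keyword heuristics standing in for the manual review criteria listed above (child-specific section, parental consent, retention, operator contact, persistent identifiers), and flags data-access permissions the policy never mentions. The sample manifest, the two sample policy texts, the keyword patterns and all function names are assumptions made for the example.

```python
"""Reconcile an Android app's manifest permissions with its privacy policy.
Added example for this page (not the report's tooling). Permission names come
from the report; samples, patterns and function names are constructed."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The report's "top five" invasive permissions: broad network/system access
# rather than direct access to personal data.
INVASIVE_SYSTEM = {
    "INTERNET", "ACCESS_NETWORK_STATE", "WAKE_LOCK",
    "BIND_GET_INSTALL_REFERRER_SERVICE", "FOREGROUND_SERVICE",
}

# Permissions that expose personal or media data, mapped to the wording a
# policy would be expected to contain (the patterns are assumptions).
DATA_ACCESS = {
    "CAMERA": r"camera|photo|picture|image",
    "RECORD_AUDIO": r"microphone|audio|voice|record",
    "READ_MEDIA_IMAGES": r"photo|picture|image|media",
    "READ_MEDIA_VIDEO": r"video|media",
    "READ_MEDIA_AUDIO": r"audio|media",
    "READ_EXTERNAL_STORAGE": r"storage|files?\b|media",
    "WRITE_EXTERNAL_STORAGE": r"storage|files?\b|media",
}

# Keyword stand-ins for the manual review criteria listed in the report.
POLICY_CHECKS = {
    "child_section": r"\bchildren\b|under (?:the age of )?13|\bCOPPA\b",
    "parental_consent": r"parent(?:al)?\s+consent",
    "retention_policy": r"\bretain|\bretention\b|\bdelete\b",
    "operator_contact": r"[\w.+-]+@[\w-]+\.[\w.]+",
    "collects_persistent_id": r"\bIP address|device identifier|advertising id|\bcookies?\b",
    "disclaims_children": r"not (?:intended|directed) (?:for|to|at) children|do not knowingly collect",
}


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Return the short names of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter():
        if node.tag in ("uses-permission", "uses-permission-sdk-23"):
            full = node.get(ANDROID_NS + "name", "")
            if full:
                names.add(full.rsplit(".", 1)[-1])
    return names


def policy_findings(policy_text: str) -> dict[str, bool]:
    """Apply each checklist pattern to the policy text (case-insensitive)."""
    return {name: bool(re.search(pat, policy_text, re.IGNORECASE))
            for name, pat in POLICY_CHECKS.items()}


def undisclosed_data_permissions(permissions: set[str], policy_text: str) -> list[str]:
    """Data-access permissions for which the policy says nothing at all."""
    return sorted(p for p in permissions if p in DATA_ACCESS
                  and not re.search(DATA_ACCESS[p], policy_text, re.IGNORECASE))


def review_app(manifest_xml: str, policy_text: str) -> dict:
    """Combine manifest and policy evidence into a verdict like the report's."""
    perms = manifest_permissions(manifest_xml)
    found = policy_findings(policy_text)
    collects_pi = found["collects_persistent_id"] or any(p in DATA_ACCESS for p in perms)
    issues = []
    if collects_pi and not found["child_section"]:
        issues.append("collects PI but has no child-specific section")
    if collects_pi and not found["parental_consent"]:
        issues.append("collects PI without describing parental consent")
    if found["disclaims_children"]:
        issues.append("policy claims the app is not intended for children")
    undisclosed = undisclosed_data_permissions(perms, policy_text)
    if undisclosed:
        issues.append("permissions not covered by the policy: " + ", ".join(undisclosed))
    return {
        "permissions": len(perms),
        "invasive": sum(1 for p in perms if p in INVASIVE_SYSTEM or p in DATA_ACCESS),
        "undisclosed": undisclosed,
        "issues": issues,
        "likely_violation": bool(issues),
    }


# Constructed sample inputs (not real apps or real policies).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.toddlerpuzzles">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE"/>
  <application android:label="Toddler Puzzles"/>
</manifest>"""

SAMPLE_POLICY = """We collect your IP address and a device identifier to serve ads.
Children's Privacy: this app is designed for children under 13 and we obtain
parental consent before collecting personal information. Data is retained only
as long as needed. Contact: privacy@example.com"""

DISCLAIMING_POLICY = """We do not knowingly collect personal information from
children under the age of 13. We use cookies and IP addresses for analytics."""

if __name__ == "__main__":
    for label, policy in (("compliant-looking", SAMPLE_POLICY), ("disclaiming", DISCLAIMING_POLICY)):
        print(label, review_app(SAMPLE_MANIFEST, policy))
```

The first sample policy passes every checklist heuristic yet still comes out as a likely violation, because the manifest asks for CAMERA and READ_MEDIA_IMAGES while the policy never mentions photos or the camera; that is exactly the "good policy, undisclosed permissions" pattern the report describes. The keyword checks are deliberately coarse stand-ins for a human reading of the policy, so treat a flag as a prompt to read the policy rather than as a finding. In a real pipeline the manifest text would come from the downloaded APK (for example via `aapt dump permissions app.apk`), not from an inline string.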
Privacy policies are subject to change at any time, so may have altered since our research was conducted.
Researchers: Charlotte Bond, Rebecca Moody, Mantas Sasnauskas