A report by fraud detection platform Pixalate claims that a number of apps aimed at children are violating COPPA (Children’s Online Privacy Protection Act) by unknowingly sharing data signals.

Over 70% of the top 1,000 popular apps directed at children on Apple’s App Store and Google Play share people’s GPS signals or IP addresses with advertisers, potentially violating COPPA, according to the report.

The COPPA law prohibits advertisers from knowingly collecting user data like IP addresses and geolocation information from app users unless they have parental consent.

Pixalate, which creates services for app developers, found many apps did not request parental consent, meaning a higher rate of children’s data is potentially illegally shared with advertisers, the report alleges.

FORMER TWITTER HEAD OF SECURITY PEITER ‘MUDGE’ ZATKO BLASTS COMPANY IN SEC COMPLAINT

Both Google and Apple’s app store have seen a 4% increase in transmitting GPS signals to advertisers from the first quarter of 2022 to the second quarter.

While 9%of Apple App Store apps (152,000) and 8%of Google Play Store apps (271,000) are likely child-directed, most advertisers run the risk of selling ads on these apps since the tech platforms often don’t disclose the app’s target audience.

Furthermore, Pixalate was unable to locate privacy policies, or policies were not declared, for 16% (24,209) of the apps on Apple’s store that are child-directed and 10% (27,427) of the apps on Google’s store that are child-directed. The report found a total of 66 U.S. registered apps continue to share geolocation data with advertisers, thereby, further violating COPPA.

A complicated law to follow

But the issue goes beyond seeking parental consent and issuing privacy policies.

More often than not, “[advertisers] don’t even know which apps are child-directed in the first place,” said Tyler Loechner, director of research, ad fraud and compliance at Pixalate. This makes COPPA “a complicated law to follow for advertisers,” he said.

Every time an app developer features their app on either Google or Apple app store, they are required to disclose the app’s target audience to these companies. However, neither Google nor Apple make that information publicly available in the app, according to Allison Lefrak, a former FTC exec and current svp of public policy, ads privacy and COPPA compliance at Pixalate.

More so, app developers intentionally don’t collect information on their users, making them ignorant of whether preteens use their services, according to Redniss.

“Therefore, it’s okay for [app developers] to harvest preteen data and use it for targeted advertising,” said Seth Redniss, general counsel and co-founder at Qonsent.

Although there is no wrongdoing by Apple and Google, the lack of transparency in the intended audience is frustrating for parents who don’t have the necessary information to determine data consent. At the same time, ad-tech vendors on the supply side run the risk of illegally collecting children’s data from these apps.

Apple, however, disagrees with the premise and methodology of Pixalate’s report.

“Pixalate’s definition of ‘child-directed’ is overly broad, confusing and inconsistent,” Apple said. For example, it classifies Duolingo and Calculator apps, which are apps used by the general public, as kids’ apps, but Pixalate doesn’t classify Minecraft, which is used predominately by young people, as such, the company said. However, Pixalate told Adweek it does classify Minecraft as likely a child-directed app.

Apple added that the App Store requires developers to adhere to Age Rating guidelines for every app. Furthermore, apps in the Kids Category or any app that collects, transmits, or has the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, the ability to chat, other personal data, or persistent identifiers used in combination with any of the above) from a minor must include a privacy policy and must comply with all applicable children’s privacy statutes.

“These apps must meet a higher bar than the bar for the rest of the store,” Apple said.

Google did not respond to a media request.

Meanwhile, advertisers can access, free of charge, a list of 1,000 likely child-directed apps that have programmatic ads, reviewed by Pixalate’s Trust and Safety Advisory Board of educators, and compare it with the list of apps they currently buy or sell ads on to determine any COPPA violations, according to Loechner.

Pixalate analyzed over 5 million apps available for download on the Apple App Store and Google Play Store during the second quarter of this year. The study also found that there are 422,000 child-directed apps across the two stores. There were 392,000 child-directed apps found in the previous quarter.

“This means that over the last three months, about 30,000, new child-directed apps entered the marketplace,” said Loechner.

Pixalate’s estimates also found programmatic advertisers spent over four times more per app on child-directed apps, compared to general audience apps in the second quarter 2022.

TRISHLA OSTWAL

• @trishlaostwal
• trishla.ostwal@adweek.com

Trishla is an Adweek staff reporter covering tech policy.