Your kids’ apps are spying on them
Apple and Google just look the other way. Here’s how we stop it.
Geoffrey A. FowlerJune 9, 2022 at 8:00 a.m. EDT
Imagine if a stranger parked in front of a child’s bedroom window to peep inside. You’d call the police.
Yet that happens every day online, and Big Tech looks the other way.
Apps are spying on our kids at a scale that should shock you. More than two-thirds of the 1,000 most popular iPhone apps likely to be used by children collect and send their personal information out to the advertising industry, according to a major new studyshared with me by fraud and compliance software company Pixalate. On Android, 79 percent of popular kids apps do the same.
Story continues below advertisement
Angry Birds 2 snoops when kids use it. So do Candy Crush Saga and apps for coloring and doing math homework. They’re grabbing kids’ general locations and other identifying information and sending it to companies that can track their interests, predict what they might want to buy or even sell their information to others.
Apple and Google run the app stores, so what are they doing about it? Enabling it.
Tech companies need to stop turning a blind eye when children use their products — or else we need laws to impose some responsibility on them. We the users want children’s privacy to be protected online. But parents and teachers can’t be the only line of defense.
This is why kids are at the center of one of America’s few privacy laws, the 1998 Children’s Online Privacy Protection Act, or COPPA. It said that companies aren’t supposed to gather personal information about kids under 13 without parental permission. Sounds pretty clear, right?
But even one of the authors of COPPA, Sen. Edward J. Markey (D-Mass.), thinks it needs a do-over. “It was pretty obvious when the bill was being originally drafted that there was going to be a real opportunity for unscrupulous corporations to take advantage of young people,” he told me. “Now the problems are on steroids.”
Apps and services are regulated from gathering data on kids' online activity. But a loophole in current rules lets them do it anyway. (Video: Jonathan Baran/The Washington Post)
By the time a child reaches 13, online advertising firms hold an average of 72 million data points about them, according to SuperAwesome, a London-based company that helps app developers navigate child-privacy laws.
Read more from the We The Users series
“COPPA was passed in a world where parents would be in the room with a child using a computer,” said Stacy Feuer, a senior vice president of the Entertainment Software Rating Board, or ESRB, who worked for two decades at the Federal Trade Commission. “Mobile and everything we have in 2022 present new challenges.” ESRB is the nonprofit, self-regulatory body for the video game industry.
Pixalate said it used software and human reviewers, including teachers, to attempt something that Apple and Google have failed to do: categorize every single app that might appeal to children. Pixalate identified more than 391,000 child-directed apps across both stores — far more than the selection in the stores’ limited kids sections. Pixalate’s methodology draws on the FTC’s definitions of “child-directed,” and it was designed by a former commission stafferwho was responsible for enforcing the law.
After identifying the child-directed apps, Pixalate studied how each handled personal information, most notably charting what data each sent to the ad industry. Of all the apps Pixalate identified, 7 percent sent either location or internet address data. But popular apps were much more likely to engage in tracking because they have an incentive to make money from targeted ads, it said.
Google and Apple said their app stores protect children’s privacy. Apple said it disagrees with the premise of the research from Pixalate, and said that company has a conflict of interest because it sells services to advertisers. Google calls Pixalate’s methodology of determining whether an app is child-directed “overly broad.”
A limitation of Pixalate’s study is that it didn’t check which apps seek parental permission like COPPA would require — but my spot checks found many, many do not.
This research is hardly the only indication of the problem. A recent study of 164 educational apps and websites found nearly 90 percent of them sent information to the ad-tech industry. A 2020 study found that two-thirds of the apps played by 124 preschool-aged children collected and shared identifying information. And a 2018 study of 5,855 popular free children’s appsfound a majority were potentially in violation of COPPA.
“They are placing their profits over the mental health and social well-being of every child in America, because that’s the power they have today,” Markey told me.
I wanted to know: How did it become open season on kids’ data when we have a privacy law for kids in America?
What I discovered is that Big Tech and app makers found a giant loophole in the law: They claim they don’t have “actual knowledge” they’re taking data from kids.
But if we have the will, we can tighten up the loophole.
Apple and Google just look the other way. Here’s how we stop it.
Geoffrey A. FowlerJune 9, 2022 at 8:00 a.m. EDT
Imagine if a stranger parked in front of a child’s bedroom window to peep inside. You’d call the police.
Yet that happens every day online, and Big Tech looks the other way.
Apps are spying on our kids at a scale that should shock you. More than two-thirds of the 1,000 most popular iPhone apps likely to be used by children collect and send their personal information out to the advertising industry, according to a major new studyshared with me by fraud and compliance software company Pixalate. On Android, 79 percent of popular kids apps do the same.
Story continues below advertisement
Angry Birds 2 snoops when kids use it. So do Candy Crush Saga and apps for coloring and doing math homework. They’re grabbing kids’ general locations and other identifying information and sending it to companies that can track their interests, predict what they might want to buy or even sell their information to others.
Apple and Google run the app stores, so what are they doing about it? Enabling it.
Tech companies need to stop turning a blind eye when children use their products — or else we need laws to impose some responsibility on them. We the users want children’s privacy to be protected online. But parents and teachers can’t be the only line of defense.
Children’s privacy deserves special attention because kids’ data can be misused in some uniquely harmful ways. Research suggestsmany children can’t distinguish ads from content, and tracking tech lets marketers micro-target young minds.
This is why kids are at the center of one of America’s few privacy laws, the 1998 Children’s Online Privacy Protection Act, or COPPA. It said that companies aren’t supposed to gather personal information about kids under 13 without parental permission. Sounds pretty clear, right?
But even one of the authors of COPPA, Sen. Edward J. Markey (D-Mass.), thinks it needs a do-over. “It was pretty obvious when the bill was being originally drafted that there was going to be a real opportunity for unscrupulous corporations to take advantage of young people,” he told me. “Now the problems are on steroids.”
Apps and services are regulated from gathering data on kids' online activity. But a loophole in current rules lets them do it anyway. (Video: Jonathan Baran/The Washington Post)
By the time a child reaches 13, online advertising firms hold an average of 72 million data points about them, according to SuperAwesome, a London-based company that helps app developers navigate child-privacy laws.
Read more from the We The Users series
“COPPA was passed in a world where parents would be in the room with a child using a computer,” said Stacy Feuer, a senior vice president of the Entertainment Software Rating Board, or ESRB, who worked for two decades at the Federal Trade Commission. “Mobile and everything we have in 2022 present new challenges.” ESRB is the nonprofit, self-regulatory body for the video game industry.
Pixalate said it used software and human reviewers, including teachers, to attempt something that Apple and Google have failed to do: categorize every single app that might appeal to children. Pixalate identified more than 391,000 child-directed apps across both stores — far more than the selection in the stores’ limited kids sections. Pixalate’s methodology draws on the FTC’s definitions of “child-directed,” and it was designed by a former commission stafferwho was responsible for enforcing the law.
After identifying the child-directed apps, Pixalate studied how each handled personal information, most notably charting what data each sent to the ad industry. Of all the apps Pixalate identified, 7 percent sent either location or internet address data. But popular apps were much more likely to engage in tracking because they have an incentive to make money from targeted ads, it said.
Google and Apple said their app stores protect children’s privacy. Apple said it disagrees with the premise of the research from Pixalate, and said that company has a conflict of interest because it sells services to advertisers. Google calls Pixalate’s methodology of determining whether an app is child-directed “overly broad.”
A limitation of Pixalate’s study is that it didn’t check which apps seek parental permission like COPPA would require — but my spot checks found many, many do not.
This research is hardly the only indication of the problem. A recent study of 164 educational apps and websites found nearly 90 percent of them sent information to the ad-tech industry. A 2020 study found that two-thirds of the apps played by 124 preschool-aged children collected and shared identifying information. And a 2018 study of 5,855 popular free children’s appsfound a majority were potentially in violation of COPPA.
“They are placing their profits over the mental health and social well-being of every child in America, because that’s the power they have today,” Markey told me.
I wanted to know: How did it become open season on kids’ data when we have a privacy law for kids in America?
What I discovered is that Big Tech and app makers found a giant loophole in the law: They claim they don’t have “actual knowledge” they’re taking data from kids.
But if we have the will, we can tighten up the loophole.
