Report: Google Lags Apple on Child Privacy Compliance

The Pixalate report analyzed over 4.2 million apps and found that likely child-directed apps are 50% more likely to transmit GPS and IP address data in the open programmatic ad stream compared to other apps. Across both Google and Apple stores, over 192,000 apps likely directed at children have no detected privacy policy but still request access to personal information. The Children's Online Privacy Protection Act (COPPA) is a US federal law enacted in 2000 that requires operators of online services directed to children under 13 to obtain verifiable parental consent before collecting personal information. The Federal Trade Commission (FTC) enforces COPPA, and violations can lead to significant fines. Historically, the FTC has taken major enforcement actions for COPPA violations. In 2019, Google and YouTube paid a record $170 million to settle allegations of illegally collecting personal data from children without parental consent by using cookies to deliver targeted ads to viewers of child-directed channels. The issue persists at scale, with one study of 5,855 children's apps finding that 57% may be violating COPPA by collecting and sharing personal data with third parties without parental consent. Another analysis of 1,149 US-registered, child-directed apps found a 99% non-compliance rate with verifiable parental consent requirements under COPPA. Discrepancies exist between the two major app stores' stated privacy labels. An analysis of 822 apps available on both platforms found that 66.5% showed differences in their privacy disclosures, suggesting potential compliance issues. For example, the same app may disclose different data collection practices on iOS versus Android. While both Apple and Google have policies for apps targeting children, critics argue they are not stringent enough. Advocacy groups have filed complaints with the FTC against both Apple and Google, alleging widespread COPPA violations and a failure to adequately police their app stores. The problem extends beyond the app stores themselves. Third-party Software Development Kits (SDKs) used for analytics and advertising within apps often collect data that is not disclosed by the primary app developer. Major ad platforms like Google Ad Exchange are frequently found in the majority of likely non-compliant apps. Looking ahead, the FTC is in the process of reviewing and updating the COPPA Rule for the first time since 2013. These updates are expected to broaden the definition of personal information and add stricter requirements for data retention and transparency.