Privacy experts have analyzed 5,855 child-directed Android apps and have found that more than half (57%) are potentially violating the Children's Online Privacy Protection Act (COPPA), a US law protecting children's private data online.

"We identified several concerning violations and trends: clear violations when apps share location or contact information without consent (4.8%), sharing of personal information without applying reasonable security measures (40.0%), potential non-compliance by sharing persistent identifiers with third parties for prohibited purposes (18.8%), and ignorance or disregard for contractual obligations aimed at protecting children’s privacy (39.0%)," the team said.

Researchers also found that 28% of the tested apps accessed sensitive data protected by Android permissions and 73% transmitted sensitive data over the Internet.

"Overall, roughly 57% of the 5,855 child-directed apps that we analyzed are potentially violating COPPA," privacy experts from multiple US universities wrote in a research paper they plan to present this summer at the Privacy Enhancing Technologies Symposium (PETS) in Barcelona, Spain.

Researchers tested all the Play Store DFF apps

All the apps analyzed in their study are part of the Google Play Store "Designed for Families" (DFF) program, a section of the Play Store that lists only apps that developers say are COPPA compliant, so at least in theory, these apps should not have had any violations.

The study's results are of concern for parents who assume their children's data is protected when, in reality, it is not.

COPPA, a law approved in 1998 and revised in 2003, prohibits applications from collecting the private information of children under 13 without a parent's specific consent.

This not only includes name, usernames, and emails, but also geo-location data, IP addresses, and other identity markers that could be used to track children online and link them to advertising IDs.

SDKs are the main source for COPPA violations

Researchers said that, based on their analysis, most applications did not break COPPA through their own code but mainly through the inclusion of third-party software development kits (SDKs), which often collected this data automatically on behalf of the SDK makers, sometimes without the app itself collecting any data at all.

"While many of these SDKs offer configuration options to respect COPPA by disabling tracking and behavioral advertising, our data suggest that a majority of apps either do not make use of these options or incorrectly propagate them across mediation SDKs," the research team points out.

Worse, researchers point out that around a fifth of all the tested apps used an SDK that specifically prohibited developers from using its library in child-directed apps, due to the nature of its data collection.

Such oversights can only be attributed to distracted app makers who paid little attention to the terms of service and privacy policies of the libraries they included in their code.

To help parents assess the apps their kids use on their phones, researchers made the results of their analysis for each of the 5,855 child-directed Android apps available on AppCensus, a website that lists privacy assessments for Android applications.

The research team also suggested that Google adjust its static and dynamic analysis tools for apps submitted to the Play Store's DFF section to search for COPPA-specific violations. This way, researchers hope, Google would catch intrusive apps instead of relying on the "word" of the developers who submit their apps to this section.
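To make the kind of dynamic-analysis check the researchers describe concrete, here is an added example (not code from the paper or from AppCensus) that classifies observed network transmissions from a child-directed app into the concern categories quoted above. The traffic records, the host names and the rule that "reasonable security" means TLS are all constructed assumptions for illustration.

```python
"""Flag COPPA-relevant findings in per-app network transmissions.
Added example; the record format and rules are assumptions, not the study's code."""
from dataclasses import dataclass

# Assumed data-type groupings (constructed for this example).
CONTACT_OR_LOCATION = {"geolocation", "email", "phone", "contacts"}
PERSISTENT_IDS = {"aaid", "android_id", "imei"}


@dataclass(frozen=True)
class Transmission:
    app: str             # package name of the app that sent the data
    host: str            # destination host observed in the traffic capture
    first_party: bool    # True if the host belongs to the app developer
    data_types: frozenset  # sensitive data types found in the payload
    tls: bool            # True if the connection was encrypted
    consent_shown: bool  # True if verifiable parental consent preceded sending


def assess(t: Transmission) -> set:
    """Return the set of concern categories one transmission falls into."""
    findings = set()
    sensitive = t.data_types & (CONTACT_OR_LOCATION | PERSISTENT_IDS)
    # Location or contact data sent without parental consent: a clear violation.
    if t.data_types & CONTACT_OR_LOCATION and not t.consent_shown:
        findings.add("pii_without_consent")
    # Sensitive data sent in the clear: no "reasonable security measures" (assumed to mean no TLS).
    if sensitive and not t.tls:
        findings.add("no_reasonable_security")
    # Persistent identifiers handed to a third-party host, e.g. an ad or analytics SDK backend.
    if t.data_types & PERSISTENT_IDS and not t.first_party:
        findings.add("identifier_to_third_party")
    return findings


def summarize(transmissions) -> dict:
    """Merge per-transmission findings into one set of findings per app."""
    per_app = {}
    for t in transmissions:
        per_app.setdefault(t.app, set()).update(assess(t))
    return per_app


def potential_violation_rate(per_app: dict) -> float:
    """Fraction of apps with at least one finding (0.0 if no apps were seen)."""
    if not per_app:
        return 0.0
    return sum(1 for f in per_app.values() if f) / len(per_app)


# Constructed sample capture: three hypothetical apps, four transmissions.
SAMPLE = [
    Transmission("com.example.puzzle", "api.puzzle.test", True, frozenset({"aaid"}), True, False),
    Transmission("com.example.puzzle", "ads.tracker.test", False, frozenset({"aaid"}), True, False),
    Transmission("com.example.coloring", "analytics.sdk.test", False, frozenset({"geolocation", "aaid"}), False, False),
    Transmission("com.example.storytime", "cdn.storytime.test", True, frozenset({"email"}), True, True),
]
```

Running `summarize(SAMPLE)` attributes the coloring app's findings to the third-party analytics host even though the app's own code never handled the data, which mirrors the SDK-driven pattern the study describes.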

Image credits: Rozzie Sanders