A lawsuit by New Mexico’s attorney general accuses a popular app maker, as well as online ad businesses run by Google and Twitter, of violating children’s privacy law.

Shane Slingerland, 6, playing Fun Kid Racing, a game downloaded from the family section of the Google Play store. Bryce Meyer for The New York Times

Before Kim Slingerland downloaded the Fun Kid Racing app for her then-5-year-old son, Shane, she checked to make sure it was in the family section of the Google Play store and rated as age-appropriate. The game, which lets children race cartoon cars with animal drivers, has been downloaded millions of times.

Until last month, the app also shared users’ data, sometimes including the precise location of devices, with more than a half-dozen advertising and online tracking companies. On Tuesday evening, New Mexico’s attorney general filed a lawsuit claiming that the maker of Fun Kid Racing had violated a federal children’s privacy law through dozens of Android apps that shared children’s data.

“I don’t think it’s right,” said Ms. Slingerland, a mother of three in Alberta, Canada. “I don’t think that’s any of their business, location or anything like that.”

Kim Slingerland said she was troubled to learn that a game app she had downloaded for her son had shared personal data, including location information. Bryce Meyer for The New York Times

The suit accuses the app maker, Tiny Lab Productions, along with online ad businesses run by Google, Twitter and three other companies, of flouting a law intended to prevent the personal data of children under 13 from falling into the hands of predators, hackers and manipulative marketers. The suit also contends that Google misled consumers by including the apps in the family section of its store.

[Read the full complaint]

An analysis by The New York Times found that children’s apps by other developers were also collecting data. The review of 20 children’s apps — 10 each on Google Android and Apple iOS — found examples on both platforms that sent data to tracking companies, potentially violating children’s privacy law; the iOS apps sent less data over all.

These findings are consistent with those published this spring by academic researchers who analyzed nearly 6,000 free children’s Android apps. They reported that more than half of the apps, including those by Tiny Lab, shared details with outside companies in ways that may have violated the law.

Although federal law doesn’t provide many digital privacy protections for adults, there are safeguards for children under 13. The Children’s Online Privacy Protection Act protects them from being improperly tracked, including for advertising purposes. Without explicit, verifiable permission from parents, children’s sites and apps are prohibited from collecting personal details including names, email addresses, geolocation data and tracking codes like “cookies” if they’re used for targeted ads.

But the New Mexico lawsuit and the analyses of children’s apps suggest that some app developers, ad tech companies and app stores are falling short in protecting children’s privacy.

“These sophisticated tech companies are not policing themselves,” the New Mexico attorney general, Hector Balderas, said. “The children of this country ultimately pay the price.”

“This is as much a black eye on the federal government as the tech space,” Hector Balderas, New Mexico’s attorney general, said of a lawsuit he filed this week alleging that Google and Twitter violated children’s privacy law. Brent Lewis/The Denver Post, via Getty Images

Jessica Rich, a former consumer protection director at the Federal Trade Commission, called the findings “significant and disturbing.” They suggest, she said, “that the ‘safe spaces’ for kids in the apps stores aren’t safe at all.”

A Google spokesman, Aaron Stein, said that developers are responsible for declaring whether their apps are primarily for children, and that apps in the store’s family section “must comply with more stringent policies.”

A Twitter spokesman said that the company’s ad platform, MoPub, does not allow its services to be used to collect information from children’s apps for targeted advertising and that it suspended the maker of Fun Kid Racing in September of 2017 for violating its policies.

Jonas Abromaitis, founder of the Lithuania-based Tiny Lab, said he believed he had followed the law and Google’s requirements, because the app asked for users’ ages and tracked those who identified as over 13. “We thought we were doing everything the right way,” he said.

A Market for Tracking

Dozens of companies now track consumers on their phones to build behavioral profiles that help tailor the ads they see. Two of the largest are AdMob and MoPub.

To make money, app developers generally have two options: publish free apps supported by ads, or charge users. But children don’t have the money to make purchases, and under federal law they can’t be tracked for ad targeting.

How companies track children's personal data to target ads By Anjali Singhvi and Rich Harris | Source:

The app industry has had trouble adapting to children, said Dylan Collins, the chief executive of SuperAwesome, a technology firm that helps companies build apps for children without tracking them.

Mr. Collins said some top children’s app makers had started charging parents for subscriptions or showing ads that didn’t use tracking. But, he noted, small developers typically sell fewer subscriptions and don’t always sell enough ads using only child-friendly ad networks. “As a result, there’s still a huge amount of data being collected on kids,” he said.

In 2013 Apple introduced a children’s section in its App Store. It told developers that, to be listed there, they could “do no tracking across sites or across apps.” Apple tells parents that it reviews each app in the section “to make sure it does what it says it does.”

Google has said it developed the family section of its app store to help parents find “suitable, trusted, high-quality apps” for their children.

Google introduced a similar program, Designed for Families, in 2015. The company informed Android developers that apps that were “primarily child-directed must participate” in the program and that developers must confirm that their apps complied with the children’s privacy law. Google has said it developed its family section to help parents find “suitable, trusted, high-quality apps” for their children.

‘For Children’ vs. ‘for Families’

Mr. Abromaitis, the Tiny Lab founder, created Fun Kid Racing in 2013, after searching unsuccessfully for a racing game to play with his 3-year-old nephew. Other Tiny Lab apps include simple games with titles such as Run Cute Little Pony.

Still, Mr. Abromaitis said in an interview, the company’s apps were directed at “mixed audiences,” with children under 13 forming only part of the market.

The distinction is important: Under privacy law, apps aimed at younger children are prohibited from tracking any users for ads without parental consent, but those intended for a general audience can ask players their age and track older users.

When Tiny Lab submitted apps to Google’s store, it indicated they were for families, not just children, and Google accepted the apps.

In The Times’s tests of Fun Kid Racing in July, the app asked that players select their birth year from a list. But with the default set between 2000 and 2001, a young child eager to get to the next screen could simply tap through quickly and be counted as a teenager. In the tests, the app didn’t collect location data if the player identified as under 13.

In early June, emails show, the academic researchers who had done the earlier study informed Google that app developers “seem to have an incentive to mischaracterize” their children’s apps as “not primarily directed to children,” freeing them to track users for targeted ads. They cited 84 apps from Tiny Lab as examples and said they had identified nearly 3,000 apps in all that appeared to be similarly mislabeled.

Jonas Abromaitis, founder of Tiny Lab Productions, says many of the company’s apps are intended for “mixed audiences,” not just young children. Andrej Vasilenko for The New York Times

In July, a Google manager responded that the company had investigated the Tiny Lab apps and had found they had not violated the privacy law. Google, he said, did not consider “these apps to be designed primarily for children, but for families in general.”

A month later, Google appeared to reverse course: The company told Mr. Abromaitis it had identified a Tiny Lab app that should be designated for children. Google gave Tiny Lab a week to change that app and any others like it. Tiny Lab labeled 10 of its apps for children and used ad networks in them designed for children’s apps. Google approved the updates but flagged more apps at the end of August, Mr. Abromaitis said, so he made another round of changes.

Then, this week, after inquiries from The Times, Google terminated Tiny Lab’s account and removed all of its apps from the Play store, citing multiple policy violations.

Asked about the earlier emails, Google said the statements were made in error and that it doesn’t certify whether apps in the Play store comply with the children’s privacy law.

Mr. Abromaitis said he hoped to work with Google to get back into the store.

Widespread Tracking of Children

The study this spring showed not only that more than half of children’s apps on Android were sharing tracking ID numbers but also that 5 percent collected children’s location or contact information without their parents’ permission.

To evaluate tracking on iOS as well as Android, The Times conducted a small study, looking at 10 apps on each platform. The Times chose a mix of the most popular children’s apps and smaller apps that had been flagged in the academics’ research for sharing data, to test whether the apps had problems on iOS and whether they had been fixed on Android.

Although it is difficult to know whether companies are actually violating the federal rules, six of the Android apps shared data such as precise location, IP addresses and tracking IDs in ways that could be problematic. On iOS, five apps sent IDs to tracking companies in questionable ways.

Serge Egelman, a researcher with the International Computer Science Institute and the University of California, Berkeley, helped lead the study of nearly 6,000 children’s Android apps. Jim Wilson/The New York Times

In addition to Fun Kid Racing, the tests showed one other Android app sending precise location data to other companies: Masha and the Bear: Free Animal Games for Kids, an animated game app with millions of downloads. The iOS version sent advertising ID codes to a company that generally prohibits children’s apps from using its network.

In an email, Indigo Kids, the Cyprus-based maker of the Masha app, said it was not responsible for harvesting children’s information because third-party companies collected the data. “We, as a company, do not collect or store any data of our users,” the company said.

Other apps with data practices that could violate the children’s privacy rules sent data to multiple tracking companies that don’t allow children’s apps, or sent the data with notes in the computer code incorrectly indicating that it hadn’t come from children.

Several apps reviewed by The Times also sent the advertising ID to other companies but said this was for specific purposes allowed under the law, such as preventing an ad from being shown too many times.

Tom Neumayr, an Apple spokesman, said that children’s privacy in apps “is something we take very seriously” and that developers must follow strict guidelines about tracking in children’s apps.

Enforcing the Law

Since the federal children’s online privacy law was enacted in 1998, the Federal Trade Commission has brought nearly 30 cases alleging violations by companies including Sony BMG Music Entertainment and Yelp. All of those firms ultimately settled with the agency.

“The F.T.C. has made enforcement of the Children’s Online Privacy Protection Act a high priority,” said Juliana Gruenwald, an agency spokeswoman.

But the New Mexico lawsuit is different. The state is not just going after a single app maker or ad company; it’s also implicating the ad platforms of Google and Twitter, and the vetting process of Google’s app store.

“Google knows that Tiny Lab’s apps track children unlawfully,” the complaint said. “Google’s bad acts are compounded because it represents to parents” that Tiny Lab’s apps comply with the children’s privacy law and are “safe for children.”

The case is particularly fraught for Google and Twitter, which are each already subject to federal settlements over consumer privacy or security violations. Those settlements prohibit the companies from misrepresenting their consumer data protections, and violations could trigger hefty fines.

“I don’t see any way that anything would change unless there are enforcement actions,” said Serge Egelman, a researcher at the University of California, Berkeley, who helped lead the study this spring.

New Mexico’s attorney general said he hoped the F.T.C. and others in Washington would follow his lead. “This is as much a black eye on the federal government as the tech space,” Mr. Balderas said. “I’m trying to get lawmakers at the federal level to wake up.”