Worried that toy stores, fast food chains, and other retailers are tracking your kids online this holiday season? A landmark 2013 law aimed at protecting the privacy of America’s youngest mobile consumers hasn’t stopped app developers from collecting vast amounts of data, including a person’s location and even recordings of their voice, according to privacy researchers and consumer advocates.
Whether mobile app developers seek parental consent first – as required by law – or pass the information on to advertisers isn’t entirely clear. But if you prefer to stay anonymous, your options are limited: Wade through each mobile app’s privacy policies to make sure you are OK with the terms, or stick the phone on “airplane mode” to shut off the wireless connection and risk losing functionality.
“Kids are such a lucrative market, especially for apps,” said Jeff Chester, executive director of the Center for Digital Democracy. “Unfortunately, there are still companies out there that are more concerned about generating revenue than protecting the privacy of kids.”
Americans have traded vast amounts of personal data in exchange for the ease and functionality of fun mobile applications on their phones. But how is industry using that information? Chester and other consumer advocates allege that fast food chains are increasingly focusing advertising dollars on digital media, targeting blacks and Hispanics. They also warn that data from phones can be combined with offline information like home prices, race or income in ways that could violate fair lending laws. And a new site, PrivacyGrade.org, found that many popular kids’ apps like Talking Tom and Fruit Ninja collect information in ways parents wouldn’t necessarily expect.
Concerned in particular about industries’ focus on kids online, the Federal Trade Commission in July 2013 expanded the Child Online Privacy Protection Act, or COPPA, to require app developers to get parental consent before collecting personal data on anyone younger than 13. That includes information like the unique identifying device on a phone, a person’s phone number or a device’s location.
“It’s upped the ante for companies deciding whether they are going to market to kids,” said Michelle De Mooy of the Center for Democracy and Technology. “And that’s a good thing.”
But with the number of smartphones expected to reach 3.5 billion in the next five years, according to Forrester Research, the mobile app and advertising industry has exploded. Regulators don’t have an easy, automated way of analyzing the hundreds of mobile apps popping up each day.
Since the updated regulation went into effect, the FTC has brought about only two enforcement actions against mobile apps. Last September, the commission announced that Yelp Inc. agreed to pay $450,000 and TinyCo. $300,000 to settle separate charges that their companies knowingly collected information on young children through their mobile apps.
“Our ultimate goal is compliance,” said Kandi Parsons, an attorney in the FTC’s Bureau of Consumer Protection. But “that doesn’t undermine our desire to bring cases against companies that violate COPPA … where we find violations, we will bring cases against mobile apps.”
According to PrivacyGrade.org, which is run by computer scientists at Carnegie Mellon University, scores of apps that collect information are still aimed at kids.
For example, Fruit Ninja collects a phone’s location, which could be passed on to advertisers. And Talking Tom, where kids can talk to and “tickle” an alley cat using the touch screen, collects a child’s audio recordings along with other information that can uniquely identify a phone.
Whether these apps would violate COPPA would depend on a number of factors, including whether and how they seek parental consent. But because these apps collect information in surprising ways, PrivacyGrade.org gave them both D grades.
Outfit7, the developer behind Talking Tom, said in a statement that personal information and recordings are never shared with advertisers. The developer says its app also complies with COPPA by providing “appropriate gate protections … to distinguish adults from minors and restrict sharing on social media,” according to the statement.
Halfbrick Studios, which developed Fruit Ninja, said in a statement that it planned to release updates to Fruit Ninja and other apps to increase privacy protections.
“Parents and players are understandably cautious about the privacy aspects of online games, and the way their data is handled,” said company CEO Shainiel Deo. “Creating a safe and secure app is no longer enough to answer consumers’ needs for assurance. Developers must also ensure that permissions are clearly explained and easy to access at every applicable point in a game.”