Last week, it was revealed that YouTube might be knowingly violating COPPA, the Children's Online Privacy Protection Act. This law, which was enacted in 1998 and expanded in 2012, ensures that online services are not allowed to collect information about children or their activities online without the consent of their parents or guardians. It is the reason why many sites require a person to be 13 years old to sign up - to keep themselves far away from the issue.
In the wake of the Facebook privacy issues, a number of organizations have begun looking into other areas in which privacy might be a concern. In a report released this week, Google Play is filled with apps that could potentially violate COPPA. The researchers who wrote the report designed an automated tool and scanned 5,855 popular apps in the store, looking for violations. The results of the study were... not good.
Some apps collected the type of information you would expect, especially the Android Advertising ID, which is a user resettable key that is designed to track user behavior for advertising purposes. Because this ID is resettable without having to reset your phone, it is not guaranteed identifiable and therefore is less important. In the report, you can see a list of the most common services receiving the Android Advertising ID. The types of data being collected and transmitted to third parties that are a real concern are things like GPS location.
Obviously physically tracking a child without permission is not only a problem, it is creepy. Some of the apps tested, which are targeted exclusively to children, did just that. Included in this group was Disney with their Where's My Water? Free, which transmitted the Wi-Fi name to a third party for geolocation purposes.
Many of the third party APIs that received inappropriate data from these apps explicitly prohibit exactly what the apps are doing - transmitting unapproved child data. Again, Disney is in violation of one of these Terms of Service, along with other high profile apps, like Minion Rush from Gameloft and Duolingo, the language learning platform. In the report, you can see a list of the most common services receiving data.
While the report gives a lot of data on a lot of issues, there is one that remains at the forefront: COPPA itself. As the law stands right now, COPPA does not exactly apply to mobile apps. In fact, it specifically applies to web-based products. That does not exactly mean that there is no legal remedy available, or that by making consumers aware of COPPA-style violations, there is no direct remedy available. It's always possible that, through market pressure, companies will fix these issues on their own, or, failing that, COPPA might be expanded to cover non web-based products.