Miss a day, miss a lot. Subscribe to The Defender's Top News of the Day. It's free.

A new study showing tech companies are collecting data from Apple and Google apps — mostly used by children without parental consent — and sending it to advertisers has experts calling for laws that would make app developers responsible for determining if children are using their products.

“Apps are spying on our kids at a scale that should shock you,” according to The Washington Post, which reported on the study. “More than two-thirds of the 1,000 most popular iPhone apps likely to be used by children collect and send their personal information out to the advertising industry.”

The study, by Pixalate, a company that focuses on fraud protection and privacy, found 79% of Android apps do the same.

Researchers found popular apps like Angry Birds 2 and Candy Crush Saga spy on kids who use their apps — as do apps used for coloring and math homework.

Pixalate was able to identify more than 391,000 child-directed apps across both Apple and Google stores, and were able to identify the 1,000 most popular child-directed apps and analyze how sensitive data was handled.

Of all the apps identified by Pixalate, 7% sent either location or internet address data to the advertising industry.

The study also found popular apps had a greater incentive to track users because they make money from targeted advertising.

Both Google and Apple deny any wrongdoing and claim that their app stores protect the privacy of children, according to The Washington Post.

In another study by Pixalate, researchers found almost 90% of 164 educational apps and websites sent information to the ad-tech industry.

A 2020 study showed two-thirds of apps played by 124 preschool-aged children  collected and distributed identifying information.

A 2017 research report examining media literacy showed many children can’t differentiate ads from content, and tracking technology allows marketers to micro-target their minds.

“They’re grabbing the kids’ general locations and other identifying information and sending it to companies that can track their interests, predict what they might want to buy, or even sell their information to others,” wrote Geoffrey Fowler, The Washington Post’s technology columnist.

A loophole in the system

The Children’s Online Privacy Protection Act (COPPA) in 1998 was enacted to prevent tech companies from collecting personal information of children under age 13 without parental consent.

“It was pretty obvious when the bill was being originally drafted that there was going to be real opportunity for unscrupulous corporations to take advantage of young people,” Sen. Edward J. Markey (D-Mass.), one of the authors of COPPA, told The Washington Post. “Now the problems are on steroids.”

According to SuperAwesome, a London-based company that helps app developers navigate child-privacy laws, “by the time a child reaches 13, online advertising firms hold an average of 72 million data points about them.”

“They are placing their profits over the mental health and social well-being of every child in America, because that’s the power they have today,” Markey said.

According to Fowler, Big Tech and app makers found a giant loophole in the privacy law. “They claim they don’t have ‘actual knowledge’ they’re taking data from kids,” he said.

For example, Pixel Art: Paint by Number is a free coloring app developed by Easybrain for children ages 12 and up — but the app doesn’t ask for the child’s age nor does it obtain permission from a parent or guardian to use the app.

On opening the app, the user’s information, including general location, internet address, and identifying information, is sent to the ad industry, according to Pixalate. At no point does the app ask for the user’s age or permission.

Easybrain claims it doesn’t have to, because Pixel Art is not for children.

A spokesperson for Easybrain, Evan Roberts, said the company operates “a general-audience service, and do not generally have actual knowledge that the Pixel Art App is collecting, using or disclosing personal information from any child under 13.”

Even though the categories in the app, such as ice cream, unicorns and dinosaurs, look as if they would be geared toward children, the app maker states it is marketed toward adults.

In 2021, The Federal Trade Commission (FTC) settled a lawsuit with a self-identified “adult” coloring app called Recolor that had a “kids” section.

The maker of Candy Crush Saga says its “game and marketing are targeted to adult players, over the age of 18 in the U.S.” Yet, the game is listed as “Age: 4+.”

Frank List, CEO of Impala Studios, said the company’s Calculator and Math Solver app needs to do better.

“We will be more mindful of clearly marketing only to our intended targeted audience,” he told The Washington Post.

Apple and Google turn blind eye to children’s data privacy

Apple and Google appear to have more power than the U.S. government over how apps operate, as they are the ones that control the two largest app stores. Yet, when it comes to data privacy of young users, these tech giants turn a blind eye.

Google and Apple do not indicate whether their app stores are compliant with COPPA, and neither app store shows the parent or guardian a way to see which apps collect data on children.

There is a tab for kids’ apps in the Google store that labels apps as “Teacher Approved” and stringent standards apply. However, Pixalate said only 5% of popular children’s apps are properly labeled in the Google store.

The Apple store is a bit more complicated. If you want to find the child category, you have to dig for it at the bottom of the store — and there is no way to search for it. None of the children’s apps are labeled as having any privacy protection.

Parental controls in the Apple store are limited, with the parent or guardian having the ability only to approve app purchases once they set up a child’s iOS account.

“If you want to make sure your child’s privacy is respected, it’s going to take work,” Fowler said.

Advocates for children’s privacy believe the tech industry won’t change until there is a level of legal responsibility to take ownership of the problem.

It wasn’t until 2019 that YouTube started labeling child-directed videos on its service after it was hit with a lawsuit and was forced to pay $136 million to the FTC and $34 million to the state of New York for violating COPPA.

The complaint alleged that Google’s YouTube violated COPPA by “collecting personal information — in the form of persistent identifiers that are used to track users across the Internet — from viewers of child-directed channels, without first notifying parents and getting their consent.”

Markey said he and Rep. Kathy Castor (D-Fla.) drafted bills that would update COPPA. The revisions would cover teens up to age 16 and ban targeted advertising outright.

The bills, if passed, would require apps and websites to take responsibility for determining whether children are using their services.

Fowler said California is looking to create a version of the U.K. law known as the Age Appropriate Design Code. Companies would be required to establish the consumer’s age and maintain a high level of privacy for children.

So far, U.S. lawmakers have talked broadly about privacy but have failed to take action, according to Fowler.

“If we can’t do kids, then it just shows how broken our political system is,” Markey told The Washington Post. “It shows how powerful the tech companies are.”