Jon Fingas, writing for Engadget:
There’s little doubt that mobile apps sometimes overstep their bounds by collecting more data from kids than the law allows. But how often does that happen? It might be more than you think. Researchers using an automated testing process have discovered that 3,337 family- and child-oriented Android apps on Google Play were improperly collecting kids’ data, potentially putting them in violation of the US’ COPPA law (which limits data collection for kids under 13). Only a small number were particularly glaring violations, but many apps exhibited behavior that could easily be seen as questionable.
Of the 5,855 total apps included in the study, 281 of them collected contact or location data without asking for a parent’s permission. Needless to say, those are red flags for any app targeted at kids. A further 1,100 shared persistent identifying info with third parties for restricted purposes, while 2,281 of them seemed to violate Google terms of service forbidding apps from sharing those identifiers to the same destination as the Android Advertising ID (which gives you control over tracking). About 40 percent of apps transmitted info without using “reasonable security measures,” and nearly all (92 percent) of the 1,280 apps with Facebook tie-ins weren’t properly using the social network’s code flags to limit under-13 use (though they may not have realized they were using this info for law-breaking purposes).
The researchers are adamant that they’re not showing “definitive legal liability.” These apps may be running afoul of the law, but it’s up to regulators at the FTC to decide if they are. Without iOS data, it’s also unclear how common this problem is across platforms. We’ve asked Google for comment on the findings as well.