Many Apps Preschoolers Play May Violate Child Privacy Laws

By Anne Harding

September 14, 2020

NEW YORK (Reuters Health) - Most apps used by preschool-aged children collect and share their personal information in ways that could illegally violate their privacy, new findings suggest.

Two-thirds of apps played by 3- to 5-year-olds were sending their data to third-party companies, Dr. Jenny S. Radesky of University of Michigan C.S. Mott Children's Hospital, in Ann Arbor, and her colleagues found.

"The Children's Online Privacy Protection Act (COPPA) requires verifiable consent from a parent or guardian before collecting and sharing persistent identifiers," Dr. Radesky said by email. "These include the device ID, which can be traced back to the user, geolocation, or other things that can be used to map location such as Wi-Fi router numbers."

Third-party companies collect this type of information - and much more - to track users' behavior and create targeted advertising. Under U.S. law, this information can be collected on anyone, aside from certain protected groups. COPPA, passed in 1998, is intended to protect the online data of children under 13.

Dr. Radesky and her colleagues hypothesized that transmissions of persistent identifier data would occur more often in apps played by children from lower socioeconomic status homes. To investigate, they analyzed data from the Preschooler Tablet Study on a population-based sample of 124 preschoolers who used Android devices. Thirty percent had their own device.

Over nine days, 303 of the 451 apps the children used transmitted data to third-party domains. These apps transmitted to between one and 33 different third-party domains. The median number of data transmissions per child was five, and ranged from 0 to 614. The median third-party domain count per child was four, and ranged from zero to 399.

Older age was significantly tied to higher transmission and third-party domain rates. Children whose parents were less educated also had significantly higher rates of transmission (rate ratio, 2.29) and third-party-domain rates (RR, 2.05) per app, but there was no association with household income.

"Discussions with families need to go beyond the concept of 'screen time,' which is only one dimension for thinking about our children's media experiences," Dr. Radesky said. "Now that media are interactive, collecting our data and interacting with us in ways that are shaped by our prior online behavior, it's really important for families to be building digital literacy about these underlying mechanics of modern media."

She added: "There are many sources of structural inequality in children's environments. I think the design of the digital environment needs to be considered along with children's food environments, educational environments, etc. In our study, we found that children from lower-education households played apps with more data collection and sharing, which could lead to inequities in online profiling and marketing. It will be easier and more equitable to correct the structural sources of disparities, rather than asking each individual family to try to change all of their digital privacy behaviors."

In an accompanying editorial, Angela J. Campbell of Georgetown University Law Center in Washington, DC, writes, "US laws designed to protect children's privacy need to be updated to take account of rapid changes in technology and marketing techniques, and they need to be enforced."

COPPA, which was passed in 1998, only applies to apps specifically for children, or when an operator is aware that the data being gathered is from a child, Campbell noted in a phone interview with Reuters Health. "It's very hard to tell, even in good faith to tell, if something is covered."

Many apps use manipulative techniques to keep people playing, and even paying, she noted. "You can't progress in the game unless you actually purchase something, or have to watch a certain number of ads to build up points to do something in the game."

In her commentary, Campbell notes that the U.K.'s Age-Appropriate Design Code "mandates that the best interest of the child should be a primary consideration in designing and developing online services," and applies to any online service a child might access, not just those that explicitly target kids.

While the Federal Trade Commission has launched a review of COPPA, "it is unclear what, if any, changes will be made," she adds. "Some changes can only be made by Congress. Careful studies such as this one will help raise public concern and provide a sound basis for enacting better laws."

SOURCE: and JAMA Pediatrics, online September 8, 2020.