Skip Page Banner  
Skip Navigation

FTC's Second Report on Mobile Apps for Kids Shows Scant Response to Privacy Concerns

Tuesday, December 11, 2012

Parents still do not have the information needed to make informed decisions about protecting their privacy and their children's privacy when it comes to data collection from kids' mobile applications, according to a Federal Trade Commission staff report, released Dec. 10.

Mobile Apps for Kids: Disclosures Still Not Making the Grade is a follow-up to a staff report issued nearly a year ago highlighting concerns about the data that are being collected from children using mobile apps, how the collected information is being shared, and who--including third parties--will have access to it.

The FTC staff examined the privacy disclosures and practices of apps offered for children in the Google Play and Apple App stores, and the staff concluded that little progress has been made in addressing privacy concerns in this area--children's data are still being collected, reviewed, and shared without parents' knowledge or consent.

The latest findings by the FTC staff indicate “that many of the apps surveyed included interactive features, such as connecting to social media, and sent information from the mobile device to ad networks, analytics companies, or other third parties, without disclosing these practices to parents.”

In the commission's Dec. 10 statement announcing the release of the report, FTC Chairman Jon Leibowitz posited that, although the agency believes that “most companies have the best intentions when it comes protecting kids' privacy, we haven't seen any progress when it comes to making sure parents have the information they need to make informed choices about apps for their kids. In fact, our study shows that kids' apps siphon an alarming amount of information from mobile devices without disclosing this fact to parents.”

Leibowitz suggested that “[a]ll of the companies in the mobile app space, especially the gatekeepers of the app stores, need to do a better job,” and he anticipates improvement in future surveys.

Promoting Best Practices.

During a press conference, Jessica Rich, associate director of the Division of Financial Practices in the FTC's Bureau of Consumer Protection, explained that “both reports are designed to encourage best practices by companies in the kids app ecosystem.”

The first survey and report examined the disclosures provided to users about mobile app privacy practices and the availability of interactive features--such as connecting to social media. The staff reviewed apps from the two largest mobile app outlets: the Android market, currently Google Play; and the Apple App Store.

Rich noted that, in the first study, the staff found “little or no information … available to parents about these features for the mobile apps reviewed. As a result, the report called on all members of the kids app ecosystem--app stores, developers, and the third parties that collect data through the apps--to provide greater transparency about the data practices and interactive features of apps geared to children.”

While the follow-up survey repeated the methodology used in the first survey, Rich noted that the second survey went a bit further. “Specifically, in addition to examining the privacy disclosures of the apps, staff downloaded the apps in order to test their actual practices and compare them to the disclosures provided. What [the staff] found is cause for concern.”

The staff discerned seven major findings:

• Most of the apps examined failed to provide any privacy disclosures at all. Rich noted that “only 20 percent of the 400 apps … provided parents with a link to a privacy policy or other disclosure prior to download. This compares to 16 percent in the first survey, but the difference isn't statistically significant.”

• Of the disclosures that were provided, they generally failed to include “the critical information that parents need: what information is collected, how it will be used, and who will get access to the information.”

• Many of the apps reviewed sent information from the mobile device to third parties, or the apps included interactive features without first disclosing these practices to parents. Specifically, the staff's analysis showed 59 percent, or 235 of the apps examined, transmitted information from the mobile device to the developer or, in most cases, to an ad network, an analytics company, or other third party. The most common information transmitted was the users' device ID, which consists of letters or numbers that uniquely identify each mobile device. Rich reported that a device ID “allows you to link data collected from one app to data collected from other apps or through other mobile services and therefore, potentially enables you to develop a detailed profile of the user. In addition to sharing device IDs, some apps also shared users' precise geolocation and phone numbers.”

• “[A] relatively small number of third parties received information from a large number of apps.” Rich interpreted this to mean that “companies receiving the data could potentially develop detailed profiles of the children based on the behavior across many different apps.”

• Fifty-eight percent of the apps contained advertising, but only 15 percent disclosed this practice.

• Twenty-two percent of the apps contained links to social media, but only 9 percent disclosed this practice.

• Seventeen percent of the apps examined allowed children to purchase virtual goods within the app with prices that ran up to $30. “Although the app stores provided some indication when this feature was present,” Rich pointed out that “they didn't explain it clearly.”

 

Rich suggested that the findings “are troubling in a number of ways.”

As mentioned in the first report, and reiterated in the follow-up, prior to downloading apps for children, parents need specific information--including what data the app will collect, how that data will be used, and who will have access to the data.

Recommendations.

Based on the latest report findings, the FTC is calling on industry self-regulation--including accelerating efforts to ensure that parents receive “meaningful and accurate information about the apps they download for their kids.”

Rich emphasized that “industry” encompasses not just the app developer “but the app store and the third parties that collect data from the apps. They all play an important role in data collection and they all need to take responsibility.” She acknowledged that some industry efforts that may lead to improvements are progressing; however, to date, they have failed to yield the results desired by the FTC.

The commission is developing consumer education materials for parents so they can “avoid apps that fail to provide adequate information about how kids' data is collected.” Tips are provided on the agency's website.

The FTC also is launching a number of non-public investigations to determine whether certain practices offend the Children's Online Privacy Protection Act (COPPA) or whether companies are engaging in unfair or deceptive practices in violation of FTC Act § 5.

The staff report urges industry to implement recommendations in the recent FTC consumer privacy report including:

• incorporating privacy protections into the design of mobile products and services;

• offering parents easy-to-understand choices about the data collection and sharing through kids' apps; and

• providing greater transparency about how data are collected, used, and shared through kids' apps.

 

After giving the industry an opportunity to self-regulate, the commission plans to conduct another survey.

Need for Do Not Track Kids Act?

Reps. Joe Barton (R-Tex.) and Edward Markey (D-Mass.), co-chairs of the Congressional Bi-Partisan Privacy Caucus, commented in a Dec. 10 statement that the FTC's report “highlights the need for passage of the 'Do Not Track Kids Act' that updates [COPPA] and protect[s] children and teens in the 21st century online environment.”

If we were issuing a grade for mobile app privacy for children, it would be Incomplete. The FTC's report clearly reveals that more must be done to arm parents with the most effective tools to protect their children when they are online. Children's personal information should not be secretly siphoned off by mobile apps without parents' knowledge or permission. When it comes to kids and their use of the Internet in the new mobile environment, it is especially important that the strongest privacy protections are in place so that children do not have personal information collected or disclosed. We introduced the “Do Not Track Kids Act” to ensure that children and teens are protected and that sensitive personal information isn't collected or used without express permission. We look forward to the FTC's update of COPPA regulations and encourage the Commission to continue its aggressive enforcement of COPPA violations.  

 


The report developed by the agency's staff is available at http://www.ftc.gov/os/2012/12/121210mobilekidsappreport.pdf.

To view additional stories from Telecommunications Law Resource Center™ register for a free trial now