If Children’s Data Are Delivered to Strangers, Who’s to Blame?

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ayanna Alexander

More than half the mobile applications in Alphabet Inc.'s Google Play store targeted at kids allegedly don’t adequately protect children’s data, according to researchers. But protecting children’s privacy isn’t just a job for app stores and developers.

Geolocation data, email address, and other personally identifiable information of children under 13 can be shared without parental consent with third-party advertisers through apps on the Google Play store, the researchers said.

One of the researchers, Serge Egelman, director of usable security and privacy at the University of California, Berkeley, told Bloomberg BNA, that Google should be doing more to ensure that mobile apps in its store protect children’s privacy. App developers may not be aware they are liable for violations of the federal Children’s Online Privacy Protection Act (COPPA), which requires websites and apps targeted at children to gain parental consent to collect and use the personal information of children under 13, so app stores need to play a “greater role” in protecting privacy, he said.

Meanwhile, the Federal Trade Commission and state attorneys general could do more to investigate potential COPPA violations to hold app stores, such as Google Play and Apple Inc.’s iTunes Store, accountable for leaving children’s data unprotected, Egelman said.

But placing the blame entirely with Google and the FTC may not be fair, privacy analysts, mobile app developers, and privacy advocacy groups told Bloomberg BNA. Ensuring that mobile apps protect the privacy of children is a shared responsibility of the FTC and other regulators, mobile apps developers, and companies that run app stores, they said.

Allison Fitzpatrick, a privacy partner at Davis & Gilbert LLP in New York, said that all parties involved have responsibility to eliminate COPPA violations. “COPPA has gotten too big for just the FTC to enforce,” she said. “We need app developers, Google Play, Apple to do more,” she said. “Yes, I think we’re going to see more compliance, as more attorneys general get involved, but I also think that privacy advocacy groups should continue to call out violators.”

Alexandra Cooke, director of membership for ACT | The App Association, told Bloomberg BNA that “the FTC has a role as a governing agency to enforce, but the app developers and app stores also have to be educated and understand what should and should not be included in their apps directed at children.” The responsibility shouldn’t fall in one place, she said.

N. Cameron Russell, executive director of the Center on Law and Information Policy at Fordham Law School, told Bloomberg BNA that parents share responsibility for protecting children’s data. “It’s important to view the privacy policy and also vet the companies that your kids will be using,” he said.

Google, which operates the Google Play store, didn’t respond to Bloomberg BNA’s requests for comment.

Better Enforcement Needed?

Six researchers affiliated with the International Computer Science Institute in Berkeley, Calif., reviewed thousands of the most popular Google Play Android apps that target children through age 12.

Through an analysis that began nearly eight months ago, the researchers found that more than 3,000 Google Play apps transmitted some sort of identifier for child users. Approximately 310 apps send children’s personal data to third-party advertisers, Egelman said. Overall, more than 50 percent of Google Play apps reviewed by researchers were found lacking when it came to sufficiently protecting children’s privacy.

An FTC spokesman told Bloomberg BNA that the agency has examined Egelman’s analysis but had no further comment.

Peder Magee, a senior staff attorney in the FTC’s privacy and identity protection division, told Bloomberg BNA that, “Children’s data privacy is a priority to the FTC” and the commission “vigorously” enforces alleged COPPA violations.

New York Attorney General Eric Schneiderman (D) reached settlements with Viacom Inc., Mattel Inc., and Hasbro Inc., and others last year. The office’s COPPA enforcement efforts are ongoing, Rachel Shippee, spokeswoman for the attorney general’s office, told Bloomberg BNA.

Fitzpatrick said that the data underlying the research report should be examined before reaching conclusions about the alleged COPPA violations and the need for enforcement.

More research data will be released later, Egelman told Bloomberg BNA.

To contact the reporter on this story: Ayanna Alexander in Washington at aalexander@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security