Consumer advocacy groups call on FTC to investigate kids’ apps on Google Play

A coalition of twenty-two consumer and public health advocacy groups, led by Campaign for a Commercial-Free Childhood (CCFC) and Center for Digital Democracy (CDD), have today filed a complaint with the Federal Trade Commission asking them to investigate and sanction Google for how its Google Play Store markets apps to children. The complaint states that Google features apps designed for very young children in its Play Store’s “Family” section, many of which are violating federal children’s privacy law, exposing kids to inappropriate content, and disregarding Google’s own policies by luring kids into making in-app purchases and watching ads.

Google Play ‘Family’ Section

Google first introduced its “Designed for Families” program back in 2015, which gives developers of kid-friendly apps meeting certain guidelines additional visibility in the Play Store. This includes a placement in the Family section, where apps are organized by age appropriateness.

To qualify, “Family” apps must abide by specific content policies, Google’s Developer Distribution Agreement, and the Designed for Families DDA Addendum. The apps must also meet the Designed for Families program requirements. Legal compliance with federal privacy laws, including COPPA (Children’s Online Privacy Protection Rule), is among the requirements.

COPPA is designed to protect children under the age of 13 by giving parents control over what information sites and apps can collect from their kids.

Above: Google Play store showcases children’s content in its own dedicated sections

COPPA Violations

But the new FTC complaint claims that Google is not verifying COPPA compliance when it accepts these apps and, as a result, many are in continual violation of the law.

“Our research revealed a surprising number of privacy violations on Android apps for children, including sharing geolocation with third parties,” said Serge Egelman, a researcher at the University of California, Berkeley, in a statement shared by the group. “Given Google’s assertion that Designed for Families apps must be COPPA compliant, it’s disappointing these violations still abound, even after Google was alerted to the scale of the problem,” he added.

TechCrunch asked the coalition if it had some idea about how many apps were in violation of COPPA, and was told the groups don’t know an exact number.

“From our survey – and more comprehensive analyses like the PET Study – it seems fairly prevalent,” Lindsey Barrett, Staff Attorney at Georgetown’s Institute for Public Representation, told us.

“The PET Study found that 73% of the kids apps in the Play store transmitted sensitive data over the internet, and we saw apps sending geolocation without notice and verifiable parental consent, and sending personal information unencrypted,” Barrett said. “Further, under COPPA, children’s PII cannot be used for behavioral advertising. Yet, many of the children’s apps we looked at were sending information to ad networks which say their services should not be used with children’s apps,” she added.

Other Harms

The apps also engage in other bad behaviors like regularly showing ads that are difficult to exit or showing those that require viewing in order to continue the current game, according to the complaint. Some apps pressure kids into making in-app purchases – in one example, the game characters were crying if the kids didn’t buy the locked items, it notes. Others show ads for alcohol and gambling, despite those being barred by Google’s Ad Policy.

Above: disturbing images from TabTale apps

The coalition additionally called out some apps for containing “graphic, sexualized images” like TutoTOONS Sweet Baby Girl Daycare 4 – Babysitting Fun, which has over 10 million downloads. (The game has a part where kids change a baby’s diaper, wipe their diaper area, then rub powder all over the baby’s body.) Others model harmful behavior, like TabTale’s Crazy Eye Clinic, which teaches children to clean their eyes with a sharp instrument, and has over one million downloads. (The game is currently not available on Google Play and its webpage is down.)

The complaint also broadly takes issue with apps that use common SDKs like those from Unity or Flurry (disclosure: Flurry and TechCrunch share a corporate parent) to collect device identifiers from the children’s apps.

“Nearly three-quarters of the apps in the Family section transmit device identifiers to third parties,” reads the complaint. “There is no way for us to know for sure what the device identifiers are used for. Since many of the apps send device identifiers to third parties that specialize in monetizing apps and/or engaging in interest-based (behavioral) advertising, it seems unlikely that this information is being used solely to support internal operations,” it says.

Above: Strawberry Shortcake Puppy Palace was called out for aggressive monetization efforts. Strawberry tells kids to buy things to keep the puppy happy – the implication is if you don’t pay, you’re making puppies sad.

The groups say that Google has been aware of all these problems for some time, but hasn’t taken adequate steps to enforce its criteria for developers. As a result, the consumer advocacy groups are urging the FTC to investigate the Play Store’s practices.

The coalition had previously asked the FTC to investigate developers of children’s apps aimed at preschoolers who were using manipulative advertising. But today’s complaint is focused on Google.

“Google (Alphabet, Inc.) has long engaged in unethical and harmful business practices, especially when it comes to children,” explained Jeff Chester, executive director of the Center for Digital Democracy. “And the Federal Trade Commission has for too long ignored this problem, placing both children and their parents at risk over their loss of privacy, and exposing them to a powerful and manipulative marketing apparatus. As one of the world’s leading providers of content for kids online, Google continues to put the enormous profits they make from kids ahead of any concern for their welfare,” Chester said.

Apple was not similarly called out because a similar analysis has not yet been done on its app marketplace, Josh Golin, Executive Director at CCFC, told us. In Google’s case, he explained, two major studies found widespread issues with the Play Store apps for kids. One from Berkeley researchers found widespread COPPA non-compliance; the other, by University of Michigan researchers, found children’s play experience was often completely interrupted and undermined by aggressive marketing tactics.

The complaint comes at a time when there is increased scrutiny as to how tech companies are misusing and abusing consumer data and violating privacy. Kids’ games have already been the subject of some concern. And this morning, an NYT investigation into Facebook revealed it had shared more of users’ personal data than disclosed with major tech companies, following a year of data scandals.

The issue of data privacy is an industry-wide problem. Tech companies’ failures on this front will likely lead to increased regulation going forward.

Google and the named developers were not immediately available to comment this morning. We’ll update if comments are provided.

The full complaint is below.

Verizon/AOL helped advertisers track kids online, must now pay $5M fine

AOL knowingly violated children’s privacy law with billions of targeted ads.

Verizon-owned AOL helped advertisers track children online in order to serve targeted ads, in violation of a federal children's privacy law, and has agreed to pay a fine of $4.95 million, New York Attorney General Barbara Underwood announced today.

"The Attorney General's Office found that AOL conducted billions of auctions for ad space on hundreds of websites the company knew were directed to children under the age of 13," Underwood's announcement said. "Through these auctions, AOL collected, used, and disclosed personal information from the websites' users in violation of COPPA [Children's Online Privacy Protection Act], enabling advertisers to track and serve targeted ads to young children."

In addition to paying the largest-ever fine for violating COPPA, the Verizon-owned company "has agreed to adopt comprehensive reforms to protect children from improper tracking," the announcement said.

Oath agrees to pay $5M to settle charges it violated children’s privacy

TechCrunch’s Verizon-owned parent, Oath, an ad tech division made from the merging of AOL and Yahoo, has agreed to pay around $5 million to settle charges that it violated a federal children’s privacy law.

The penalty is said to be the largest ever issued under COPPA.

The New York Times reported the story yesterday, saying the settlement will be announced by the New York attorney general’s office today.

At the time of writing the AG’s office could not be reached for comment.

We reached out to Oath with a number of questions about this privacy failure. But a spokesman did not engage with any of them directly — emailing a short statement instead, in which it writes: “We are pleased to see this matter resolved and remain wholly committed to protecting children’s privacy online.”

The spokesman also did not confirm nor dispute the contents of the NYT report.

According to the newspaper, which cites the as-yet unpublished settlement documents, AOL, via its ad exchange, helped place adverts on hundreds of websites that it knew were targeted at children under 13 — such as Roblox.com and Sweetyhigh.com.

The ads were placed using children’s personal data, including cookies and geolocation, which the attorney general’s office said violated the Children’s Online Privacy Protection Act (COPPA) of 1998.

The NYT quotes attorney general, Barbara D. Underwood, describing AOL’s actions as “flagrantly” in violation of COPPA.

The $5M fine for Oath comes at a time when scrutiny is being dialled up on online privacy and ad tech generally, and around kids’ data specifically — with rising concern about how children are being tracked and ‘datafied’ online.

Earlier this year, a coalition of child advocacy, consumer and privacy groups in the US filed a complaint with the FTC asking it to investigate Google-owned YouTube over COPPA violations — arguing that while the site’s terms claim it’s aimed at children older than 13, content on YouTube is clearly targeting younger children, including by hosting cartoon videos, nursery rhymes, and toy ads.

COPPA requires that companies provide direct notice to parents and obtain verifiable consent from parents before collecting under-13s’ information online.

Consent must also be sought for using or disclosing personal data from children. Or indeed for targeting kids with adverts linked to what they do online.

Personal data under COPPA includes persistent identifiers (such as cookies) and geolocation information, as well as data such as real names or screen names.

In the case of Oath, the NYT reports that even though AOL’s policies technically prohibited the use of its display ad exchange to auction ad space on kids’ websites, the company did so anyway — citing settlement documents covering the ad tech firm’s practices between October 2015 and February 2017.

According to these documents, an account manager for AOL in New York repeatedly — and erroneously — told a client, Playwire Media (which represents children’s websites such as Roblox.com), that AOL’s ad exchange could be used to sell ad space while complying with Coppa.

Playwire then used the exchange to place more than a billion ads on space that should have been covered by Coppa, the newspaper adds.

The paper also reports that AOL (via Advertising.com) also bought ad space on websites flagged as COPPA-covered from other ad exchanges.

It says Oath has since introduced technology to identify when ad space is deemed to be covered by Coppa and ‘adjust its practices’ accordingly — again citing the settlement documents.

As part of the settlement the ad tech division of Verizon has agreed to create a COPPA compliance program, to be overseen by a dedicated executive or officer; and to provide annual training on COPPA compliance to account managers and other employees who work with ads on kids’ websites.

Oath also agreed to destroy personal information it has collected from children.

It’s not clear whether the censured practices ended in February 2017 or continued until more recently. We asked Oath for clarification but it did not respond to the question.

It’s also not clear whether AOL was also tracking and targeting adverts at children in the EU. If Oath was doing so but stopped before May 25 this year it should avoid the possibility of any penalty under Europe’s tough new privacy framework, GDPR, which came into force in May this year — beefing up protection around children’s data by setting a cap of between 16- and 13-years-old for children being able to consent to their own data being processed.

GDPR also steeply hikes penalties for privacy violations (up to a maximum of 4% of global annual turnover).

Prior to the regulation a European data protection directive was in force across the bloc but it’s GDPR that has strengthened protections in this area with the new provision on children’s data.