Hundreds of mobile apps for children fail to provide parents with basic information on the kinds of sensitive information the apps collect and share about their children, said a new federal report Monday.
Only 20 percent of children's applications found on portable computers and smartphones provided disclosures about their data collection practices, according to a staff report from the Federal Trade Commission released on Monday. The apps that did offer disclosures often provided links to long, dense, technical privacy policies "filled with irrelevant information," according to the report. Other apps, it said, gave misleading information about their practices.
The agency's study examined the privacy policies of 400 popular children's apps -- half of them available through the Apple App Store and the other half through Google's Android Market -- and compared the apps' disclosures to their actual data collection practices.
"Most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data," the F.T.C. report said. "Even more troubling, the results showed that many of the apps shared certain information" -- like a device's phone number, precise location or unique identification code -- with third parties, according to the report.
More than half of the apps studied were transmitting children's data, often to marketers. The researchers also reported that most apps failed to tell parents when they involved interactive features like advertising, social network sharing or allowing children to make purchases for virtual goods within the app. For instance, while 9 percent of the children's apps disclosed to parents that they contained advertising, F.T.C. researchers found that 58 percent actually contained ads. Moreover, of the 24 apps that stated they did not contain in-app advertising, 10 actually contained ads, the report said.
The report added that some of these practices could violate the F.T.C.'s prohibition against unfair or deceptive practices. The practices could also violate a federal law, called the Children's Online Privacy Protection Act of 1998, known as Coppa for short. That law requires Web site operators to obtain parental permission before collecting or sharing the names, phone numbers, addresses or other personal information about children under 13.
Regulators said they were starting "numerous nonpublic investigations" to determine whether the discrepancies between the children's apps' disclosures and their actual practices violated the law.
The report is part of the F.T.C.'s preparations to strengthen the children's online privacy rule.
Over the last few months, however, some prominent media companies, app developers and advertising industry groups have pressed F.T.C. commissioners to water down the agency's proposed updates to the Coppa rule. The timing of the report suggests that the F.T.C. may be trying to lay the groundwork for broader children's online privacy protections.
The agency hopes to update them to keep up with developments in mobile apps, voice recognition, facial recognition and comprehensive online data collection by marketers. The agency has proposed, for example, a longer list of data about children that would require prior parental consent to collect: photos, voice recordings and unique mobile device serial numbers that could be used to track children and compile information about their activities across apps.
In the report, regulators said their concern was that marketers and data collection companies could potentially use information from children's apps to develop detailed profiles of children without their parents' knowledge or consent. Children's advocates have argued that such detailed profiling could potentially present a safety hazard -- like the ability for strangers to contact or locate a child -- as well as a risk that children could be unfairly discriminated against or influenced by marketers.
"The transmission of kids' information to third parties that are invisible and unknown to parents raises concerns," the report said. For example, agency researchers reported that 223 different apps in the study transmitted data to one of 30 advertising networks, analytics companies, or other third parties -- without explaining why those entities needed to amass the children's data. The data transmission to these companies, the report said, "illustrates why parents need clear and accurate privacy information in one easily accessible place."
This is the second F.T.C. study on the children's app ecosystem this year. A report in February, titled "Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing," reviewed information on data collection that a parent could easily locate about several hundred children's apps from an app store or from app developers' Web sites. But that study did not test the apps' actual practices.
Since then, state and federal regulators have made a variety of efforts to encourage app developers and data collectors to adopt more transparent practices. Kamala D. Harris, the attorney general of California, for example, signed an agreement this year with a number of leading app platforms to make sure apps available through their stores displayed privacy policies; she also recently sent letters to 100 companies whose apps, she said, did not comply with a California law requiring them to post privacy policies. Last week Ms. Harris sued Delta Air Lines for not warning users of its Fly Delta app that the app collected sensitive information like a user's full name, phone number, e-mail address, photographs and location.
The National Telecommunications and Information Administration, a division of the Commerce Department, has been overseeing a group of advocacy and industry groups that are trying to work out a code of conduct for transparency in mobile app data practices.
But the new F.T.C. report, titled "Mobile Apps for Kids: Disclosures Still Not Making the Grade," concluded that there had been little improvement for consumers.
"Despite many high-visibility efforts to increase transparency in the mobile marketplace, little or no progress has been made," the report said. It added: "Industry appears to have made little or no progress in improving its disclosures since the first kids' app survey was conducted, and the new survey confirms that undisclosed sharing is occurring on a frequent basis."
Agency researchers reported that almost 60 percent of the children's apps in the study transmitted a device's ID number, most commonly to an advertising network or another third party. But only 20 percent of the apps disclosed any information about these kinds of practices. One app cited in the report had a "troubling privacy disclosure" stating that it did not share information with third parties; yet researchers found that in fact the app transmitted a device's phone number, precise location and device ID to a number of advertising networks.
Not every parent may be concerned about advertising, data collection, social network sharing or the possibility that "free" apps may allow their children to purchase hundreds of dollars worth of virtual goods. Even so, the report said, apps should provide accurate information about their practices so that parents can decide whether to allow their children to use them.
First Published: December 10, 2012, 11:00 p.m.