Beyond fun and games: Exploring privacy risks in children’s apps
Home » Blog » Beyond fun and games: Exploring privacy risks in children’s apps
12 July, 2024
No Comments
Should children’s apps come with ‘warning labels’? Here’s how to make sure your children’s digital playgrounds are safe places to play and learn.
Our children spend more time on their phones than ever. Some 80% of European 9-16-year-olds access the internet from their phones every day. In the UK, 91% of children have a mobile phone by the age of 11. And in the US, the same share has a smartphone by 14. While these devices, and the apps installed on them, can be a great tool for entertainment, socializing and learning, they also present risks.
As parents, we often buy these devices primarily as a means for our kids to stay connected with us, to be safe when they’re away from home and, perhaps to a lesser extent, to connect with their friends. But how many of us factor in the potential online safety implications? Much of the problem lies with a lack of transparency around data usage and app developers who, unlike you, don’t always have the best interests of your children in mind.
Read on to discover the main safety risks associated with child-targeted apps, and how to mitigate them.
Should apps come with safety warnings?
Smartphone apps are the gateway to the digital world for our kids. But they could also expose them to exploitative advertising, inappropriate content, and security and privacy risks. The challenge for parents is compounded by complex privacy settings, opaque privacy policies, regulatory loopholes, weak enforcement and our own lack of awareness.
That there is a risk here is in no doubt. A study from Incogni analyzed 74 “child-targeted Android apps” used worldwide. It found that:
Nearly half (34/74) collect at least some user data, with a third of these collecting at least seven data points including location, email addresses, purchase history and app interactions
Developers claimed the reason for this data collection was mainly for analytics, app functionality, fraud prevention, and advertising or marketing
Only 62% of data-collecting apps allowed users to request that their data be deleted
A separate study into iOS apps labelled for children under 12 found that all shared user data with varying degrees of sensitivity outside the app. And 44% sent at least one piece of personal information to third parties. Some 65% shared data with third parties that provide advertising or analytics for commercial purposes.
What the law says
Lawmakers have enacted specific legislation to protect children from excessive data collection and use.
In the US, COPPA was passed in 1998 to force developers to obtain parental consent before collecting personal information from under 13-year-olds. They must also provide a clear privacy policy detailing how any collected info is used, and offer parents the option to review, modify or delete this data.
In the EU, the GDPR-K demands that developers collect only the minimum data necessary to provide an app’s services, and to obtain parental consent for processing personal data in most cases. It also requires age-appropriate privacy settings that are easy for kids to understand, and that developers regular assess and mitigate data protection risks.
Enforcement action over the years has been limited. TikTok was a notable exception – being hit with a €345m ($368m) GDPR fine and a $5.7m FTC settlement. But just because more children’s app developers aren’t being fined, it doesn’t mean nothing is wrong. It may rather point to a lack of regulatory capacity for enforcement. So what should you be concerned about?
Top app risks to be aware of
Excessive data collection: Personal information such as age, email address and locations and app activity can be a gold mine for advertisers. If it is shared by the developers via third-party trackers, it raises concerns over exploitative advertising and represents a data security risk; i.e., the possibility that a third-party could be breached.
Unscrupulous advertising: Ads targeted at young children in particular may exploit their inability to discern that they are being marketed to. Ads could also include inappropriate content.
In-app purchases: Some apps – especially in the gaming world – enable users to make purchases during a session. Children may be more susceptible to developers nudging them towards spending money – which could ultimately cost you dear as a parent.
Limited parental oversight: Some kids’ apps lack adequate parental controls, making it difficult for you to minimize risk exposure for your children when using the app.
Limited privacy information: Despite regulatory requirements in many jurisdictions, kids’ apps can feature opaque privacy/security policies which make it unclear how your child’s data will be used and protected. As the UK privacy regulator states: “Bad privacy information design obscures risks, unravels good user experiences, and sows mistrust between children, parents and online services.”
Oversharing: Some apps may offer limited obvious means for kids to restrict the amount of information they share with other users, putting them at risk from cyber-bullies, data thieves and fraudsters.
Inappropriate content: Apps might enable your children to access content unsuitable for their age range, including that shared by other users. Social media sites are particularly risky given the potentially large pool of users sharing images and videos. It can take time for moderators to catch up and take down anything deemed unsuitable.
Security risks: Mobile apps also pose significant security risks. Those not designed with security in mind might include vulnerabilities, misconfiguration and other risks – such as a lack of data encryption. These holes can be exploited by threat actors to steal your child’s data, including app log-ins, sign them up to premium-rate services, or hijack their social media and gaming accounts. Alternatively, they could use access to your child’s device to engage in cyber-extortion.
How to mitigate app safety risks
As a parent, you have a critical role to play in protecting your child’s privacy and security when they’re using smartphone apps. Here’s how:
Speak to your kids: Educate your children about the importance of protecting their personal information and the potential consequences of security and privacy risks. A policy of openness will help to reassure them that you should be the first port of call before they take any decisions about sharing info online. It’s good to talk.
Do your research: Always review any app your child wants to download before allowing them to do so. Check their privacy policies and reputation for privacy and security.
Stay in control: Be respectful of your child’s privacy, but let them know that you will check in from time to time to monitor their app usage and permissions. Consider using parental control software to limit what they can download and which features they will be able to access (e.g., disabling messaging or social features). Such software will also enable safe browsing and provide internet usage reports.
Focus on security: Download anti-malware software from a reputable vendor to your child’s device. And ensure it is always up-to-date with the latest app and OS version, and password protected. Switch on multi-factor authentication (MFA) for any apps that support it. And ensure your child only downloads apps from the official Google/Apple app stores.
Block advertising: Switch off ad tracking on your child’s smartphone by going into the relevant settings on Android or iOS.
Choose child-friendly apps: For Android devices, search for “Teacher approved” apps on Google Play under a Kids tab. Apps are rated according to “age-appropriateness, quality of experience, enrichment, and delight.”
We all want our kids to get the most out of their smartphones. But first and foremost, we want them to be safe. Navigating this digital minefield was never going to be easy. But the more you know about the risks, the better informed your decisions will be.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.