Do mobile apps for kids respect privacy rights?

The number of mobile applications for children is rapidly increasing. An entire market segment is taking shape to reach this target audience. Just like adults, the personal data issue applies to these younger audiences. Grazia Cecere, a researcher in the economics of privacy at Institut Mines-Télécom Business School, has studied the risk of infringing on children’s privacy rights. In this interview, she shares the findings from her research.

Why specifically study mobile applications for children?

Grazia Cecere: A report from the NGO Common Sense reveals that 98% of children under the age of 8 in the United States use a mobile device. They spend an average of 48 minutes per day on the device. That is huge, and digital stakeholders have understood this. They have developed a market specifically for kids. As a continuation of my research on the economics of privacy, I asked myself how the concept of personal data protection applied to this market. Several years ago, along with international researchers, I launched a project dedicated to these issues. The project was also launched thanks to funding from Vincent Lefrere’s thesis within the framework of the Futur & Ruptures program.

Do platforms consider children’s personal data differently than that of adults?

GC: First of all, children have a special status within the GDPR in Europe (General Data Protection Regulation). In the United States, specific legislation exists: COPPA (Children’s Online Privacy Protection Act). The FTC (Federal Trade Commission) handles all privacy issues related to users of digital services and pays close attention to children’s rights. As far as the platforms are concerned, Google Play and App Store both have Family and Children categories for children’s applications. Both Google and Apple have expressed their intention to separate these applications from those designed for adults or teens and ensure better privacy protection for the apps in these categories. In order for an app to be included in one of these categories, the developer must certify that it adheres to certain rules.

Is this really the case? Do apps in children’s categories respect privacy rights more than other applications?

GC: We conducted research to answer that question. We collected data from Google Play on over 10,000 mobile applications for children, both within and outside the category. Some apps choose not to certify and instead use keywords to target children. We check if the app collects telephone numbers, location, usage data, and whether they access other information on the telephone. We then compare the different apps. Our results showed that, on average, the applications in the children’s category collect fewer personal data and respect users’ privacy more than those targeting the same audience outside the category. We can therefore conclude that, on average, the platforms’ categories specifically dedicated to children reduce the collection of data. On the other hand, our study also showed that a substantial portion of the apps in these categories collect sensitive data.

Do all developers play by the rules when it comes to protecting children’s personal data?

GC: App markets ask developers to provide their location. Based on this geographical data, we searched to see whether an application’s country of origin influenced its degree of respect for users’ privacy. We demonstrated that if the developer is located in a country with strong personal data regulations—such as the EU, the United States and Canada—it generally respects user privacy more than a developer based in a country with weak regulation. In addition, developers who choose not to provide their location are generally those who collect more sensitive data.

Are these results surprising?

GC: In a sense, yes, because we expected the app market to play a role in respecting personal data. These results raise the question of the extra-territorial scope of the GDPR, for example. In theory, whether an application is developed in France or in India, if it is marked in Europe, it must respect the GDPR. However, our results show that among countries with a weak regulation, the weight of the legislation in the destination market is not enough to change the developers’ local practices. I must emphasize that offering an app to all countries is extremely easy—it is even encouraged by the platforms, which makes it even more important to pay special attention to this issue.

What does this mean for children’s privacy rights?

GC: The developers are the owners of the data. Once personal data is collected by the app, it is sent to the developer’s servers, generally in the country where they are located. The fact that foreign developers pay less attention to protecting users’ privacy means that the processing of this data is probably also less respectful of this principle.