Washington, DC - What information are kids’ app developers collecting, who are they sharing it with, and what are they telling parents about their practices? The FTC staff first asked those questions in 2012. Fast forward three years, and how have things changed? According to the FTC’s Office of Technology Research and Investigation, the glass is both half-full and half-empty. Our December 2012 kids’ app survey found that only 20% of apps had a link to a privacy policy available to parents before downloading the app.
Developers are now doing a better job, with more than 45% including a direct link to their privacy policy on their app store page. For many kids’ apps, however, parents still don’t have an easy way to learn about their data collection and usage practices.
What was the lay of the land in 2012? As we reported in Mobile Apps for Kids: Current Privacy Disclosures are Disappointing and Mobile Apps for Kids: Disclosures Still Not Making the Grade, many apps shared kids’ information with third parties without telling parents. Furthermore, Moms and Dads had little or no access to information about the apps’ privacy practices. That put parents in a bind since it made it nearly impossible to evaluate an app’s privacy practices before downloading – in other words, before they had paid for it and before the app started to collect information about their kids.
Our new survey explored similar terrain. This time, we looked at 364 kids’ apps in Google Play or the Apple App Store. We considered disclosures about apps’ privacy practices and interactive features – for example, links to social media. We also downloaded and used the apps to learn about their data collection and sharing practices. (Methodology mavens can get the details here.)
Here’s what we learned about the apps included in our survey: 164 of them (45%) had privacy policies that could be viewed from a direct link on the app store page.
Of the apps we surveyed, an additional 38 include privacy policies in harder-to-find places – for example, within the app or on the app developer’s webpage. Of course, information that’s difficult for parents to locate isn’t likely to be of much benefit to them.
Of all the apps, 48 included short form disclosures in their app descriptions about the sharing of personal information with third parties, the use of persistent identifiers, in-app purchases, social network integration, or the presence of advertising.
We don’t know for certain why there has been an increase in easy-to-locate privacy policies since our last survey, but a few factors may have contributed to this welcome development. First, changes to the FTC’s Children’s Online Privacy Protection Rule took effect in January 2013. The updated rule widened the definition of children’s personal information to include geolocation data, photos, videos, audio recordings, and persistent identifiers like cookies that track a child’s activity online. Perhaps the renewed focus on kids’ privacy encouraged some app developers to be more transparent about their practices, regardless of whether their apps are covered by COPPA.
The increase in easy-to-locate privacy disclosures also may be the result of a 2012 agreement between California and major mobile platform providers. The agreement required all apps collecting personal information to have a privacy policy available to consumers before downloading.
Changes in the practices of the major app platforms may have played a role, too. Both Apple and Google now provide specific space on their app promotion pages for privacy disclosures. And with the introduction of its “Kids” category in the app store, Apple now requires apps in that group to include a direct link to a privacy policy.
Whatever the reasons for the increase in direct links to kids’ app privacy policies, it’s a step in the right direction. That said, a significant portion of kids’ apps still leave parents in the dark about the data collected about their children – so there’s more work to be done. Furthermore, for improved disclosures to have any value, they must accurately reflect what the app is up to. We’ll dive deeper into that issue in upcoming blog posts.
A side note on the survey: These findings are part of the third annual Global Privacy Enforcement Network (link is external) (GPEN) privacy sweep. GPEN connects privacy enforcement authorities to promote and support cross-border cooperation. This year’s GPEN sweep brought together 29 privacy enforcement authorities from around the world. With the explosion in children’s connectivity, the sweep centered on the privacy practices of websites and apps popular among kids.