Sign up for tech policy updates
The latest on technology policy from AEI, published daily.
What’s new in tech policy at AEI?
Beyond privacy protection: Getting to privacy enforcement
View related content: Technology and Innovation
Privacy concerns continue to foment in our brave new digital age, and industries that rely on the collection and exchange of consumer data continue to be in the news for data-related reasons. Eyes had been on the Cambridge Analytica scandal and the Zuckerberg hearings, but other instances of data collectors behaving badly have been in the news. If you happened to miss it, a study published last month showed that thousands of Android apps may be illegally tracking children.
To put this headline in perspective, there are very few federal privacy laws, but one such law is the Children’s Online Privacy Protection Act (COPPA). Broadly speaking, one aspect of COPPA is that it prevents the collection of the personal data of children. If an app is aimed primarily at children 13 years old and under, it falls under the COPPA prohibition. In a fascinating study, independent researchers viewed the data gathered by over 5,000 Android apps aimed at children and determined that over 60 percent of the apps may be in violation of COPPA. The main point of the COPPA violation may center on app developers’ use of third-party software development kits (SDKs) that expressly state that they are not COPPA compliant. Even after using these non-COPPA compliant SDKs, the developers attest to Google (the app platform) that the app is indeed COPPA compliant. The authors summarize:
Based on our automated analysis of 5,855 of the most popular free children’s apps, we found that a majority are potentially in violation of COPPA, mainly due to their use of third-party SDKs. While many of these SDKs offer configuration options to respect COPPA by disabling tracking and behavioral advertising, our data suggest that a majority of apps either do not make use of these options or incorrectly propagate them across mediation SDKs. Worse, we observed that 19% of children’s apps collect identifiers or other personally identifiable information (PII) via SDKs whose terms of service outright prohibit their use in child-directed apps. Finally, we show that efforts by Google to limit tracking through the use of a resettable advertising ID have had little success: of the 3,454 apps that share the resettable ID with advertisers, 66% transmit other, non-resettable, persistent identifiers as well, negating any intended privacy-preserving properties of the advertising ID.
The Federal Trade Commission (FTC) — which has guidance on the parental consents required for COPPA — has not yet acted on the study.
For its part, Google has responded by saying it is “taking the researchers’ report very seriously and looking into their findings.” The company is in an interesting legal position. Platforms that “merely offer the public access to someone else’s child-directed content” are exempt from COPPA liability. However, in the Google Play Store, Google permits app developers to voluntarily choose Google Play’s Designed for Families program. These apps are self-reported as directed, among others, at children under age 13. The developers of these apps will have received some guidance from Google on COPPA compliance, and the developers attest that they are in compliance. Even though Google will not be liable under COPPA, it does appear to be in an enviable position to enforce its own terms of service and protect Google consumers from COPPA violations. Arguably, the FTC could encourage Google to do so by flexing its Federal Trade Commission Act Section 5 muscles, but the commission has not yet moved forward to do so.
In the rush for new privacy legislation, this study is an insight into how much needs to be done on enforcement of the laws currently on the books. The creative process developed by these researchers also shows that private solutions to privacy detection, enforcement, and prevention might exist if Google, regulators, and other data industry insiders are willing (or forced) to adopt them.