Mobile apps still collect vast amounts of personal data on kids, despite FTC privacy rule

More than a year after federal regulators issued new privacy rules for kids' mobile apps, online stores are flooded with cute and silly software programs that quietly collect vast amounts of data on the youngest consumers, including a person's location and even recordings of their voice, according to privacy researchers and consumer advocates.

Whether they pass that information on to retailers or seek parental consent first — as required by law — isn't entirely clear. But if you don't want your family tracked online by fast food chains, toy stores or other retailers, your choices are limited: Stick the phone in "airplane mode" to shut off the wireless connection and risk losing functionality, or wade through a developer's privacy policy to make sure you're OK with how it works.

"Kids are such a lucrative market, especially for apps," said Jeff Chester, executive director of the Center for Digital Democracy. "Unfortunately, there are still companies out there that are more concerned about generating revenue than protecting the privacy of kids."

Americans have traded vast amounts of personal data in exchange for the ease and functionality of fun mobile applications on their phones. But how is industry using that information? Chester and other consumer advocates allege that fast food chains are increasingly focusing advertising dollars on digital media, targeting blacks and Hispanics. They also warn that data from phones can be combined with offline information like home prices, race or income in ways that could violate fair lending laws. And a new site, PrivacyGrade.org, found that many popular kids' apps like Talking Tom and Fruit Ninja collect information in ways parents wouldn't necessarily expect.

Concerned in particular about industries' focus on kids online, the Federal Trade Commission in July 2013 expanded the Child Online Privacy Protection Act, or COPPA, to require app developers to get parental consent before collecting personal data on anyone younger than 13. That includes information like the unique identifying device on a phone, a person's phone number or a device's location.

"It's upped the ante for companies deciding whether they are going to market to kids," said Michelle De Mooy of the Center for Democracy and Technology. "And that's a good thing."

But with the number of smartphones expected to reach 3.5 billion in the next five years, according to Forrester Research, the mobile app and advertising industry has exploded. Regulators don't have an easy, automated way of analyzing the hundreds of mobile apps popping up each day, forcing them to focus efforts on the most egregious privacy offenders.

Since the updated regulation went into effect, the FTC has brought about only two enforcement actions against mobile apps. Last September, the commission announced that Yelp Inc. agreed to pay $450,000 and TinyCo. $300,000 to settle separate charges that their companies knowingly collected information on young children through their mobile apps.

"Our ultimate goal is compliance," said Kandi Parsons, an attorney in the FTC's Bureau of Consumer Protection. But "that doesn't undermine our desire to bring cases against companies that violate COPPA ... where we find violations, we will bring cases against mobile apps."

According to PrivacyGrade.org, which is run by computer scientists at Carnegie Mellon University, scores of apps that collect information are still aimed at kids.

For example, Fruit Ninja collects a phone's location, which could be passed on to advertisers. And Talking Tom, where kids can talk to and "tickle" an alley cat using the touch screen, collects a child's audio recordings along with other information that can uniquely identify a phone.

Whether these apps would violate COPPA, would depend on a number of factors, including whether and how they seek parental consent. But because these apps collect information in surprising ways, PrivacyGrade.org gave them both D grades.

Outfit7, the developer behind Talking Tom, said in a statement that personal information and recordings are never shared with advertisers. The developer says its app also complies with COPPA by providing "appropriate gate protections ... to distinguish adults from minors and restrict sharing on social media," according to the statement.

Halfbrick Studios, which developed Fruit Ninja, said in a statement that it planned to release updates to Fruit Ninja and other apps to increase privacy protections.

"Parents and players are understandably cautious about the privacy aspects of online games, and the way their data is handled," said company CEO Shainiel Deo. "Creating a safe and secure app is no longer enough to answer consumers' needs for assurance. Developers must also ensure that permissions are clearly explained and easy to access at every applicable point in a game."

Jason Hong, who runs PrivacyGrade.org, says it's hard to know exactly what developers are doing with the information they collect. And it's possible, he said, that some developers are building apps using popular, pre-fabricated libraries of code that automatically collect information that the developer never uses or passes on to advertisers.

Hong said he thinks the government should devote more resources to evaluating popular apps and working with developers to promote basic privacy standards.

"It's part of a long conversation about what is privacy, and what we should be doing every day," he said.

___

Follow Anne Flaherty on Twitter at https://twitter.com/AnneKFlaherty

___

Online:

FTC Consumer Information: http://www.consumer.ftc.gov/articles/0031-protecting-your-childs-privacy-online