Your preschooler’s privacy is likely being violated by the child-centered games or educational apps he or she is playing – perhaps on your very own smartphone or tablet – in direct violation of the Children’s Online Privacy Protection Act.
That’s the shocking finding of a new study analyzing how developers collect and share personal digital information while children are using many of the tens of thousands of digital apps created for kids – a trend that is on the rise during the coronavirus pandemic as more and more children shelter and study at home.
“My colleagues and I found that 67% of the apps played by 3- to 4-year-old children collected these sorts of digital identifiers – mobile serial numbers or ID codes that can be traced back to the device’s owner – and shared them with ‘third party’ marketing companies,” said lead author Dr. Jenny Radesky, an assistant professor of pediatrics at Michigan Medicine C.S. Mott Children’s Hospital.
“The fact that two thirds of apps used by very young children transmit information about their online activity — information that is ultimately used to target ads — suggests that COPPA noncompliance is indeed widespread, and more enforcement is needed,” said Angela Campbell, who directs the Institute for Public Representation Communications and Technology Clinic at Georgetown Law, in an accompanying editorial.
Why is this alarming? Because the tapped information can be used by businesses to identify personality traits or behavioral weaknesses that leave children open to risk for manipulation or exploitation, the study said.
“It is incredible how much can be inferred from a child’s gameplay behavior: their impulsivity, responses to rewards, or information processing,” said Radesky, who is a developmental behavioral pediatrician and a lead author of the American Academy of Pediatrics’ screen time guidelines.
“Educational technology reveals even more about our children’s strengths and weaknesses, including data such as their behavioral self-control or learning disabilities,” she added.
Digital footprints
All of us experience digital tracking every day on the web – how else did that garden hose you were pricing suddenly appear in an ad on a different site you just clicked to?
When we use the internet to shop or surf, we give away information on what we like to read, where we like to shop, what we want to buy and what we think. That digital footprint is collected and sold to third-party aggregators to provide marketing insights and target ads to our preferences – such as a garden hose.
To understand more of how developers design websites and apps to collect information on our personal likes and dislikes, Radesky suggested watching the new Netflix docudrama “The Social Dilemma,” which debuts Wednesday, September 9.
Some of us find such deliberate tracking creepy and worry about invasion of personal privacy and identify theft; others like the personalization and content suggestions that fit our preferences.
Regardless of your point of view, that type of data mining is not supposed to happen to our children. The Children’s Online Privacy Protection Act requires web platforms and creators of digital products to obtain parental consent before collecting and sharing anything that might be traced back to a child under the age of 13, such as location, email or a serial number or other device identifier.
However, a 2018 study that analyzed 959,000 apps on Google Play stores in the United States and the UK found those in the “Family and Games & Entertainment genre” – which children would use – contained the highest number of third-party trackers. Another 2018 study found the majority of the most popular free children’s apps for Androids may violate COPPA rules.
And a newly established digital watchdog, called the International Digital Accountability Council, just published a report that found reading, math, science and language apps shared data to multiple third-party companies, although none did so in an “egregious or evidently willful” manner.
Tracking your child to your home
The new research, published Tuesday in JAMA Pediatrics, is part of a longitudinal study of child mobile media use, development and behavior called the Preschooler Tablet Study.
In this first wave, the study looked at data from 124 children using Android children’s apps, analyzing the number of information transmissions to third-party domains over a nine-day period.
“In our study, we were able to detect when apps were siphoning data such as advertising IDs, device IDs, email addresses, or even geolocation coordinates without the app or the app store providing notice,” Radesky said.
Being able to track a child to a particular neighborhood is especially valuable to marketers, Radesky said.
“Location is a very valuable piece of private data, since it can identify behaviors like where you go to church, which can help target ideological ads at you,” Radesky said.
And analyzing the type of content a child consumes can tell companies a great deal about both the child and the parents, she added.
“When it comes to videos (children) view on YouTube, TikTok, or other platforms, online behavior can reveal aspects of their psychology such as their emotional reactivity, body image, or their penchant for outrageous content,” Radesky said.
Companies can use this information to profile consumers and “sell our characteristics to advertisers who want to influence our beliefs and behaviors about things like COVID-19, racist hate speech, or voting,” she said. “The data transmissions identified in the study are part of the same machine that powers these persuasion markets.”
Not all of the apps said they were specifically designed for children, the study found – yet children were using them.
“We found that most of kids’ data were being collected from apps that called themselves ‘general audience apps,’ even though they had names like ‘Children’s Doctor Dentist,’ ” Radesky said. “Lack of enforcement of COPPA has meant that these apps can claim they are not for kids, and therefore continue to collect data.”
That is a major issue in the industry, said Morgan Reed, president of The App Association (ACT), which represents more than 5,000 mobile app makers and connected device companies.
“The dominance of free, general audience apps like YouTube, Facebook, and casual games (has) created an environment rife with confusion as to what is a kids’ app and a wave of blatantly poor privacy practices for children and adults alike,” said Morgan, who was not involved in the study.
“Rather than layering compliance burdens on kids’ app developers trying to do the right thing, Congress should pass comprehensive legislation that sets privacy expectations for general audience and kids’ apps alike,” he said.
Socioeconomic differences
Children of parents in higher socioeconomic and educational brackets were less likely to experience digital collection tactics, possibly due to the parent’s ability to screen for such exposure, the study found.
“Children in our study who were from lower-education backgrounds were two to three times more likely to have their data collected and shared, which raises questions about structural inequities in digital surveillance,” Radesky said.
In addition, children who were older, who had their own mobile devices or who played a higher number of apps also had more personal information siphoned, the study found. Only 8% of children in the study played apps that transmitted no data at all.
What can parents do?
While it should be up to government authorities to enforce the Children’s Online Privacy Protection Act, that is not currently happening, Radesky said. Therefore, she said, it falls to parents to identify and block apps and games that might be exploiting children.
“If you want to go all-out, you can stop installing apps (other than what is needed for school) until app stores are more transparent – meaning that Google Play, iTunes and other stores would test each app and disclose what data it collects,” Radesky said.
For Android apps, you can also go to the website AppCensus AppSearch and search for the app to see what privacy protections it includes. If they do mine for data, uninstall them, Radesky advised.
Other actions include:
- Turn off geotagging in all apps and games (or any other features).
- Check privacy settings on any app your child has, including Facebook and other social media sites as they grow.
- Delete any app or games your child no longer uses – in fact, go further and ask the app developer to delete any data that it has collected on your child (or you).
- Seek out products that minimize data collection by default, such as PBS Kids, Nick Jr. or Lego.
- Rethink sharing pictures of your children on public social media sites – some unscrupulous websites steal the pictures and use them in other, less savory, ways.
- Check out Common Sense Media and Campaign for a Commercial Free Childhood for information and trends on data privacy.
Get CNN Health's weekly newsletter
Sign up here to get The Results Are In with Dr. Sanjay Gupta every Tuesday from the CNN Health team.
Above all, take the invasion of your child’s personality, growth and behavior seriously.
“Aspects of our personality and neurodiversity are extremely personal and can be exploited, and therefore medical and research institutions have rigorous safeguards to keep this information private,” Radesky said.
“As our country heads into a year of online learning, it’s crucial that we know that children’s educational data are not merged with marketing datasets that can then exploit these fundamentally private things about our children.”