Increasingly, children are accessing mobile applications via cell phones and tablets at younger ages. Recent Pew Internet studies find that 68% of children aged 12-13 own a cell phone and 71% access the Internet via a mobile device (phone, tablet, or other mobile device). Within this age group, 66% report downloading a mobile app. These apps can collect demographic, personally identifiable, behavioral and location data, though the types and combinations of data collected vary. In an effort to protect children’s privacy online, in 2000, the Children’s Online Privacy and Protection Act (COPPA) was enacted in the United States to provide mechanisms for parents to control the information collected from their children online. The legislation stipulates that websites actively collecting information from children under age 13 must seek written parental consent. While COPPA represents an effort to safeguard children’s digital privacy, many argue that it is difficult to implement, resulting in loopholes for children’s access and reduction in their information security. Central to this issue is COPPA’s requirement of written parental consent for their child’s participation. Many websites have enacted age-based bans to comply with COPPA, banning users under the age of 13 in their Terms of Service. Those that offer content to children and attempt to comply with COPPA guidelines, follow a model similar to that of Disney’s popular Club Penguin app. When creating an account, a user who is under 13 must provide an email address for their parent who is then sent an activation email. Yet the identity of an email user is difficult to confirm and as one mother demonstrated, aliases are easy to create. Further, age verification systems face technical and social challenges as young users attempt to subvert them for access.

Is it feasible for apps to be COPPA compliant in light of these technical and social challenges? In a paper published this week in the proceedings of the Privacy, Security, & Trust conference, I, together with Ilaria Liccardi, Hal Abelson, Daniel Weitzner, and Wendy MacKay investigate the social and technical feasibility of apps complying with COPPA. From a technical perspective, we examine apps rated as appropriate for children to determine which of these apps are actually targeted for young audiences, how they engage in COPPA compliance, whether they remain COPPA compliant after 6 months, and what information they collect about their users. We identify 38,842 (out of 635,264) apps which are described by their developers as suitable for young users. Half of these child-directed apps have the ability to collect personal data and only 6% present a privacy policy. We combine this technical analysis with a literature review of behavioral studies of children’s engagement with apps and websites to evaluate the technical and social challenges of COPPA compliance.
Photo image credit: Claude Robillard