The internet has become a major part of children’s lives, but their online privacy and security are still at risk. A recent study by Comparitech has revealed that many children's apps on Google Play might be violating the UK's Information Commissioner's Office (ICO) age-appropriate design code.
The ICO code, which came into effect in September 2020, sets out 15 standards that online services must follow to protect children’s online data and privacy. The code applies to any service that is likely to be accessed by children under 18 in the UK, even if it is not specifically aimed at them. The code also requires online services to conduct data protection impact assessments and provide transparent and tailored privacy policies for children.
The study by Comparitech found that nearly 25 percent of the apps reviewed had privacy policies that suggested possible breaches of the ICO code, such as collecting personal data without proper policies or consent, sharing data with third parties without transparency, or claiming not to target children despite being in the child-specific section of Google Play. The most common violation was collecting IP addresses or other persistent identifiers from children without having a clear and comprehensive section on children’s data protection within their privacy policy. IP addresses are considered personal data by the ICO and the EU General Data Protection Regulation (GDPR).
Comparitech studied a total of 402 apps that appeared on the Google Play tab for Children and assessed whether they complied with the ICO’s age-appropriate design code.
The key findings were:
- 96 apps (23.9 percent) had privacy policies that suggested possible violations of the ICO code in some way.
- These apps were downloaded by more than 383 million users and had received an “expert-approved” badge from Google Play.
- 22 apps (5.5 percent) claimed not to be aimed at children despite being in the child-specific section and having a PEGI 3 rating (suitable for all ages).
- 46 apps (11.4 percent) collected personal data without a child-specific policy or were vague, open to interpretation, or unclear about their data collection practices or third-party sharing.
- 16 apps (4 percent) collected data without parental permission or without the right protocols in place.
- 12 apps (3 percent) did not collect data themselves but worked with third parties that potentially did.
A Google spokesperson stated to Comparitech:
"Google Play takes the protection of children on its platform seriously. Play has policies and processes in place to help protect children on our platform and has invested significant resources into related features. Apps that target children must comply with our Google Play Families Policy, which requires developers to adhere to all relevant laws and all of Play’s Developer Program Policies, plus imposes additional privacy, monetisation, and content restrictions like prohibiting access to precise location data. Developers are responsible for ensuring their apps are compliant with all relevant laws and appropriate for their target audiences, including children."
However, the findings suggest that there may be gaps in Google Play’s review process and enforcement of its own policies.
The ICO has said that it is looking into how over 50 different online services are conforming with its code and that it has four ongoing investigations. It has also audited nine organization and is assessing their outcomes. The ICO can impose fines of up to 4% of global turnover or £17 million (whichever is higher) for serious breaches of its code.
Source: Comparitech
4 Comments - Add comment