Article Text
Statistics from Altmetric.com
Despite policy recognition of children’s vulnerability online, children’s apps (or parental apps involving children’s data) may share user data with third parties, which may be used to create detailed, long-term profiles of children, generating privacy risks.1 2 These risks have attracted policy attention from the Federal Trade Commission; Apple Inc. subsequently stipulated that apps developed for children may not send personally identifiable or device information to third parties and should not include third-party trackers or advertising.
We conducted a cross-sectional study of top user-rated mobile apps labelled for children under 12 years available in the Apple App store in Australia, Canada, the UK and the USA as of July 2022 (https://kids-apps.healthprivacy.info). We aimed to (1) Characterise their data sharing practices through analysing their network traffic; (2) Identify the third parties who received the information transmitted from these apps. Building off previously reported methods,3 we created a parent/child dummy profile and measured network traffic analysis during simulated app use to identify transmission of 21 prespecified types of user data and its network destinations. For identified data recipients, we examined their websites to categorise data recipients’ main activities.
We purposively sampled 25 of 6264 apps identified by an App Store crawling program because they were highly rated by users (84% or 21/25 rated >4.4/5.0), had a privacy policy (96%, 24/25) and represented a variety of store categories including Productivity, Lifestyle, Utilities and Social Networking (32%, 8/25), Education (28%, 7/25), Entertainment (20%, 5/25), and Games (20%, 5/25), and Medical, Health and Fitness (12%, 3/25).
All sampled apps (100%, 25/25) shared user data with varying degrees of sensitivity outside the app (table 1). Almost half of the apps (44%, 11/25) transmitted at least one piece of data to third parties considered to be personal information under the European Union’s General Data Protection Rules.
Included apps transmitted user data to 165 unique hosts (median 10, IQR 5–17). Forty hosts (24%, 40/165) were associated with the app’s developer or its parent company. One hundred and thirty-eight hosts (84%, 138/165) were third parties including those providing infrastructure-related services (19%, 31/165), such as cloud services, and analysis services (65%, 108/165), such as advertising or analytics for commercial purposes (table 2). Amazon.com, Inc., Apple Inc. and Google LLC accounted for over a third of the unique hosts (58/165, 35%) in our traffic analysis and received data from all apps in the study as either a first party or third party (table 2). Despite Apple Inc.’s guidelines, 18 apps (72%) transmitted data to analysis-related third parties not associated with Apple Inc.
Children’s data are commonly shared with third parties, suggesting there are privacy risks in using children’s apps.4 Thus, an industry self-regulatory approach to addressing children’s privacy risks in apps may be limited. The implications of data sharing may manifest across aspects of childhood including those related to education, entertainment and health, and extend into adulthood. Privacy regulation should require transparency and accountability of data sharing practices from developers and third parties and promote user control over data sharing.
Ethics statements
Patient consent for publication
Ethics approval
Not applicable.
Acknowledgments
The authors thank ip2location.com for support in providing an academic license to their geo-IP database.
Footnotes
Contributors QG and LJ acquired funding, designed the study, supervised, and participated in data collection and content analysis. JP participated in data collection and content analysis. JB conducted the traffic analysis. TB conducted the traffic analysis. AC and RH designed the study, supervised the traffic analysis. JP and QG act as guarantors.
Funding Government of Canada’s New Frontiers in Research Fund (NFRF) (NFRFE-2019-00806).
Competing interests None declared.
Provenance and peer review Not commissioned; externally peer reviewed.