Google is looking into the findings of a new study that says thousands of the most popular free kids' apps in its Google Play store may be illegally tracking their young users — without getting parents' permission first.
Researchers at the University of California's International Computer Science Institute analyzed 5,855 of the most downloaded kids apps, concluding that most of them are "are potentially in violation" of the Children's Online Privacy Protection Act 1998, or COPPA, a federal law making it illegal to collect personally identifiable data on children under 13.
In addition, almost half of that sample didn’t follow standard security measures for sending sensitive data online, potentially in violation of the data security measures required by COPPA.
Some of the potentially problematic apps identified by the researchers included TabTale’s Pop Girls–High School Band, Disney’s Where’s My Water? and Tiny Lab’s Motocross Kids–Winter Sports, as well as Yousician’s Guitar Tuner Free — GuitarTuna.
Some of the apps were "transmitting location data, where you go, potentially where you live," said study co-author Serge Egelman, director of privacy research at the International Computer Science Institute.
Other information that some of the apps transmitted included names, phone numbers, email addresses and serial numbers or other codes that could be used to identify the device. Even if the data gathered only contained a string of numbers and letters as part of an identification code, tracking companies could partner with third-party data brokers to connect that code with other slices of information collected — and form a complete user profile to deliver targeted advertising.
"There's no way for the average consumer to tell an app can do this," Egelman told NBC News. The solution? "Don't use apps," said Egelman. Instead, it's up to regulators to get involved, he said.
Each app had been installed by users more than 750,000 times on average, the researchers wrote.
Whereas Apple iOS users do have a function where they can "reset" the advertising identification token by digging into their settings (Settings -> Privacy -> Advertising -> Reset Advertising Identifier -> Reset Identifer), Egelman said the Android system has more persistent identifiers that can't be changed.
His group is maintaining a website where parents can research kids apps and see whether and what kind of privacy issues they may have, Appcensus.mobi.
In a statement, Google said it's taking the researchers' report "very seriously and looking into their findings." The company said "Protecting kids and families is a top priority" and promised to "take action" on any app that violates its policies.
Reached for comment, a Disney spokesperson told NBC News, "Protecting children’s online privacy is very important to us and we are confident that our practices adhere to the law. We have a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families."
TinyLab CEO Jonas Abromaitis said in a statement that "we are not violating COPPA in any way as far as we know," and said his company's apps ask users for their birthdate before playing and doesn't collect personnel information for users who say they're under 13.
Guy Tomer, the Chief Operating Officer of Tap Table said "we are looking into this matter further and if we find anything of concern we will take appropriate action if necessary."
Yousician didn't immediately provide a comment upon request.