Google cannot escape COPPA lawsuit
There was some big news last week on the children’s privacy front: A District Judge has ruled that Google and the apps they sell on their “store” cannot dodge a lawsuit brought by the New Mexico Attorney General. Previously, a state court had said the case couldn’t proceed, but thanks to this decision, Google will face claims that apps they hosted in the “Designed for Families” section of their Google Play Store, and ad networks they employed, had actual knowledge they were targeting and marketing children’s data, in violation of COPPA, the Children’s Online Privacy Protection Act. The apps in question are owned by Tiny Lab Productions.
This court case will be significant in highlighting how apps use cookies and advertising tools to track children across the web. As explained in the decision,
“Tiny Lab Productions (“Tiny Lab”), a Lithuanian company, is a developer of child-directed, mobile game apps including Fun Kid Racing, Candy Land Racing, Baby Toilet Race: Cleanup Fun, and GummyBear and Friends Speed Racing. AdMob [AdMob is owned by Google], Twitter/MoPub, InMobi/AerServ, Applovin, and ironSource (collectively, the “Ad Networks”) sold their proprietary software development kits (“SDKs”) to Tiny Lab for installation and use in its gaming apps. Id. ¶ 13. When a Tiny Lab app is downloaded onto a child’s device in New Mexico, the Ad Networks’ SDKs are also installed as app components. Id. ¶ 5. Once so embedded, while a child in New Mexico plays one of the apps, the Ad Networks’ SDK collects personal information about that child and tracks the child’s online behavior to profile the child for targeted advertising. Id. ¶¶ 43-46. This activity is invisible to the child and her parents” [emphasis added]
Think of an advertising SDK as a unique tag that identifies the user and follows him or her across the internet; an “Identifier for Advertisers” that allows advertisers to see what sites the user visits, and stays embedded on their device even after they are done using the original app. Ad tracking tools like cookies, persistent beacons, and fingerprinting can be installed on a child’s device when they download an app or edtech platform and these are not transparent to the student, the teacher, or the parent. We know apps track us, but it is not always easy to see how or what they do with our data.
Several parents have asked us:
- How often do apps use children’s information for marketing purposes?
- Do edtech apps use ad trackers?
- How would you know if your child’s app is using adware or ad trackers?
- What can parents do?
Thankfully, others including this bipartisan group of US Senators, are asking how edtech companies use children’s data. The Federal Trade Commission (FTC), which oversees COPPA, is also asking how online platforms use children’s data. In a move led by Commissioner Christine Wilson, the FTC announced in December 2020 that it is using its 6(b) authority to investigate several big tech companies that handle children’s data. In a joint statement issued by the FTC says, “Despite their central role in our daily lives, the decisions that prominent online platforms make regarding consumers and consumer data remain shrouded in secrecy. Critical questions about business models, algorithms, and data collection and use have gone unanswered.”
We agree with executive director of the Campaign for a Commercial-Free Childhood Josh Golin’s statement in Bloomberg News, “These 6(b) studies will provide a much-needed window into the opaque data practices that have a profound impact on young people’s well-being”.
These FTC studies come at a time when many are also calling for COPPA to be updated. Currently COPPA only covers children 12 and under and is confusingly and inconsistently applied to schools. Through advisory guidance (though not regulation), the FTC has said that schools can consent in place of parents, but only if the app is used ONLY for educational rather than marketing purposes. [You can see the joint letter we sent the FTC with 23 organizations when they threatened to weaken COPPA, and you can also read our separate PCSP comments to the FTC here.]
COPPA says that websites and online services, including apps and general audience sites that have actual knowledge they are collecting data from children under 13, must get prior parent approval before collecting, using or disclosing a child’s information. The FTC says this “includes a child’s name, address, phone number or email address; their physical whereabouts; photos, videos and audio recordings of the child, and persistent identifiers, like IP addresses, that can be used to track a child’s activities over time and across different websites and online services.” However, many agree that actual knowledge should be updated to constructive knowledge. As implied in the case of the above Google lawsuit, constructive knowledge means the company has enough information that they knew or should have reasonably known the app was directed towards children and they were allowing for the marketing of their personal data.
Why are companies allowed to use children’s data for advertising at all?
Parents need transparency and control over how children’s data are collected and used. We believe children should be protected, not monetized or profiled by advertisers. We think that all advertising to children under the age of 18 by any app or program used in schools should be prohibited; any data gathered by these apps should be strictly used only for educational purposes.
Apple will prohibit automatic ad tracking
This idea of prohibiting ad tracking is not that novel. Last year Apple began requiring developers in its App Store to have Privacy Labels, listing which types of data the app collects and how it uses your data. Now, Apple has just announced a new transparency feature that will prevent apps from sharing your data with third parties, without opting-IN. Apple’s white paper that discusses their new policy and prevalence on embedded trackers is entitled A Day in the Life of Your Data, and is worth taking a look at. As TechCrunch reports,
“The App Tracking Transparency feature moves from the old method where you had to opt-out of sharing your Identifier for Advertisers (IDFA) to an opt-in model. This means that every app will have to ask you up front whether it is ok for them to share your IDFA with third parties including networks or data brokers.”
“The feature’s most prominent evidence is a notification on launch of a new app that will explain what the tracker will be used for and ask you to opt-in to it. …app developers would have to ask users for permission in order to track and share their IDFA identifier for cross-property ad targeting purposes.”
This is how Apple describes the new system:
“Under Settings, users will be able to see which apps have requested permission to track, and make changes as they see fit. This requirement will roll out broadly in early spring with an upcoming release of iOS 14, iPadOS 14, and tvOS 14, and has already garnered support from privacy advocates around the world.”
Tools you can use to see trackers and block ads
There are several tools you can use to see and block trackers on your child’s device. Here are a few:
- Install uBlockOrigin tracker and ad blocker; it’s free and it shows you the trackers and blocks ads. We know of schools who have installed uBlockOrigin on every student Chromebook to stop ad tracking in schools. Ask your school if they would be willing to install an ad blocker like uBlockOrigin on school issued devices. Go here to download uBlockOrigin https://github.com/gorhill/uBlock#ublock-origin or here https://ublockorigin.com/ ; either of these links will ensure you are using Origin. Read more about uBlockOrigin here. See an example (below) of the 14 trackers blocked while a student visited her College Board MyAP Classroom account.
- MarkUp’s Blacklight lets you paste website urls into their analysis program to see what type of ads and trackers are being used. This tool gives detailed analysis and even flags trackers that evade cookie blockers. https://themarkup.org/blacklight See an example (below) of the different kinds of trackers found on a student’s Google Classroom account.
- Use a web browser that blocks ads: Brave web browser blocks ads and reportedly loads pages quicker than Chrome. Firefox also blocks ads and has many privacy and security extensions.
Take our App Survey
In honor of World Data Privacy Day, on January 28, we launched an App Survey for parents, asking what apps your school uses and what privacy protections and transparency notifications are in place. The response has been incredible and we encourage all parents to share and take this survey; of course your answers will remain confidential. Click here to take the survey and if you happen to install ad blockers, let us know what you find!
uBlock and AP Classroom trackers
Blacklight and Google Classroom ad trackers