The Effect of Platform Policies on App Privacy Compliance: A Study of Child-Directed Apps

Noura Alomar; Joel Reardon; Aniketh Girish; Narseo Vallina-Rodriguez; Serge Egelman

The Effect of Platform Policies on App Privacy Compliance: A Study of Child-Directed Apps

Authors: Noura Alomar (University of California, Berkeley), Joel Reardon (University of Calgary), Aniketh Girish (IMDEA Networks Institute), Narseo Vallina-Rodriguez (IMDEA Networks Institute), Serge Egelman (University of California, Berkeley and International Computer Science Institute (ICSI))

Volume: 2025
Issue: 3
Pages: 170–191
DOI: https://doi.org/10.56553/popets-2025-0094

Download PDF

Abstract: Over the past few years, the two dominant app platforms made major improvements to their policies surrounding child-directed apps. While prior work repeatedly demonstrated that privacy issues were prevalent in child-directed apps, it is unclear whether platform policies can lead child-directed apps to comply with privacy requirements, when laws alone have not. To understand the effect of recent changes in platform policies (e.g., whether they result in greater levels of compliance with applicable privacy laws), we conducted a large-scale measurement study of the privacy behaviors of 7,377 child-directed Android apps, as well as a follow-up survey with some of their developers. We observed a drastic decrease in the number of apps that transmitted personal data without verifiable parental consent and an increase in the number of apps that encrypted their transmissions using TLS. However, improper use of third-party SDKs still led to privacy issues (e.g., inaccurate disclosures in apps’ privacy labels). Our analysis of apps’ privacy practices over a period of a few months in 2023 and a comparison of our results with those observed a few years ago demonstrate gradual improvements in apps’ privacy practices over time. We discuss how app platforms can further improve their policies and emphasize the role of enforcement in making such policies effective.

Keywords: software developers, SDKs, privacy, security, Google Play, personal data, development practices, Android, COPPA

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.