Kids and Data: How Apps Invade Child Privacy by Shipra Sanganeria

Published on: September 15, 2025

From interactive learning tools to reading games, children’s apps often come with hidden costs. Behind their playful designs lies a billion-dollar data economy that quietly harvests names, voice recordings, locations, and more.

Laws like COPPA and GDPR have provisions meant to protect children and their data, but enforcement remains weak and many apps exploit loopholes like vague age gates or mixed-audience claims.

To understand the depth of this problem, our research team at SafetyDetectives analyzed 20 popular educational and gaming apps for children. We found that 70% of the apps collected personal identifiers, over half shared data with third parties, and 100% of subscription-based apps were rated medium- to high-privacy risk.

This article reveals how monetization models, platform rules, and lax regulations are quietly enabling a new era of childhood surveillance, and what can be done to stop it.

Methodology

To understand how children’s data is collected, shared, and monetized, we analyzed 20 popular applications primarily from the Google Play Store and Apple App Store.

Selection criteria included:

• Target audience: Apps for children aged 2–12, based on app store categorization, descriptions, and third-party recognition (e.g., Common Sense Media).
• High install counts, strong average ratings, and broad user reach.
• Cross-platform availability, with some high-risk, single-platform popular apps included.
• Freemium, subscription-based, and ad-supported apps were examined to understand links between monetization and privacy risk.
• Categories such as EdTech and classroom tools, learning games, multimedia educational content, and entertainment and gaming were examined.

We reviewed privacy policies (from app stores and developer sites) and manually extracted data on whether and how the apps collected personal information (PII, device, location).

In addition, third-party data sharing, deletion options, and platform-specific disclosures were assessed.

Finally, apps were scored across 20 questions using a traffic-light model:

• Green (2 pts) – Minimal or no data collected
• Yellow (1 pt) – Limited or vaguely defined collection
• Red (0 pts) – Extensive or sensitive data collected

Final scores reflect the clarity and safety of each app’s privacy practices.

What the Law Says vs. What Apps Actually Do

Even as concerns about children’s digital safety grow, few governments have introduced laws to protect kids’ safety and privacy online.

On paper at least, two major regulations set clear boundaries:

• COPPA (US): The Children’s Online Privacy Protection Act (COPPA) requires websites and online services to obtain verifiable parental consent before collecting, using, or sharing data from children under 13.

• GDPR (EU/UK): The General Data Protection Regulation (GDPR) sets the age of digital consent at 16 by default, though member countries may lower it to 13 (UK: 13, Spain: 14). It also gives children the right to have their data erased.

But in practice, these rules are often bypassed or ignored. Loopholes, vague definitions, and poor enforcement allow many apps to sidestep these protections.

What Data Is Actually Collected

To assess how well some of the most popular educational and entertainment apps follow COPPA and GDPR, we analyzed each app against 17 real-world data behaviors like what they collect and share, and whether basic protections like encryption or deletion are offered.

Apps like ABCmouse and Epic! collect more data than most parents expect, including usage patterns, device identifiers, and sometimes even precise location.

While the previous table outlines data types that are commonly collected, platform differences matter. The same app may collect or disclose different data on Apple versus Google — we explore this in detail later.

For example, Lingokids links behavioral and ID data to children on Apple but doesn’t disclose marketing use. Elmo Loves ABCs appears nearly data-safe on iOS, yet collects location and diagnostics on Google Play.

Meanwhile, basic protections like encryption or easy account deletion are often unclear or entirely absent.

How Risky Are These Apps?

Now that we’ve shown the kinds of data these apps collect, the next question is: How risky are they, really? We scored each app based on its data collection and sharing practices. The results may surprise you.

Of the 20 apps that we tested, we rated 35% (7 apps) as high-risk — they collect personal data, share data with third parties, or lack deletion options.

Another 40% (8 apps) fell into the moderate-risk category, often collecting partial data or offering vague, unclear privacy policies.

Rarely do these educational and entertainment apps spare even very young children. Nearly 80% of these high- to moderate-risk apps are designed for kids under age 5, despite regulations like COPPA and GDPR that are designed to protect them.

The overall trend paints a concerning picture, but which apps are the worst offenders? The breakdown in the following tables show what each app collects and why it earned a high-, medium-, or low-risk score.

App-by-App Risk Breakdown

Apps categorized as high risk collect extensive data with little transparency, often sharing user IDs, usage behavior, and even sensitive data like voice or photos.

• Biometric Red Flag: Reading Eggs is the only app in the previous table that collects audio and photo data, a major red flag under kids’ privacy laws.
• Extensive Sharing: Over 50% of the red-flagged apps confirm third-party marketing use, especially on Apple.
• Lack of Clear Deletion: Most of these apps do not offer any clear deletion option.

Apps categorized as moderate risk often don’t share data externally, but still collect device IDs, usage data, or lack clarity on privacy policies.

For example, Duolingo ABC collects some data and links it to identity, while Sago Mini World shows more data use on Apple than Android.

• Platform Disparity: Several apps like ScratchJr perform better on Google Play, with Apple versions collecting more identifiers or lacking deletion support.
• Data Collection: Nearly 60% of the apps we rated as moderate-risk collect data for internal use (analytics).
• Deletion Options: About 62% of these apps do not offer any clear deletion option.

Apps categorized as low risk generally avoid personal data collection and third-party tracking, with strong online support.

Some may collect data for analytical purposes, but nothing is linked to the user (children).

• Zero Tracking: Apps like Monkey Preschool Lunchbox and PBS Kids Games collect no personal data.
• Minimal Analytics: Any data collected, like location or purchase history, are anonymous and tracked for internal purposes.

Across these 20 apps, privacy practices vary widely. While some apps protect children’s data, many collect more than necessary, often without clear consent.

One pattern clearly emerges — how an app earns money often influences how much data it collects.

Pricing Model = Risk Model?

When it comes to children’s data privacy, how an app makes money may be just as important as what data it collects. Our analysis suggests that applications featuring subscriptions or in-app purchases (IAPs) are more likely to be high-risk compared to apps with a pricing strategy based on one-time payments.

Could this business model be driving these apps to collect and share more data?

The results show a clear trend.

Subscription-based apps are the most privacy-invasive. Of the 20 apps analyzed with this pricing model, 25% were rated high-risk, and none fell into the low-risk category — suggesting that recurring revenue models may drive aggressive data collection for engagement or marketing purposes.

Freemium apps with in-app purchases (IAPs) tended to score more highly than subscription-based apps, with only 5% rated as high-risk and 10% rated medium. While none of the free apps we tested ranked as high-risk, 25% landed in medium-risk, and just 5% qualified as low-risk.

In contrast, paid apps (one-time purchase model) were the safest. With 15% rated low-risk and none as high-risk, this model appears to protect children’s privacy.

In short, we can say that how an app makes money is a strong indicator of how much it may compromise your child’s privacy.

Does the Platform Make a Difference?

During our research, we found that pricing isn’t the only variable that matters, but the platform itself — Apple or Android — also plays a critical role in how children’s data is collected and handled.

Data collection and sharing practices of the same app differs based on where it’s downloaded.

iOS vs Android: A Comparison

Our analysis across both Apple and Google revealed that personal data collection is common on both platforms.

Apps on Apple collected personal identity information — like name, email, precise location, address, and user IDs — in 60% of the cases, and Google followed closely with 55%.

When compared to Google, Apple generally offers more transparency regarding privacy policies — requiring developers to clearly state whether data is used for tracking, advertising, or internal analytics.

Which Apps Actually Share Data?

After understanding the data collection practices, our analysis focused on what each platform admits in its privacy disclosures.

Some apps clearly state they share data for advertising or marketing, while others claim not to share anything at all. And then there are those with inconsistent, often confusing data sharing practices between both Apple and Google.

While some apps clearly disclose data sharing, others offer vague or inconsistent information on both Apple and Google. This inconsistency makes it difficult for parents to make informed choices, even with the presence of privacy labels.

These inconsistencies raise serious questions: Is your child’s data truly safe — or merely selectively reported?

Case Studies: When Violations Go Public

Privacy risks related to children aren’t theoretical. Major tech platforms and app makers have been fined for collecting kids’ data without consent, using deceptive practices, and failing to protect sensitive data.

The following graphic highlights patterns of misuse and the consequences when these companies are caught violating the rules.

How Parents Can Protect Their Kids

Our study shows that the apps on your child’s tablet may look like harmless learning tools, but many double as silent data mining factories.

So what can you do as a parent, right now?

Before Downloading:

• Check privacy labels on app stores.
• Read independent reviews (e.g., Common Sense Media).
• Avoid subscription-based apps with vague policies and age gates like “Are you over 13?”
• Support stronger enforcement of children’s privacy laws.
• Push schools to vet EdTech tools more thoroughly.
• Opt for safer apps like:

• Monkey Preschool Lunchbox (paid, no data collection).
• PBS Kids Games (free, strong protections).

Until regulators are able to rein in these data mining practices, parents, schools, and watchdogs must act as the first firewall against apps that quietly exploit children’s data for profit.