Of the 5,855 total apps included in the study, 281 of them collected contact or location data without asking for a parent's permission. Needless to say, those are red flags for any app targeted at kids. A further 1,100 shared persistent identifying info with third parties for restricted purposes, while 2,281 of them seemed to violate Google terms of service forbidding apps from sharing those identifiers to the same destination as the Android Advertising ID (which gives you control over tracking). About 40 percent of apps transmitted info without using "reasonable security measures," and nearly all (92 percent) of the 1,280 apps with Facebook tie-ins weren't properly using the social network's code flags to limit under-13 use (though they may not have realized they were using this info for law-breaking purposes).
The researchers are adamant that they're not showing "definitive legal liability." These apps may be running afoul of the law, but it's up to regulators at the FTC to decide if they are. Without iOS data, it's also unclear how common this problem is across platforms. We've asked Google for comment on the findings as well.
Whatever the response, the findings illustrate the challenges that Google and officials face in enforcing COPPA and similar child-focused privacy laws. It's not as simple as performing an age check or asking for parents' permission. There's a whole range of data sharing concerns that have to be addressed, and developers may not be fully aware of these -- especially for apps where kids aren't the sole focus. Likewise, it can be difficult for app store operators like Google to manually inspect apps when there are thousands added per day (over 2,700 per day as of March 2018, according to AppBrain). The automated tool behind the study could go a long way toward addressing that, but it might still require checking apps by hand before removing them or involving the law.