Risky Business: A New Study Assessing Teen Privacy in Mobile Apps

Oct 29, 2020 by BBB National Programs

 

Teen Privacy and Mobile Security 

 

Data privacy policymaking has traditionally focused on creating privacy protections for the general population or for children under age 13. Teenagers, as a standalone population, have been consistently absent from these policy discussions. At best they are lumped in with children under 13 in the context of expanding the scope of the Children's Online Privacy Protection Act (“COPPA”)

The recent advent of BBB National Programs’ TeenAge Privacy Program (TAPP) comes at the end of a year where policymakers have continued that trend, offering new legislation that will cover teenagers under an expanded COPPA umbrella. 

Good intentions back these efforts. Teens are more at risk online than ever, and with 83% of mobile device users aged 13-17 downloading a new app at least once a month, that risk increases twelvefold. Research shows that teens are not unaware of their plight: 72% of teens also believe tech companies manipulate users to spend more time on devices. What teens may not be aware of is the ecosystem of data collection and monetization that goes on behind the scenes of mobile apps. 

TAPP’s new whitepaper, Risky Business: The Current State of Teen Privacy in the Android App Marketplace, examines how teens put themselves at risk when they engage with mobile apps. 

53,000 apps with 20 million or more installations were analyzed, later divided into apps directed to a general audience and those targeted to teens. The teen dataset of 1,322 apps was further narrowed using general knowledge of teen trends in addition to established content rating systems, industry marketing standards, and the parameters used by the FTC to assess child-directed material under COPPA. After adjusting for technical errors, the teen dataset yielded 1,144 apps. 

By comparing the teen dataset to the remaining broad general dataset, comprised of various apps from each category of the Google Play Store, TAPP gained insight into a microcosm of the mobile app ecosystem that teens are immersed in. 

After analyzing the teen dataset through multiple lenses, the whitepaper strongly supports the finding that teen apps have a greater attack surface for privacy risk due to a higher number of permission requests and trackers that could expose personal information. 

Teen apps contained medians of:

  • 11 permissions per app
  • 6 dangerous permissions per app
  • 10 trackers per app


Google defines dangerous permissions as “permissions that could potentially affect the user's privacy.” When a user grants permission for an app to access their data, the trackers embedded in the app can collect different types of data about that user. That data can be combined to create a full profile of individual users down to where they live and work, what they look and sound like, who their friends and family are, and their daily habits and routines. 

Considering that the trackers TAPP observed most frequently in the teen dataset appeared to be controlled by Google and Facebook, teens are leaving precariously little to the imagination about their lives to these companies. 

Greater opportunities for data collection and tracking aren’t the only risk the whitepaper revealed: teen apps showed greater monetization patterns than general apps across the board.

  • 82% of teen apps in the dataset were ad-supported compared to only 52% of general apps. 


When comparing gaming apps in each dataset, the monetization divide gets even more striking: 

  • 12.6 times as many game apps in the teen dataset had in-app purchases as opposed to those that didn’t, while only 4 times as many game apps in the general dataset did.


The implications of these findings are more far-reaching than the four corners of a teen’s cell phone. In the real-world teens aren’t given full autonomy, so why are they able to unknowingly invite hundreds of companies into the most private aspects of their and their loved ones’ lives? It is for this reason that TAPP was created: to partner with companies and ensure they are collecting data responsibly in an environment where teens have been left (quite literally) to their own devices. 

Read the full whitepaper or contact us at TAPP@bbbnp.org to learn more about TAPP or join the initiative. 

Other Blog Articles

Blog

Schrems II: What Do Privacy Shield Businesses Need to Know?

The July 16 decision from the CJEU, known as Schrems II, addressed two mechanisms for transferring EU individuals’ personal data outside the EU. As the situation continues to develop, and before making changes to their practices around international data transfers, businesses should pause to review their data flows, contracts, and substantive commitments, and their current chain of compliance and accountability for data received from the EU.
Read more
Blog

FTC Stats On NAD Referrals

Brands have been challenging the truthfulness of competing advertising campaigns for nearly 50 years at the Better Business Bureau’s National Advertising Division, a voluntary self-regulatory system put in place by the advertising industry to increase consumer trust in advertising.
Read more
Blog

Champions for Truth in Advertising

Today, the National Advertising Division (NAD) continues to carry the torch for truth-in-advertising. As the advertising landscape has evolved over the last 50 years, NAD has continued to adapt to new products, new industries, and new advertising media. Laura Brett, Vice President of NAD, and New York Office Lead for BBB National Programs discusses truth-in-advertising trends, hot topics, and issues that lie ahead.
Read more
Blog

Status Update on Transatlantic Data Transfers: Building Bridges Takes Time

As 2020 draws to a close it is a good time to reflect on learnings about the future of authorized transatlantic data transfer mechanisms. In light of Brexit and continuing developments surrounding Schrems II, we discuss what the structure of the current Privacy Shield Framework can teach us much about what future commercial transfer mechanisms are likely to look like, as well as what businesses can do to shore up their compliance efforts.
Read more