We’re in an era where parents like me have grown up with smartphones. My parents, as much as I loved them, were what we would refer to as ‘technologically challenged’. I often had to help them navigate the digital world, teaching them how to spot phishing emails or PayPal scams.
Now, as a parent myself, I find the roles reversed. It’s my job to protect my kids not just from the dangers of the physical world, but from the mobile app privacy risks for kids. Most kids don’t think about things like data collection, online tracking, predatory advertising or excessive permissions. They just want to play games, chat with friends and have fun. That’s why it’s up to us as parents and guardians to stay vigilant about children’s mobile app security and privacy.
What Data Are Apps Really Collecting?
Both the Apple App Store and Google Play Store require developers to disclose the kinds of data their apps collect. These Privacy Nutrition Labels and Data Safety Labels are meant to provide transparency about data collection practices and can give parents better insight about mobile app privacy for children.
For apps designed for kids, the rules are supposed to be stricter. According to the Google Play Families Policy and Apple App Review guidelines, apps that target children aren’t supposed to collect device-specific or user-specific data. These requirements are reinforced by digital privacy laws such as Children’s Online Privacy Protection Act (COPPA) in the United States and the General Data Protection Regulation (GDPR) in Europe.
But in reality, it’s not always that simple. Take Roblox, one of the most popular kids apps in the world. Roblox collects a range of data, including voice recordings, personal information and location data. Roblox claims to serve a general audience, not just kids. This technicality lets the app sidestep some of the stricter rules around COPPA compliance, even though children make up a large part of its user base.
The Florida Attorney General recently subpoenaed Roblox as part of an investigation into how the platform protects children from online exploitation. The subpoena aimed at strengthening digital safeguards for minors includes documents related to Roblox’ data collection and processing practices.
Can We Trust App Store Privacy Labels?
Both the Google Play Store and the Apple App Store provide insight into what data an app collects, how it’s used, and who it’s shared with. But here’s the catch: these labels often don’t tell the whole story about kids app data collection.
Most developers only disclose the data their own app collects, not the data collected by third-party components. These third-party libraries, also called Software Development Kits (SDKs) or dependencies, are often used for analytics, in-app advertising or extra features and save time for developers. Unfortunately, many developers don’t fully understand how these SDKs handle data, which creates serious privacy risks in kids apps.
One of the largest mobile data breaches in history offers a perfect example of this. In early 2025, Gravy Analytics suffered a massive breach, exposing tens of millions of user records on the dark web. Thousands of apps were affected, including some of the most popular apps available such as Tinder and Candy Crush. Many of the app developers had no idea they were even connected to Gravy Analytics — they were simply using a third-party ad library to monetize their apps. But behind the scenes, this advertising SDK collected mobile app telemetry and personal data.
Today, some of the same ad libraries are still present in kids’ apps. In fact, one of the most popular ad libraries recently removed COPPA compliance from its Android library, but dozens of childrens’ apps still use it today. That’s why parents should be cautious when reviewing app store declarations and be wary of hidden third-party data sharing.
Shedding Light on Mobile Privacy Risks
To gauge the accuracy of the Data Safety labels, I decided to run a real-world test by examining app traffic. What I found was troubling to say the least.
I downloaded a kids app that explicitly claimed it did not collect ANY data and did not share data with third parties as shown below.
But when I analyzed the network traffic, I found something concerning: every 30 seconds, the app sent an encrypted message containing 7,448 characters to the developer’s server.
That’s a lot of information for an app that supposedly collects nothing. What’s being transmitted? Why is it encrypted? We can’t say for sure, but we know that data is being decrypted on the developer end and used for something.
This kind of hidden mobile data collection highlights why parents need to be vigilant about mobile app privacy for children. As we’ve seen, not all apps adhere to their data collection statements and privacy policies.
What About Roblox?
To compare, I ran the same analysis on the hit game Roblox. The Roblox app listing states it collects personal information, approximate location and in-app purchase data. When I created an account as a minor, I saw some differences. The network traffic was mostly limited to session-related data app telemetry, currency status and inventory updates. Based on this behavior, we see Roblox has taken some measures to attempt to safeguard kids’ app privacy.
In July, Roblox introduced new safety measures for teens, including AI-powered age estimation technology and monitored Trusted Connections conversations to better protect young users on the platform.
How Parents Can Protect Their Kids from Mobile Privacy Risks
1. Enable Parental Controls
Parental controls let you filter content, block inappropriate apps and restrict downloads.
2. Check App Permissions
Every function on a phone, from the camera to location services, requires permission. Apps should only request permissions to access functionalities that are absolutely necessary for the app to work properly. For example, a simple Sudoku puzzle game shouldn’t ask for precise location or access to record audio.
Here are permissions I always block for kids’ apps:
- Camera access
- Microphone access
- Contacts access
- Precise location*
*Apps in the ‘Kids’ section of the Play Store are prohibited from collecting this data
3. Be Wary of “Free” Apps
The app stores are inundated with kids game apps that look free, but drive revenue through ads, microtransactions or subscriptions. ‘in-app purchases’. Some apps even attempt to lock the user into a monthly/yearly subscription. Consider paying upfront for paid apps to avoid these deceptive in-app purchase practices.
4. Watch for Deceptive Ads
Many apps are stuffed with deceptive ads disguised as games. These ads often trick kids into playing, then redirect them to the app store. Sometimes the ‘close’ button is hidden or too small to spot. For example, this ad for the Township game popped up on the screen without any warning, making it almost feel like it was a part of the original game. The option to exit the ad was crammed in the corner, almost impossible to see. Once you finally see it and tap it, the app store pops with the option to install the game!
5. Consider Subscription Services Like Apple Arcade
In my home, I’ve encouraged my young kids to use Apple Arcade because it offers ad-free games with no in-app purchases. On Android, the Google Play Kids tab offers some safer options as well as paid apps, though parents should still vet each app carefully.
6. Avoid Social Features in Kids Apps
Social apps for children are risky due to predatory behavior and online safety risks. Apps like Roblox or older platforms like Club Penguin include chat features that can expose kids to strangers. In my house, apps with social limits are strictly off limits until my children are old enough to understand the potential dangers.
The Bottom Line: Protecting Kids’ Privacy Is Up to Us
Our kids are some of the most vulnerable users in the digital world. They depend on us to protect their privacy, safety, and online security. That means going beyond trusting app store labels, questioning what apps are really doing behind the scene and refusing to accept shady data practices as normal.
We must continue to push for stronger mobile app privacy protections for children and demand stricter enforcement of the policies that already exist. When it comes to kids apps and data collection, you can never be too careful.
On the workplace front, whether you’re a developer, security professional, privacy specialist or enterprise mobility manager, NowSecure solutions detect hidden data leaks, risky SDKs, excessive permissions, privacy issues and compliance gaps, including violations of COPPA, HIPAA and GDPR regulations.
In a world where even “safe” kids apps can secretly collect data, NowSecure gives you the tools to assess the apps you build and vet the third-party apps you use thoroughly and act with confidence. Contact NowSecure to explore how we can help protect your mobile application’s privacy posture.
