Google accused of urging Android devs to mislabel apps to get forbidden kids ad data

Google on Thursday was sued for violating children's privacy through a program it designed to protect children's privacy.

The complaint [PDF], filed in a US federal court in San Jose, California, contends that Google and its AdMob mobile advertising business deceived parents and children, and violated the law, by collecting kids' personal information from apps in its Designed for Families (DFF) program.

Google launched DFF in 2015 to "help parents discover great, age-appropriate content and make more informed choices." Developers participating in the program had to confirm that their apps "comply with applicable legal obligations relating to advertising to children," and that any ads displayed don't involve interest-based advertising or remarketing, and present appropriate content.

The program was put in place about a year after Google was sued for allegedly enticing minors to make unauthorized in-app purchases of virtual game assets.

That's one among many privacy lawsuits Google has faced over the past decade or so: as the complaint puts it, "Google’s surveillance practices have led to a litany of fines and settlements with private parties and governmental entities and regulators." The court filing goes on to cite 15 privacy violation settlements amounting to roughly $1 billion between 2011 and 2023 with government regulators in various countries and private litigants.

In 2018, a UC Berkeley International Institute of Computer Science study found that a majority of some 5,800 Android apps violated COPPA through third-party SDKs that collected personal data from kids.

In February 2019, Georgetown’s Institute for Public Representation (IPR), on behalf of 20 consumer groups, urged the US Federal Trade Commission to investigate Google for alleged misrepresentations to parents and kids about the safety of Google Play apps identified as being kid-friendly.

By September 2019, the FTC announced a $170 million settlement with Google and YouTube for allegedly violating the Children's Online Privacy Protection Act (COPPA) Rule, the watchdog's implementation of the 1998 law by that name. The rule requires online service providers to limit information gathered from children under the age of 13 and to obtain consent from parents.

Two years later, Hector Balderas, New Mexico Attorney General at the time, announced a settlement ($5 million, according to the California complaint) of two more cases against Google alleging violations of COPPA and state consumer protection laws.

The New Mexico announcement says that Google "will take a much more active role in policing app developers that mislabel their child-directed apps in an effort to make more money from targeted advertising and user profiling" and "will also enact a number of reforms, including a requirement that apps implement age screening measures to ensure that these apps do not collect information from children under the age of 13, and increasing parents" visibility into what information apps are collecting from their children."

It's the mislabeling of child-directed apps that the California lawsuit specifically cites as a problem.

• Privacy Sandbox, Google's answer to third-party cookies, promised within months
• Google searchers from years past can get paid for pilfered privacy
• Google agrees to $400m settlement in privacy lawsuit
• The first step to data privacy is admitting you have a problem, Google

While COPPA limits data collection for children under 13, Google's DFF program allowed different categorization schemes, including "intended primarily for children" and "mixed audience."

The lawsuit argues that Google, eager to tap the lucrative children's advertising market, encouraged developers to make DFF apps and label them for everyone, knowing children would use the apps without the data limiting privacy controls in apps marked specifically for children.

"If an app developer categorized an app as 'intended primarily for children,' Google would not permit the app to exfiltrate the data of the app’s users and show behavioral advertising to those users, the most lucrative type of advertising for both Defendants and app developers," the complaint says.

"But, if an app developer categorized an app as 'mixed-audience' or 'not primarily intended for children,' Google allowed the app – via the SDKs integrated into the app – to exfiltrate the data of all of the users of the app and show the users behavioral advertising."

If an app developer categorized an app as 'mixed-audience' or 'not primarily intended for children,' Google allowed the app ... to exfiltrate the data

The complaint says that both Google and app developers creating DFF apps stood to gain by not applying the strict "intended for children" label. And it claims that Google incentivized this mislabeling by promising developers more advertising revenue for mixed-audience apps.

"[W]hile Google implemented strict guidelines and standards for the DFF program, and publicly represented that DFF Apps complied with COPPA and other applicable laws regarding data collection and interest-based advertising, Defendants were surreptitiously exfiltrating the personal information of the children under the age of 13 playing those Android App games (the very children the games were designed for) in violation of COPPA and privacy protections of children," the lawsuit contends.

As a result of the New Mexico AG's settlement in December 2021, Google made changes to its developer policy intended to prevent the mislabeling of apps intended for children.

The complaint was filed on behalf of six minors and their adult guardians in California, Florida, and New York, with the hope it will be certified as a class action. It makes claims under various state privacy and consumer protection laws.

Google did not immediately respond to a request for comment. ®