The FTC reviewed the promotional pages for 400 apps aimed at kids and found that fewer than 2 percent disclosed what personal information is collected or how it is used. The commission noted that smartphone apps can collect personal data from the device automatically, including the user's location, phone number, list of contacts and call logs, and share that with others.
The review [PDF] did not delve into what information apps actually are collecting from children, but the FTC is looking into that and plans to release its findings within the next four months.
"Parents should be able to learn before they download apps what information will be used and how it's shared," said Patricia Poss, one of the FTC report authors.
As part of its review, the FTC fined a California company on accusations of violating the Children's Online Privacy Protection Act, which outlaws the collection of data from children younger than 13 without parental approval. By law, companies must explain what information is being collected and how it is used. The California company, W3 Innovations LLC, was fined $50,000 for collecting e-mail addresses and other information from tens of thousands of children without parental consent. It was the FTC's first mobile app case.
Privacy concerns have been growing since news surfaced in February that apps for Facebook, Twitter and others accessed – and sometimes copied – entire address books without permission.
Some privacy experts say the problem stems from the unprecedented growth of the mobile app market, not from malicious intent.
"The majority of the issues raised by the FTC and other interested parties are mostly attributable to the speed of the growth of this market," said Ed Lewis, CEO of Media Chaperone, which develops software for Disney and other companies to help manage content permissions and privacy settings.
Jules Polonetsky of the Future of Privacy Forum think tank says the majority of apps collect limited personal information. Many don't ask for a user's name or e-mail, he said, but track usage in a way that helps target advertising and keeps the app free.
"We don't yet have rogue apps doing evil things to kids," Polonetsky said. "But the issue is we have a law, and the law says you can't collect information from a kid without their parents providing express permission."
Jake Ward, spokesman for the Application Developers Alliance trade association, says part of the challenge is the diverse and fragmented nature of the industry.
"It's problematic to assume that app developers can be coders and privacy lawyers and CEOs all at the same time," Ward said.
Ward added that the industry has been "incredibly quick to respond and fix mistakes when the question of privacy has arisen."
Apps aimed at children feature everything from alphabet games and nursery rhymes to storybooks and animal puzzles. The danger usually lies in the eyes of the beholder. Some parents don't want to expose their children to advertisements embedded in apps, because research has shown children are less savvy at discerning the difference between content and advertising. Other parents might not be concerned about targeted ads, but draw the line at apps that track a child's location.
Some apps collect and use children's data for a positive purpose, said Alan Simpson, vice president of policy at Common Sense Media, a San Francisco public interest group. Simpson points to an app that teaches algebra, tracking responses to earlier problems to best tailor instruction in a challenging way.
"What makes a lot of parents uncomfortable," he said, "is when they are not informed about the collection and use of data."
To help address the concerns, the FTC recommended that app makers create parental permissions and privacy settings for apps accessed by children and that app stores create a system to display permissions and privacy settings clearly.
In California, the process is already in the works. A recent agreement between Attorney General Kamala Harris and major app stores requires them to create a system for apps to share privacy practices with users in simple ways.
That is a step in the right direction, says Jim Brock, founder of PrivacyChoice, a tool that helps developers write privacy policies.
"Most developers are scared of privacy policies. They're scared it's going to take time and cost money," Brock said. "We're going to need more proactive attention from the app marketplace if there is any hope of bringing up privacy standards among the developer community."
Various groups already are working toward reaching the goals. The Application Developers Alliance and Future of Privacy Forum, for example, will be hosting a privacy summit at Stanford University on April 25 to examine privacy challenges the app ecosystem faces.
View this story on California Watch
Story courtesy of our media partners at California Watch (A Project of the Center for Investigative Reporting)