Tiny Lab Responds
In our work looking at COPPA violations, one company really stood out: Tiny Lab Productions. They currently have 98 games available in the Play Store. Most of these games are in Google’s Designed for Families (DFF) program, which means that the developer is specifically marketing their apps to children under 13. We cited them in the paper as a particularly egregious example because their children’s apps were collecting location data, persistent identifiers, and even email addresses, and then sharing them with a multitude of advertisers and tracking companies.
Based on the popular media coverage of the paper, Tiny Lab decided to issue a press release (I’ve made a copy here). In it, they claim that they are not violating COPPA because they use an age gate to provide COPPA-compliant treatment for those who report their ages as being under 13. They go even farther and claim that if an age below 13 is entered, no personal information is collected at all. (As to what happens when an age of 13 or older is entered, they make no attempts to rebut any of our claims about the types of personal data collected and with whom it is shared.)
This press release is incorrect and misleading for two reasons:
- It is simply false to claim that when a user enters an age below 13, no personal information is collected.
- Their use of age gating violates the FTC’s guidelines, and therefore may be violating COPPA.
Update: The New Mexico Attorney General has now filed suit against Tiny Lab and several adtech companies over the issues outlined in this post.
Information Collected from Children
Tiny Lab’s first claim is that through their use of age gating, when a user reports an age below 13, no personal information is collected by the app:
1. COPPA is the regulation that forbids to collect any personal data from children under 13 years old without parental consent and permission. And we do not do that – we have an age gate to determine the users age by asking their birth date as per FTC guidelines. If according to the entered birthdate user is under 13 none of the personal information is collected. [sic]
In our automated testing, an app is tested by simulating random UI events (e.g., swiping, taping, etc.). In Tiny Lab’s apps, our testing system was able to get past the age gate by randomly selecting an age. Thus, I was able to find two examples of Tiny Lab’s apps being tested while specifying ages below 13:
- Ambulance Kid Driving Game, version 3.39 (released: May 17, 2018)
- Age entered during testing was 12
- Tiny Lab collects the AAID without using TLS encryption.
- Both the Android ID and Android Advertising ID (AAID) were shared with Chartboost.
- The AAID is shared with Google Analytics, also without using TLS.
- The email address is collected by Tiny Lab (though hosted on a Google server [appspot.com]).
- Paradise Island Summer Fun Run, version 3.36 (released: May 2, 2018)
- Age entered during testing was 12
- The user’s AAID is sent to many third party advertisers, often without using TLS encryption.
- The user’s email address is collected by Tiny Lab.
Thus, it is simply incorrect to claim that no personal information is collected from users who claim to be under 13.
Background on Age Gating
All of Tiny Lab’s games that we tested use an age gate to determine whether or not a user is under 13. If the user reports that he/she is under 13, the app will perform less invasive advertising (note that this does not completely prevent personal data from being shared with third parties, as shown above). The FTC allows age screening to be used when a website or app is directed at a general audience (i.e., not specifically targeted at children), but not if it is primarily directed to children:
2. I run a child-directed app. I would like to screen users so that I only have to get parental consent from children under age 13, not from everyone who uses the app. May I?
It depends. Because of its very nature, in most instances, a website or online service (such as an app) directed to children must treat all visitors as children and provide COPPA’s protections to every such visitor. This means that for the most part, a website or online service directed to children may not screen users for age.
However, the amended Rule provides for a narrow exception for a site or service that may be directed to children under the criteria set forth in FAQ D.1 above, but that does not target children as its primary audience [emphasis added]. For instance, a child-directed site may target children under age 13, as well as parents or younger teens. An operator of a site or service meeting this standard may age-screen its users if it: (1) does not collect personal information from any visitor prior to collecting age information, and (2) prevents the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13 without first complying with the amended Rule’s notice and parental consent provisions. See 16 C.F.R. § 312.2 (definition of “Web site or online service directed to children,” paragraph (3)). Importantly, as an operator of a website or online service directed to children, you may not block children from participating in the website or online service (see FAQ D.4 below).
So if the website or service is not primarily directed to children, then an age gate can be used, but only if that age gate does not encourage users to lie about their ages:
If you choose to block children under 13 on your general audience site or service, you should take care to design your age screen in a manner that does not encourage children to falsify their ages to gain access to your site or service. Ask age information in a neutral manner at the point at which you invite visitors to provide personal information or to create a user ID.
That is, a neutral age gate may be used to screen out—or provide separate treatment for (e.g., disabling behavioral advertising)—those under 13, but again, only if the service is not primarily directed to children.
Tiny Lab’s Selective Quoting
In claiming that it is acceptable for them to use age gating, Tiny Lab quotes from the FTC’s guidance:
That is not only the industry standard but also recommended by FTC in their COPPA FAQ which provides a provision in section D2 that reads:
<..>For instance, a child-directed site may target children under age 13, as well as parents or younger teens. An operator of a site or service meeting this standard may age-screen its users if it: (1) does not collect personal information from any visitor prior to collecting age information, and (2) prevents the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13 without first complying with the amended Rule’s notice and parental consent provisions<..>
The original FTC guidance can be found here. You will note, though, that in their quotation, Tiny Lab decided to omit the immediate preceding sentence:
However, the amended Rule provides for a narrow exception for a site or service that may be directed to children under the criteria set forth in FAQ D.1 above, but that does not target children as its primary audience [emphasis added].
Taken in full, yes, Tiny Lab is allowed to age gate their users, providing COPPA-compliant treatment to only those under 13, if their apps are not primarily directed to children. So the question is, are Tiny Lab’s apps primarily directed at children? Here is a screenshot from their website (red highlighting is mine):
To summarize, Tiny Lab appears to be claiming that while their game’s “levels are designed specifically for children” and “children love it,” they are allowed to screen users with an age gate, performing invasive tracking without informed consent on all those who report ages of 13 or older, because this game isn’t directed primarily at children.
Neutral Age Gating
Even if Tiny Lab were allowed to use an age gate, it would still violate the very guidance that Tiny Lab disingenuously claims to be following. Recall that the FTC requires that age gates be “neutral.” The FTC defines this as not “encouraging children to falsify their age information.” Here is a screenshot of the age gate that Tiny Lab uses (this design has more or less been used since January 2017):
Entering an age of 17 or 18 requires exactly two taps (i.e., pressing either the left or right arrow, followed by “OK”), whereas entering an age below 13 requires at least seven taps. That is, it takes 3.5x as much effort to report an age that will trigger COPPA protections.
In our automated testing, which used random taps and swipes on the screen (similar to how a very young child may interact with a device), it is no wonder why 17 and 18 were the most frequently selected ages: they were selected 57% of the time, across 820 tests. In fact, ages below 13 were only randomly selected twice, which means that there’s a 99.8% chance of randomly selecting an age over 13 by randomly tapping on the device. Thus, this is not a neutral age gate because this design is likely to result in young children misreporting their ages, and therefore subjected to invasive data collection procedures without parental consent.
Thus, Tiny Lab’s press release is simply wrong:
- They collect personal information, even if you report your age as being below 13.
- The FTC guidance prohibits them from performing invasive tracking on their users without informed consent, because their games are primarily directed to children.
- Even if they were allowed to use an age gate to limit tracking to some users, the specific design that they are using violates the FTC’s guidance because it is not neutral: it makes it harder to enter ages below 13, and therefore increases the likelihood that children will lie about their ages.