The Berkley Laboratory for Usable and Experimental Security (BLUES) took a look at Android apps and how well, if at all, they comply with the Children's Online Privacy Protection Act (COPPA). The findings were not encouraging.
COPPA is federal law, in effect since 2000. It lays out what policies a website operator must have in place when dealing with under-13 users, including how much data it can collect, how long it can keep it, and when a parent has to give permission. COPPA was spruced up a bit in 2012 and now, for instance, operators cannot extort child info as a precondition of continuing to use the site, and operators can only retain personal info for as long as necessary to fulfill the purpose for which it was collected (which seems -- well, that 's not really much restraint if the info was collected for naughty purposes, is it). The FTC is responsible for enforcing COPPA.
Any app marketed to children, or one whose operators know that lots of children use the app, must follow COPPA.
BLUES looked at Android apps that were directly aimed at children (listed in the Designed For Families" category in Google Play's store, a designation that developers choose for themselves. They can't choose that category until they indicate that they have privacy protections in place and that no "behavioral advertising" is aimed at children. In other words, no app owner can pretend that they had no idea what they were getting into or what the rules were. BLUES explains this process at even greater length here, an important point since several app companies responded to the findings by claiming they weren't subject to COPPA.
BLUES found that many were in violation because of their use of third-party software development kits (SDK). The research found that 19% of children's apps collected identifiers or other personally identifiable information. Many of these apps share children's information with advertisers, and though Google has tried to arrange things so that the information is not "persistent" (it just keeps changing so it can't be tracked to a particular child) 66% of the apps also transmitted other identifiers that were persistent, rendering Google's fix not a fix at all.
Much of the report is pretty technical, but the bottom line is clear enough-- despite federal law and federal law enforcement, a giant heaping ton of children are not having their privacy protected.
And this is in the world of phone apps. What sort of protection do you suppose is being given to the privacy of the students who use software in school.