A bold warning about kids’ privacy in APAC mobile apps revealed a troubling gap in protections, with 1,248 APAC-registered apps across Google Play and Apple App Store likely breaching COPPA and exposing over 117 million child app users in the United States to privacy risks.
Pixalate’s Q3 2025 analysis examined 23,097 apps deemed likely child-directed under their COPPA methodology. Of these, 7,524 were registered in the APAC region, highlighting widespread gaps in disclosures, policy presence, and data handling practices that could endanger young users.
Key takeaways for beginners
- Privacy disclosures are often insufficient. Among the 1,248 apps likely in violation, 962 (77%) provided inadequate information about what data is collected, how it’s processed, or how it’s used.
- Many apps lack privacy policies. 78 APAC-registered, likely child-directed apps did not have a detectable privacy policy, and 72 of these (92%) unlawfully transmitted users’ IP addresses in advertising data streams.
- Data-sharing practices are prevalent. A striking 1,198 (96%) of COPPA-violating APAC apps shared U.S. users’ Device IDs in ad bid streams, raising concerns about how children’s data is repurposed for advertising.
- Scope and impact. The 1,248 APAC-registered, COPPA-risk apps collectively account for over 117 million lifetime app users, the majority of whom are likely children, underscoring potential widespread exposure to privacy risks.
- Advertising networks and integrations. Google Ad Exchange appeared in the app-ads.txt files of 558 (45%) of the covered apps identified as non-compliant, signaling limited visibility and control over ad traffic for children’s data.
Understanding COPPA and what constitutes children’s personal information
COPPA restricts the online collection of personal information from children under 13. Personal data under COPPA includes identifiers and sensitive details such as location, addresses, contact data, security numbers, persistent identifiers (like IP addresses and device identifiers), and multimedia content that contains a child’s image or voice.
Notable examples from APAC-registered non-compliant apps
- Google Play: Brain Out: Can you pass it? (India) with 12.5 million lifetime US users.
- Google Play: SAKURA School Simulator (Japan) with 7.5 million lifetime US users.
- Google Play: Megapolis: City Building Sim (Hong Kong) with 7 million lifetime US users.
- Apple App Store: Coloring Book - Color by Number (Hong Kong) with 564.8K lifetime US users.
- Apple App Store: Paint.ly: Color by Number (Hong Kong) with 454K lifetime US users.
Why this matters—and what to watch for next
- If apps fail to clearly disclose data practices or omit privacy policies, families may remain unaware of how children’s data is collected and used in ads and analytics.
- The prevalence of device and IP identifiers in ad streams suggests that children’s online activity could be tracked across sites and apps, potentially enabling profiling and personalized advertising without adequate consent.
- Industry observers should ask whether existing app developers, platforms, and regulators have sufficient oversight to enforce COPPA and similar privacy protections for minors in the APAC region, where the market continues to expand rapidly.
Controversial angles and questions for discussion
- Should COPPA extend to prohibit certain types of data sharing in kids’ apps unless explicit, parental consent is obtained for each data category? What trade-offs would this create for developers and ad-supported apps?
- Is it reasonable to expect platform-level enforcement on app-ads.txt implementations when app owners themselves may not be fully aware of their data flows?
- How can parents, educators, and regulators collaborate to improve visibility into which apps are collecting data from children and how that data is used in advertising networks?
If you have thoughts on how COPPA protections could be strengthened or questions about how these findings affect families, share your perspective in the comments.
