Ad verification firm Pixalate has released a new report raising alarms about children’s data privacy on mobile apps.
The Q1 2025 State of Children’s Privacy on Mobile Apps Report, published as part of Pixalate’s ongoing COPPA Violation Risks series, identified 286 US-registered, ad-supported apps in Google Play and Apple’s App Stores that are likely violating the Children’s Online Privacy Protection Act (COPPA).
According to Pixalate, every one of the flagged apps shared personal information with advertisers via the programmatic bid stream, potentially without the disclosures or safeguards required by COPPA. Pixalate analyzed roughly 22,000 likely child-directed apps with ads in Q1 2025, narrowing their findings to over 1,600 apps, of which the 286 in question (17%) were deemed the highest risk.
Pixalate considered an app “high risk” and likely non-compliant with COPPA if it was missing a detectable privacy policy or if the existing policy didn’t meet key requirements set by the FTC. The report’s findings are based on Pixalate’s own store-crawling and detection technologies, plus human review. (You can see more method details at the end of the report.)
Why This Matters:
COPPA enforcement is heating up. Just last month, the FTC issued its first major update to the Children’s Online Privacy Protection Act since 2013. The revised rule broadens the definition of personally identifiable information (PII), mandates verifiable parental consent before sharing children’s data with third parties like advertisers, and adds stricter requirements around data retention and privacy policy transparency. The rule goes into effect June 23, with full compliance required by April 2026.
For advertisers, that means heightened scrutiny—not just of their own practices, but of every partner in their supply chain. App developers and ad tech vendors alike will need to closely monitor the inventory they transact with and monetize. Pixalate’s findings paint a troubling picture for the broader ad industry—and for platforms like Google and Apple that host and profit from this inventory.
Experts React:
Here’s what the IAB previously said about COPPA, though from a few years ago:
“As lawmakers look to strengthen the laws that protect children’s data and consider creating additional rules that extend protections to minors 13 years old and above, companies should reevaluate their approach to children’s data.”
The IAB goes on to say that “any company that touches data, content, or advertising to children must uphold its obligations for COPPA compliance,” and makes it clear that this responsibility lies with the entire ad supply chain.
Our Take:
The Pixalate data isn’t encouraging. That said, with new COPPA rules about to take effect, this report is unlikely to trigger fresh regulatory action. Instead, expect regulators and industry leaders to point to the updated rules as a step toward improving compliance—at least in theory.
Unsurprisingly, the apps in question are sort of what you would expect. Think low-quality, casual puzzle games and pixel art apps. Mobile MFA apps, and also, possibly, illegal.
