Developers Say the Darnedest Things: Privacy Compliance Processes Followed by Developers of Child-Directed Apps

Authors: Noura Alomar (University of California, Berkeley), Serge Egelman (University of California, Berkeley and International Computer Science Institute)

Volume: 2022
Issue: 4
Pages: 250–273
DOI: https://doi.org/10.56553/popets-2022-0108

Download PDF

Abstract: We investigate the privacy compliance processes followed by developers of child-directed mobile apps. While children’s online privacy laws have existed for decades in the US, prior research found relatively low rates of compliance. Yet, little is known about how compliance issues come to exist and how compliance processes can be improved to address them. Our results, based on surveys (n = 127) and interviews (n = 27), suggest that most developers rely on app markets to identify privacy issues, they lack complete understandings of the third-party SDKs they integrate, and they find it challenging to ensure that these SDKs are kept upto-date and privacy-related options are configured correctly. As a result, we find that well-resourced app developers outsource most compliance decisions to auditing services, and that smaller developers follow “best-effort” models, by assuming that their apps are compliant so long as they have not been rejected by app markets. We highlight the need for usable tools that help developers identify and fix mobile app privacy issues.

Keywords: Privacy compliance, Software developers, Children privacy, Google Play, SDKs

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs license.