London, Sept. 30, 2025 (GLOBE NEWSWIRE) -- Pixalate, the leading global platform for ad fraud protection, privacy, and compliance analytics, today released its Q2 2025 report. The report exclusively examines mobile apps on the Apple App Store and Google Play Store that are registered in the U.S. and likely aimed at children under 13 (i.e., Child-Directed) but do not collect Verifiable Parental Consent (VPC), potentially violating the Children’s Online Privacy Protection Act (COPPA).
This report highlights potential privacy violation risks for app developers under COPPA, specifically concerning the collection, sale, or sharing of children’s personal information through likely Child-Directed apps without obtaining lawful VPC, as assessed by Pixalate. The Federal Trade Commission (FTC)’s COPPA Rule governs the online collection, use, and disclosure of personal information from children under 13 in the United States (U.S.). It also outlines multiple acceptable methods for obtaining a VPC.
Key Findings Raise Concerns About Children’s Data Privacy
The legal analysis, conducted by Pixalate’s legal and data science teams, examined 1,149 U.S.-registered, likely Child-Directed Google Play and Apple App Store-hosted apps with advertising capabilities:
- 99% Non-Compliance Rate: 1,136 out of 1,149 manually reviewed Google Play and Apple App Store-hosted apps failed to obtain VPC under the COPPA Rule, as assessed by Pixalate
- Apple App Store violations: 866 of 877 examined Apple iOS-hosted apps (99%) lacked lawful VPC mechanisms
- Google Play Store Violation: 270 out of 272 examined Google Play-hosted apps lacked lawful VPC mechanisms
Additional Personal Information Sharing Violations Discovered in Likely Child-Directed Apps without VPC Measures:
- 40% of the apps shared device IDs in the ad bidstream
- 42% of the apps transmitted IP addresses in the ad bidstream
- 34% disclose location information in the ad bidstream
- 31% of the apps transmitted all three types of personal information in the ad bidstream
Advertising Supply Chain Implications
The report identifies major advertising platforms facilitating monetization within these likely non-compliant apps:
- Google Ad Exchange: Listed in app-ads.txt files of 1,019 (90%) likely non-compliant apps
- Meta/Facebook: Present in 658 (58%) likely non-compliant apps
- AppLovin: Associated with 619 (54%) likely non-compliant apps
To learn more about our other recent investigation into COPPA violations, please see the report.
Top 10 U.S.-Registered Apps without VPC - Apple App Store
| Rank | App | Developer | Developer Country | VPC Detected | Lifetime App Users (US) |
| 1 | Roblox | Roblox Corporation | UNITED STATES | FALSE | 34M |
| 2 | Real Racing 3: Car Race Game | Electronic Arts Inc. | UNITED STATES | FALSE | 11M |
| 3 | The Sims™ FreePlay | Electronic Arts Inc. | UNITED STATES | FALSE | 10M |
| 4 | MONOPOLY GO! | Scopely, Inc. | UNITED STATES | FALSE | 8M |
| 5 | Golf Clash - Golfing Simulator | EA Swiss Sarl | UNITED STATES | FALSE | 5M |
| 6 | BitLife - Life Simulator | Candywriter, LLC | UNITED STATES | FALSE | 4M |
| 7 | Harry Potter: Hogwarts Mystery | Jam City, Inc. | UNITED STATES | FALSE | 3M |
| 8 | Match 3D | Lion Studios Plus LLC | UNITED STATES | FALSE | 3M |
| 9 | sendit - get it now | iconic hearts holdings, inc. | UNITED STATES | FALSE | 3M |
| 10 | Plants vs. Zombies™ | EA Swiss Sarl | UNITED STATES | FALSE | 2M |
Top 10 U.S.-Registered Apps without VPC - Google Play Store
| Rank | App | Developer | Developer Country | VPC Detected | Lifetime App Users (US) |
| 1 | Burger Shop Deluxe | GoBit Games | UNITED STATES | FALSE | 892K |
| 2 | PJ Masks™: Moonlight Heroes | Scary Beasties Limited | UNITED STATES | FALSE | 530K |
| 3 | Coloring Games: Color & Paint | RV AppStudios | UNITED STATES | FALSE | 332K |
| 4 | ABC Kids - Tracing & Phonics | RV AppStudios | UNITED STATES | FALSE | 295K |
| 5 | Wild Cougar Sim 3D | Turbo Rocket Games | UNITED STATES | FALSE | 199K |
| 6 | Baby Games: Piano & Baby Phone | RV AppStudios | UNITED STATES | FALSE | 193K |
| 7 | iHeartRadio Family | iHeartMedia, Inc. | UNITED STATES | FALSE | 176K |
| 8 | Kids Games: For Toddlers 3-5 | RV AppStudios | UNITED STATES | FALSE | 170K |
| 9 | Emma's World - Town & Family | Beansprites LLC | UNITED STATES | FALSE | 145K |
| 10 | Puzzle Kids: Jigsaw Puzzles | RV AppStudios | UNITED STATES | FALSE | 140K |
“App developers collecting and sharing children’s personal information without obtaining VPC signifies the apparent failure to comply with COPPA’s express compliance obligations,” said Shanzay Javaid, Data Protection & Privacy Counsel at Pixalate. “Despite recent amendments to the COPPA Rule, this systematic non-compliance exposes the entire advertising supply chain, including supply-side platforms and downstream advertising partners, to regulatory risks.”
To compile this research, Pixalate’s legal and data science teams employed automated processing combined with manual reviews by its Trust & Safety Advisory Board to assess nearly 134,000 apps with ads* (i.e., those with open programmatic traffic and ad impressions in the United States) available for download from the Google Play Store and Apple App Store in Q2 2025.
Download the report
Download Pixalate’s Q2 2025 Verifiable Parental Consent Failures In Mobile Apps report.
About Pixalate
Pixalate is a global platform specializing in privacy compliance, ad fraud prevention, and digital ad supply chain data intelligence. Founded in 2012, Pixalate is trusted by regulators, data researchers, advertisers, publishers, ad tech platforms, and financial analysts across the Connected TV (CTV), mobile app, and website ecosystems. Pixalate is accredited by the MRC for the detection and filtration of Sophisticated Invalid Traffic (SIVT). pixalate.com
Disclaimer
The content of this press release, and the COPPA VIOLATION CRISIS: Verifiable Parental Consent Failures In Mobile Apps report (the “Report”), reflect Pixalate's opinions with respect to factors that Pixalate believes may be useful to the digital media industry. Any data shared is grounded in Pixalate’s proprietary technology and analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate's opinions are just that, opinions, which means that they are neither facts nor guarantees. It is important to note that the mere fact that an app appears to be directed to children or is deemed likely child-directed (e.g., data subjects under 13 years of age, as defined by COPPA), or appears not to obtain VPC (e.g. as per the COPPA Rule) does not mean that any such app, or its operator, is failing to comply with COPPA. Further, with respect to apps that appear to be directed to children and have characteristics that, in Pixalate’s opinion, may trigger related privacy obligations and/or risk, such assertions reflect Pixalate’s opinions (i.e., they are neither facts nor guarantees); and, although Pixalate’s methodologies used to render such opinions are derived from automated processing, which at times is coupled with human intervention, no assurances can be – or are – given by Pixalate with respect to the accuracy of any such opinions. Pixalate is sharing this data not to impugn the standing or reputation of any entity, person or app, but, instead, to report findings and trends pertaining to programmatic advertising activity in the time period studied.
Apple and the Apple logo are trademarks of Apple Inc.
Google, Google AdExchange, the brand “Google Play,” its logos, and other Google logos are trademarks of Google LLC.
Meta, Facebook, the brand “Facebook,” its logos and other Meta logos are trademarks of Meta Platforms Inc.
AppLovin and its logo are trademarks of AppLovin Corporation.
Nina Talcott ntalcott@pixalate.com
