Pixalate Exposes Widespread COPPA Violations in New Verifiable Parental Consent (VPC) Report Q2 2025

According to Pixalate's research, Google Ad Exchange is listed in 90% of likely non-compliant apps' ads.txt files (apps enabled for advertising), Meta/Facebook in 58%, and AppLovin in 54%

LONDON, September 25, 2025 -- Pixalate, the leading global platform for ad fraud protection, privacy, and compliance analytics, today released its Q2 2025 Verifiable Parental Consent Failures In Mobile Apps Report. The report exclusively examines mobile apps on the Apple App Store and Google Play Store that are registered in the U.S. and likely aimed at children under 13 (i.e., Child-Directed) but do not collect Verifiable Parental Consent (VPC), potentially violating the Children’s Online Privacy Protection Act (COPPA).

This report highlights potential privacy violation risks for app developers under COPPA, specifically concerning the collection, sale, or sharing of children’s personal information through likely Child-Directed apps without obtaining lawful VPC, as assessed by Pixalate. The Federal Trade Commission (FTC)’s  COPPA Rule governs the online collection, use, and disclosure of personal information from children under 13 in the United States (U.S.). It also outlines multiple acceptable methods for obtaining a VPC.

Key Findings Raise Concerns About Children’s Data Privacy

The legal analysis, conducted by Pixalate’s legal and data science teams, examined 1,149 U.S.-registered, likely Child-Directed Google Play and Apple App Store-hosted apps with advertising capabilities:

• 99% Non-Compliance Rate: 1,136 out of 1,149 manually reviewed Google Play and Apple App Store-hosted apps failed to obtain VPC under the COPPA Rule, as assessed by Pixalate
  • Apple App Store violations: 866 of 877 examined Apple iOS-hosted apps (99%) lacked lawful VPC mechanisms
  • Google Play Store Violation: 270 out of 272 examined Google Play-hosted apps lacked lawful VPC mechanisms
    
    

Additional Personal Information Sharing Violations Discovered in Likely Child-Directed Apps without VPC Measures:

• 40% of the apps shared device IDs in the ad bidstream
• 42% of the apps transmitted IP addresses in the ad bidstream
• 34% disclose location information in the ad bidstream
• 31% of the apps transmitted all three types of personal information in the ad bidstrea
  
  

Advertising Supply Chain Implications

The report identifies major advertising platforms facilitating monetization within these likely non-compliant apps:

• Google Ad Exchange: Listed in app-ads.txt files of 1,019 (90%) likely non-compliant apps
• Meta/Facebook: Present in 658 (58%) likely non-compliant apps
• AppLovin: Associated with 619 (54%) likely non-compliant apps
  
  

To learn more about our other recent investigation into COPPA violations, please see the report.

Top 10 U.S.-Registered Apps without VPC - Apple App Store

Top 10 U.S.-Registered Apps without VPC - Google Play Store

“App developers collecting and sharing children’s personal information without obtaining VPC signifies the apparent failure to comply with COPPA’s express compliance obligations,” said Shanzay Javaid, Data Protection & Privacy Counsel at Pixalate. “Despite recent amendments to the COPPA Rule, this systematic non-compliance exposes the entire advertising supply chain, including supply-side platforms and downstream advertising partners, to regulatory risks.”

To compile this research, Pixalate’s legal and data science teams employed automated processing combined with manual reviews by its Trust & Safety Advisory Board to assess nearly 134,000 apps with ads* (i.e., those with open programmatic traffic and ad impressions in the United States) available for download from the Google Play Store and Apple App Store in Q2 2025.

Download Pixalate’s Verifiable Parental Consent Failures In Mobile Apps report.

About Pixalate

Pixalate is a global platform specializing in privacy compliance, ad fraud prevention, and digital ad supply chain data intelligence. Founded in 2012, Pixalate is trusted by regulators, data researchers, advertisers, publishers, ad tech platforms, and financial analysts across the Connected TV (CTV), mobile app, and website ecosystems. Pixalate is accredited by the MRC for the detection and filtration of Sophisticated Invalid Traffic (SIVT). pixalate.com

Disclaimer

The content of this press release, and the COPPA VIOLATION CRISIS: Verifiable Parental Consent Failures In Mobile Apps report (the “Report”), reflect Pixalate's opinions with respect to factors that Pixalate believes may be useful to the digital media industry. Any data shared is grounded in Pixalate’s proprietary technology and analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate's opinions are just that, opinions, which means that they are neither facts nor guarantees. It is important to note that the mere fact that an app appears to be directed to children or is deemed likely child-directed (e.g., data subjects under 13 years of age, as defined by COPPA), or appears not to obtain VPC (e.g. as per the COPPA Rule)  does not mean that any such app, or its operator, is failing to comply with COPPA. Further, with respect to apps that appear to be directed to children and have characteristics that, in Pixalate’s opinion, may trigger related privacy obligations and/or risk, such assertions reflect Pixalate’s opinions (i.e., they are neither facts nor guarantees); and, although Pixalate’s methodologies used to render such opinions are derived from automated processing, which at times is coupled with human intervention, no assurances can be – or are – given by Pixalate with respect to the accuracy of any such opinions. Pixalate is sharing this data not to impugn the standing or reputation of any entity, person or app, but, instead, to report findings and trends pertaining to programmatic advertising activity in the time period studied.