Pixalate’s Q3 2025 State Of Children’s Privacy On Mobile Apps Report: Asia-Pacific (APAC) is part of its COPPA Violation Risks in Mobile Apps series, highlighting APAC-registered app developers that have likely child-directed apps downloadable from the Google Play Store and the Apple App Store that are at risk of violating the United States’ Children’s Online Privacy Protection Act (COPPA).
Download the Q3 2025 report, along with two complete lists of APAC-registered, child-directed apps:
This report investigates and discusses several privacy violations of the United States’ Children’s Online Privacy Protection Act (COPPA) by mobile app developers registered within the Asia Pacific (APAC) market (e.g. Singapore, People’s Republic of China, Vietnam, Japan, South Korea and others). Although the identified app developers are based outside of the United States (U.S.), their child-directed mobile apps are offered to and accessed by app users–the majority of whom are children–within the U.S.
Based on COPPA’s scope and a thorough application of data privacy compliance analysis, Pixalate identified 1,248 APAC-registered and child-directed apps that are violating the COPPA Rule, especially provisions addressing the collection, use, sale, and disclosure of personal information of U.S.-based child app users under the age of 13.
Pixalate also observed that from a dataset of 1,003 APAC-registered and child-directed apps, 1,001 apps violated the requirement of obtaining a Verifiable Parental Consent (VPC) under COPPA.
For this report, Pixalate’s legal and data science teams analysed the privacy policies* of around 23,097 child-directed apps with ads** that were downloadable from the Google Play Store and Apple App Store in Q3 2025. From this number, 7,524 child-directed apps were determined to be registered in the APAC region and 1,248 of these were likely violating COPPA. The data in this report is derived from conducting manual assessments and systematic browsing or ‘crawls’ of the Google Play and Apple App Stores, performed via Pixalate’s proprietary technologies and detection systems.
*References to ‘no privacy policy/policies’ or ‘no privacy policy/policies detected’ indicate that Pixalate’s proprietary systems were unable to detect or identify a purported privacy policy/notice URL or the requisite disclosures at the time of crawling the App Stores, pursuant to Pixalate’s proprietary privacy policy detection and classification system. To learn more, please refer to the Methodology section.
**Having programmatic traffic, with ad impressions in the United States. For a detailed explanation, please refer to the Methodology section.
The Children’s Online Privacy Protection Act (COPPA) was enacted in 1998 in the U.S. to protect the privacy of children under the age of 13 in the digital online environment. COPPA is enforced by a consumer protection U.S. government agency, the Federal Trade Commission (FTC).
The FTC conducts investigations and takes rigorous legal actions by imposing hefty fines against numerous national and international businesses, including app developers, that are found to be violating COPPA’s requirements when collecting, using, sharing or selling children’s personal information.
APAC-registered app developers are likely subject to COPPA if they are ‘Operators’ of ‘child-directed’ apps and are collecting personal information* via such apps from U.S.-based children under the age of 13.
*individually identifiable information about an individual collected online - See 16 CFR 312.2 “Personal information”
Any person who operates a website or online service and collects, maintains, or uses personal information of U.S.-based children under 13. Examples:
Under COPPA, the FTC relies on 10 factors to determine if your app or online services are directed towards children. These factors range between: subject matter, visuals, animation usage, music/audio content, age of characters & more.
You operate apps that are targeted towards and accessible by U.S.-based children aged under 13, and collect, use, or disclose personal information of U.S.-based children. If both conditions apply, the app developer qualifies as an ‘Operator’ and their apps would be deemed by the FTC as ‘covered’ child-directed apps.
Your apps will also qualify as ‘covered’ apps subject to COPPA if:
*According to the FTC, ‘mixed audience’ websites and online services are a subcategory of those operators that are deemed ‘child-directed.’ This includes apps that do not “target children children as its primary audience,” meaning it can cover apps that also target older teens and adults.
See also:
Pixalate is a global platform for privacy compliance, ad fraud prevention, and data intelligence in the digital ad supply chain. Founded in 2012, Pixalate’s platform is trusted by regulators, data researchers, advertisers, publishers, ad tech platforms, and financial analysts across the Connected TV (CTV), mobile app, and website ecosystems. Pixalate is MRC-accredited for the detection and filtration of Sophisticated Invalid Traffic (SIVT).
Contact
Offices
Disclaimer: The content of this page reflects Pixalate’s opinions with respect to the factors that Pixalate believes can be useful to the digital media industry. Any proprietary data shared is grounded in Pixalate’s proprietary technology and analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate’s opinions are just that - opinion, not facts or guarantees.
Per the MRC, “'Fraud' is not intended to represent fraud as defined in various laws, statutes and ordinances or as conventionally used in U.S. Court or other legal proceedings, but rather a custom definition strictly for advertising measurement purposes. Also per the MRC, “‘Invalid Traffic’ is defined generally as traffic that does not meet certain ad serving quality or completeness criteria, or otherwise does not represent legitimate ad traffic that should be included in measurement counts. Among the reasons why ad traffic may be deemed invalid is it is a result of non-human traffic (spiders, bots, etc.), or activity designed to produce fraudulent traffic.”
