Pixalate, the leading global platform for ad fraud protection, privacy, and compliance analytics, released the Q2 2025 GDPR-K & UK Children’s Code Privacy Violations in Mobile Apps Report, part of Pixalate’s series on European Users’ Privacy Rights. 

The report exclusively examines child-accessible apps across the Google Play & Apple App Store that are EU & UK registered and likely violate several provisions and standards under the General Data Protection Regulation (GDPR) and UK Children’s Code. Key potential violations include transmission of unlawfully obtained personal data in the advertising bid stream, no disclosures on how children’s personal data is processed, omitting mandatory information concerning data subject rights, and failure to provide apps’ contact information within privacy notices/policies. 

Key findings concerning EU+UK children’s privacy rights

The following key findings highlight significant data privacy failures determined by Pixalate’s legal research and data science teams within 253 EU and UK-registered child-accessible mobile apps with ads:

• GDPR-K & UK Children’s Code violations. 253 child-accessible mobile apps with ads are likely non-compliant under several provisions and standards of the GDPR, and the UK Children's Code, including GDPR Articles 5, 8, 12, 13, 15 and Recitals 38 and 58. 
• Google Ad Exchange appears to partner with 96% (230) of the non-compliant apps, according to app-ads.txt analysis; Meta appears to partner with 80% (192)
• Transparency failures. 91% (230) of the mobile apps do not disclose how they process children's personal data

"Essential privacy practices, particularly those concerning children, are still being neglected by app developers, causing illegally-obtained personal data to be exposed in the digital advertising supply chain," said Yusra Kayani, director and privacy legal counsel at Pixalate. "Pixalate’s investigation exposes these privacy failures in the European app market and calls for stronger safeguards, with regulators urged to give this privacy gap the attention it deserves." 

Understanding parental consent requirements under the GDPR & UK children’s code

The report further reveals a failure in safeguarding children's privacy due to the widespread absence of effective parental consent mechanisms. 

• Out of the 253 identified likely non-compliant and child-accessible mobile apps with ads, 98% (247) lacked any appropriate age verification, age estimation, or parental consent mechanisms, directly violating GDPR Article 8(1) and the UK Children's Code standards. 

Methodology 

To compile this research, Pixalate data science and legal teams analysed 15,417 mobile apps that were determined to be child-accessible and ad-enabled, followed by applying a GDPR applicability threshold to assess apps that were:

1. Downloadable and registered within the EU, EEA and UK from the Google Play Store and Apple App Store, as of June 2025 
2. Met Pixalate’s child-accessible assessment criteria, and 
3. offered programmatic advertising (i.e., were ad-enabled) to users based in EU+UK.

Download Pixalate’s Q2 2025 Privacy Violations in Child-Accessible Mobile Apps (Europe) Report

Pixalate

Pixalate is the market-leading fraud protection, privacy, and compliance analytics platform for Connected TV (CTV), Mobile Apps, and Websites. ...

More about Pixalate »

Powered by PressBox