Dad · StoryBeam Kids builder
What "Free" Usually Costs: The Real Data Record Behind Kids' Apps
As a developer, I know exactly what a "free" kids' app is usually built to do with data — here's the documented record, and why I built StoryBeam Kids to structurally avoid all of it.
I've spent my career writing software, which means I've also spent my career reading other people's SDK documentation. When you're a developer looking to make a "free" app pay for itself, there's a well-worn menu: drop in an ad SDK (AdMob, AppLovin, Unity Ads, or a mediation layer like ironSource that auctions your ad space to a dozen networks at once), drop in an analytics SDK (Firebase Analytics, Amplitude, Mixpanel) to track what users do, and maybe an attribution SDK (AppsFlyer, Branch) to figure out which marketing channel brought them in. Each of these is a few lines of integration code. Each of them also means a third party's code is now running inside your app, on your user's device, collecting identifiers and sending them somewhere you don't fully control.
None of that is theoretical or sinister-sounding for effect. It's just how the free-app business model works, and it's exactly why "free" and "no data collection" are not the same promise. A free kids' app still has to pay its hosting bill, its developer's salary, and its investors somehow — and if it's not charging a subscription, the money is almost always coming from ads, from data, or from both. That's not a conspiracy theory. It's an architecture decision every app maker makes, whether they say so or not.
What COPPA actually requires
The US Children's Online Privacy Protection Act (COPPA) governs this directly. If a website or app is directed at children under 13, or if the operator has actual knowledge it's collecting data from kids that age, COPPA requires clear notice to parents and verifiable parental consent before collecting "personal information" — and the FTC's rule defines personal information broadly enough to include persistent identifiers used for behavioral advertising, not just names or emails. In plain terms: an ad SDK quietly grabbing a device's advertising ID to build a profile of a 6-year-old is exactly the kind of thing the law is written to stop.
The documented record, not the marketing spin
I'm not going to make up statistics for this — here's what regulators and researchers have actually found and published.
In September 2019, the FTC and the New York Attorney General reached a $170 million settlement with Google and YouTube — $136 million to the FTC and $34 million to New York — the largest COPPA penalty on record at the time. The allegation was that YouTube collected persistent identifiers from viewers of child-directed channels, without notifying parents or getting consent, and used that data to serve targeted ads.
That record didn't hold for long. In December 2022, the FTC and Epic Games (maker of Fortnite) settled for $520 million combined: $275 million specifically for COPPA violations — collecting personal data from players under 13 without parental notice or consent, and shipping voice/text chat on by default so kids were matched with strangers — plus $245 million to refund players tricked into unwanted charges through manipulative interface design. The $275 million COPPA penalty broke Google/YouTube's 2019 record.
Those are the headline cases involving platforms most people have heard of. But the more useful data point, for understanding how widespread this is, comes from academic research rather than a single enforcement action. In 2018, researchers Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo Vallina-Rodriguez, and Serge Egelman published "'Won't Somebody Think of the Children?' Examining COPPA Compliance at Scale" in Proceedings on Privacy Enhancing Technologies (PoPETs). They analyzed 5,855 of the most popular child-directed apps on Android's Designed for Families program and found that roughly 57% — about 3,337 apps — were potentially violating COPPA. The dominant cause wasn't malicious intent from the app developers themselves; it was third-party SDKs. Many ad and analytics SDKs do offer settings meant to disable behavioral tracking for child-directed apps, but the study found most apps either didn't enable those settings or the settings didn't correctly propagate through mediation layers that route ad requests through several networks at once. The researchers also found that 19% of the apps collected identifiers via SDKs whose own terms of service prohibited that use in child-directed apps, and that a large share of apps sharing a resettable advertising ID were also transmitting non-resettable persistent identifiers alongside it — defeating the entire point of a resettable ID.
Read together, what these cases and that study show isn't that a few bad actors got caught. It's that the default architecture of the free-app ecosystem — SDK-driven ads, SDK-driven analytics, identifier sharing across a chain of vendors nobody outside the company fully audits — produces privacy violations even when nobody sets out to build one.
Why StoryBeam Kids is built structurally differently
This is the part I can speak to directly, because I wrote the code. StoryBeam Kids has no accounts. There's no sign-up form, no email collection, no login screen for your kid to sit in front of, because there's no server-side user record to log into in the first place. It has no advertising — which means there's no ad SDK, no mediation layer, no advertising ID being read off the device, because there's no ad inventory to fill. It has no analytics — no event tracking, no session pixels, no attribution SDK, because I'm not running a growth funnel that needs to know what your kid clicked.
The catalog is closed and curated, not algorithmically personalized, which matters more than it sounds like it should: a personalized recommendation engine needs behavioral data to function. A fixed catalog doesn't. When your kid builds a playlist or sets a preference in StoryBeam Kids, that data is written to the browser's local storage on that device and stays there. It never gets sent to a server, because there's no account for it to be attached to and no analytics system waiting to receive it.
I want to be precise about what this means and doesn't mean. I'm not claiming StoryBeam Kids has passed some certification or been audited by a regulator — it hasn't, and I wouldn't say so if it had. What I can say, as the person who wrote every line of it, is that "we don't collect your kid's data" isn't a policy on a page here. There's no pipe for that data to travel through even if I wanted to build one later without ripping out the current architecture. That's a meaningfully different guarantee than a privacy policy promise, and given what the FTC's own enforcement history and this academic research show about how often SDK-based "free" apps get this wrong, I think it's a distinction worth explaining rather than just asserting.
Sources
- Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children's Privacy Law — Federal Trade Commission
- $170 million FTC-NY YouTube settlement offers COPPA compliance tips for platforms and providers — Federal Trade Commission Business Blog
- Epic Games Inc., Developer of Fortnite Video Game, Agrees to $275 Million Penalty and Injunction for Alleged Violations of Children's Privacy Law — U.S. Department of Justice
- FTC Finalizes Order Requiring Fortnite Maker Epic Games to Pay $245 Million for Tricking Users into Making Unwanted Charges — Federal Trade Commission
- "Won't Somebody Think of the Children?" Examining COPPA Compliance at Scale (Reyes, Wijesekera, Reardon, Elazari Bar On, Razaghpanah, Vallina-Rodriguez, Egelman) — Proceedings on Privacy Enhancing Technologies (PoPETs), 2018
- Complying with COPPA: Frequently Asked Questions — Federal Trade Commission
- Children's Online Privacy Protection Act (COPPA) — Federal Trade Commission
Jason is a software developer, father to the founder of StoryBeam Kids, and reviews every show in the catalog before it appears.
