Pixalate Research Finds 253 EU & UK-Registered Mobile Apps Likely Violating GDPR-K & UK Children's Code: Apple App Store & Google Play Store Apps Endangering Privacy Rights of 104M+ Children Across Europe
According to Pixalate’s latest legal investigation, 253 Google Play & Apple App Stores-hosted Child-Accessible mobile apps with ads are likely non-compliant under the EU & UK GDPR; over 95% (245) of the identified apps are transmitting unlawfully obtained personal data–including Device ID and Location data– in the advertising bid stream
LONDON, Sept. 05, 2025 (GLOBE NEWSWIRE) -- Pixalate, the leading global ad fraud protection, privacy, and compliance analytics platform, today released the Q2 2025 GDPR-K & UK Children’s Code Privacy Violations in Mobile Apps Report, part of Pixalate’s series on European Users’ Privacy Rights.
The report exclusively examines Child-Accessible* apps across the Google Play & Apple App Store that are EU & UK registered and likely violate several provisions and standards under the General Data Protection Regulation (GDPR) and UK Children’s Code. Key potential violations include transmission of unlawfully obtained personal data in the advertising bid stream, no disclosures on how children’s personal data is processed, omitting mandatory information concerning data subject rights and failure to provide apps’ contact information within privacy notices/policies.
Key Findings Concerning EU+UK Children’s Privacy Rights
The following key findings highlight significant data privacy failures determined by Pixalate’s legal research and data science teams within 253 EU and UK-registered Child-Accessible mobile apps with ads**:
-
GDPR-K & UK Children’s Code Violations. 253 child-accessible mobile apps with ads are likely non-compliant under several provisions and standards of the GDPR, and the UK Children's Code, including GDPR Articles 5, 8, 12, 13, 15 and Recitals 38 and 58.
- Google Ad Exchange appears to partner with 96% (230) of the non-compliant apps, according to app-ads.txt analysis; Meta appears to partner with 80% (192)
- Transparency Failures. 91% (230) of the mobile apps do not disclose how they process children's personal data
- Illicit Data Transmissions. 97% (245) of the mobile apps transmit unlawfully obtained personal data in advertising bid streams, including location data
- Gaps in Protection: 43% (108) apps do not inform app users of their data subject rights, while 16 fail to disclose the categories of personal data that the apps are processing
- User Impact. Over 104 million lifetime app users*** – the majority of which are likely children–– are impacted by 253 non-compliant mobile apps
“Essential privacy practices, particularly those concerning children, are still being neglected by app developers, causing illegally-obtained personal data to be exposed in the digital advertising supply chain,” said Yusra Kayani, Director and Privacy Legal Counsel at Pixalate. “Pixalate’s investigation exposes these privacy failures in the European app market and calls for stronger safeguards, with regulators urged to give this privacy gap the attention it deserves.”
Understanding Parental Consent Requirements Under The GDPR & UK Children’s Code
The report further reveals a failure in safeguarding children's privacy due to the widespread absence of effective parental consent mechanisms.
- Out of the 253 identified likely non-compliant and Child-Accessible mobile apps with ads, 98% (247) lacked any appropriate age verification, age estimation, or parental consent mechanisms, directly violating GDPR Article 8(1) and the UK Children's Code standards.
Top 10 Most Popular EU+UK Registered Likely Non-Compliant Mobile Apps - Google Play Store
| Rank | App | Developer | Developer Country | Est. Lifetime App Users (EU+UK) |
| 1 | Zombie Tsunami | Mobigame SAS | FRANCE | 16.8M |
| 2 | Akinator | Elokence SAS | FRANCE | 14.9M |
| 3 | 4 Fotos 1 Palabra | Lotum GmbH | GERMANY | 5.6M |
| 4 | 4 Pics 1 Word | Lotum GmbH | GERMANY | 5.4M |
| 5 | European Truck Simulator | Ovidiu Pop | ROMANIA | 5.1M |
| 6 | Checkers Online | CC Games | POLAND | 4.7M |
| 7 | Coach Bus Simulator | Ovidiu Pop | ROMANIA | 3.3M |
| 8 | TopSpeed: Drag & Fast Racing | T-Bull S A | POLAND | 3.1M |
| 9 | Moto Rider GO: Highway Traffic | T-Bull S A | POLAND | 3.0M |
| 10 | Thief Puzzle: to pass a level | TapNation | FRANCE | 2.4M |
Top 10 Most Popular EU+UK Registered Likely Non-Compliant Mobile Apps - Apple App Store
| Rank | App | Developer | Developer Country | Est. Lifetime App Users (EU+UK) |
| 1 | Akinator | Elokence.com | FRANCE | 1.4M |
| 2 | Thief Puzzle: Brain Games | TapNation | FRANCE | 1.1M |
| 3 | Guess Their Answer | TapNation | FRANCE | 359K |
| 4 | 4 Pics 1 Word | LOTUM GmbH | GERMANY | 332K |
| 5 | BFF Friendship Test - Quiz | DH3 Games Ltd | IRELAND | 277K |
| 6 | Driving School Simulator | Alexandru Marusac | ROMANIA | 222K |
| 7 | Doll Dress Up: Makeup Games | TapNation | FRANCE | 218K |
| 8 | Save My Doggy - Dog Rescue | TapNation | FRANCE | 190K |
| 9 | Food Match 3D: Tile Puzzle | Masal Games Oyun Yazilim ve Teknoloji Anonim Sirketi | UNITED KINGDOM | 151K |
| 10 | Bubble Explode - pop puzzle | Spooky House Studios UG (haftungsbeschraenkt) | GERMANY | 137K |
Methodology
To compile this research, Pixalate data science and legal teams analyzed 15,417 mobile apps that were determined to be Child-Accessible and ad-enabled, followed by applying a GDPR Applicability Threshold**** to assess apps that were:
- Downloadable and registered within the EU, EEA and UK from the Google Play Store and Apple App Store, as of June 2025
- Met Pixalate’s Child-Accessible assessment criteria, and
- offered programmatic advertising (i.e., were ad-enabled) to users based in EU+UK.
Download Pixalate’s Q2 2025 Privacy Violations in Child-Accessible Mobile Apps (Europe) Report
*Child-Accessible Assessment Criteria: In this report, “Child-Accessible,” denotes the scope applicability of GDPR Art 8(1) & UK Children’s Code concerning mobile apps. Please review the Report’s methodology to learn more about how Pixalate’s Child-Accessible assessment criteria determines whether an app is likely accessible to children.
**Apps with ads: Apps with ads are defined as those having programmatic ad traffic targeted towards users based in EU+UK. These may also include apps with app-ads.txt files detected. See the Report’s Methodology for more information.
***Lifetime App Users: Lifetime App Users refers to Pixalate’s estimated total number of users who have installed (downloaded) each of the identified mobile apps without privacy policies on their device(s) since the apps’ initial launch within the respective app store. See the Report’s Methodology for more information.
****GDPR Applicability Threshold: Pixalate applies a GDPR-focused assessment criteria to determine whether a mobile app falls within scope of the GDPR and its respective obligations. To learn more about this assessment, please review the Report’s methodology for more information.
About Pixalate
Pixalate is a global platform specializing in privacy compliance, ad fraud prevention, and digital ad supply chain data intelligence. Founded in 2012, Pixalate is trusted by regulators, data researchers, advertisers, publishers, ad tech platforms, and financial analysts across the Connected TV (CTV), mobile app, and website ecosystems. Pixalate is accredited by the MRC for the detection and filtration of Sophisticated Invalid Traffic (SIVT). pixalate.com
Disclaimer
The content of this press release, and the Q2 2025 GDPR-K & UK Children’s Code Privacy Violations in Mobile Apps Report (the "Report"), reflect Pixalate's opinions with respect to factors that Pixalate believes can be useful to the digital media industry. Any data shared is grounded in Pixalate’s proprietary technology and analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate’s opinions are just that, opinions, which means that they are neither facts nor guarantees. Pixalate is sharing this data not to impugn the standing or reputation of any entity, person or app, but, instead, to report findings and trends pertaining to privacy and information security practices and compliance across mobile apps in the time period studied.
Statement regarding applicability of the General Data Protection Regulation (GDPR) & UK Children’s Code
Pixalate's opinions regarding possible applicability of, legal obligations under, and compliance with the GDPR & UK Children’s Code are for informational purposes only, and are not offered as legal advice. Nothing in this report: (i) is intended to constitute professional and/or legal advice; (ii) actually constitutes professional and/or legal advice; or (iii) sets forth a comprehensive or complete statement of the matters discussed or the law relating thereto.
Contact: Nina Talcott
ntalcott@pixalate.com
Legal Disclaimer:
EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.
