On June 18, 2024, theCalifornia Attorney General and the Los Angeles City Attorney(collectively, “the People”)announceda settlement with Tilting Point Media LLC (Tilting Point). The settlement resolves allegations that Tilting Point violated the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), and the Privacy Rights for California Minors in the Digital World Act (Digital Privacy for Minors Act).
Tilting Point is a video game company that developed the mobile game“SpongeBob: Krusty Cook-Off”(“the app”), which features characters from the popular animated TV seriesSpongeBob SquarePants.
The allegations and settlement focus on Tilting Point’s practices regarding data collection and disclosures, the use of software development kits (SDKs), and advertising. In particular, the claims and settlement focus on how these practices affect the rights of consumers under 13 years old (“children”) and 13 to 15 years old (“minors”).
The complaint and settlement are notable, as they mark only the third formal enforcement action brought under the CCPA since the law took effect on January 1, 2020, and the second enforcement of the marketing restrictions in the Digital Privacy for Minors Act since that law became effective on January 1, 2015. Their key provisions and takeaways are summarized below.
Applicable Law
The complaint alleges violations of three primary laws: COPPA, the CCPA, and the Digital Privacy for Minors Act.
COPPA is a federal law that requires online services directed to children or with actual knowledge that a user is a child to obtain parental consent before collecting personal information from children. It also requires businesses to provide certain notices regarding children’s data practices, both on the company’s website and directly to parents.
According to the complaint, the app was directed to children based on its design and simple gameplay, even though the app also targeted teens and adults. And, despite stating in its terms of service and privacy policy that children were prohibited from using the app, Tilting Point allegedly had actual knowledge that children were using the app and the app was directed to children. Because of this, Tilting Point was obligated to comply with COPPA.
The CCPA requires covered businesses to disclose how they sell personal information or “share” personal information in connection with targeted advertising within their privacy policies. Further, these privacy policies must include a statement regarding whether the business shares or sells children’s and minors’ personal information.
In order to sell or share children’s and minors’ information under the CCPA, a covered business needs to obtain parental consent (for children) or the consumer’s consent (for minors). For mixed audience apps (i.e., those that are not solely directed to children), implementing a neutral age gate can enable developers to properly classify the user as a child, minor, or adult, and obtain consents or provide opt-outs accordingly.
Finally, California’s Digital Privacy for Minors Act prohibits operators of websites, online services, and online and mobile applications from marketing or advertising certain products or services to minors under 18 years of age when the operator has actual knowledge that a user is a minor and the ad is based on information specific to that minor, including the minor’s activity. Operators that take reasonable steps in good faith to avoid marketing such products or services are deemed to be in compliance with the law. Restricted products and services include, among other things, alcoholic beverages, tobacco and drug products, and lottery games.
Alleged Conduct
The complaint outlines six principal allegations:
- Neutral Age Gates.Although Tilting Point implemented an age gate within the app, the age gate inserted a default year that would result in the user registering as an adult if not changed. The People alleged that this age gate configuration likely resulted in some children and minors being directed to the adult version of the game.
- Targeted Ads to Children.Tilting Point did not obtain parental consent for targeting ads to children.
- Sharing Personal Information Without Consent.Tilting Point did not obtain parental consent prior to collecting, disclosing, or sharing personal information from children. Further, Tilting Point did not receive minors’ consent to collect, disclose, or share their personal information.
- Incorrect Configuration of SDKs.Tilting Point configured SDKs in such a way that they shared children’s and minors’ information with the SDK providers without consent, and the company did not sufficiently review or audit the configuration and use of SDKs for privacy law compliance. While third-party documentation and default settings may complicate legally compliant installation, the People asserted that “the proper configuration of third-party SDKs is ultimately [the developer’s] legal obligation.”
- Vague Privacy Policy.Tilting Point’s privacy policy did not fully disclose the collection and use of personal information for targeted advertising. Further, the privacy policy did not adequately disclose the company’s use of SDKs or explain their use and purpose.
- Inappropriate and Deceptive Advertising.Tilting Point’s app displayed ads that were not clearly labeled as ads. These ads also did not provide clear exit methods, resulting in unintentional engagement and unnecessary sharing of personal information. Finally, at issue for the Digital Privacy for Minors Act, the app displayed age-inappropriate ads. While Tilting Point’s ads did not necessarily show products or services covered by the Digital Privacy for Minors Act, the ads featured products that incorporated such products and services, such as gambling apps or games about growing marijuana.
Settlement Terms
The settlement requires that Tilting Point comply with COPPA, the CCPA, and the Digital Privacy for Minors Act. For example, Tilting Point cannot collect, disclose, or share children’s or minors’ personal information without consent. The company must also provide adequate notices regarding their children’s and minors’ data practices, including through the company’s privacy policy and just-in-time notices. In addition, Tilting Point must minimize its collection of children’s and minors’ personal information.
Tilting Point must implement neutral age gates and cannot suggest that certain features will be unavailable for children or minors. Further, the age gate must specify that users must enter their age, rather than the age of the phone owner.
Of particular importance, this settlement has specific requirements regarding SDKs. Tilting Point must provide clear and conspicuous notice regarding its SDK data-sharing practices within its privacy policy, including the categories of SDKs used, the categories of personal information shared via the SDKs, and the business or commercial purpose for that sharing.
Additionally, the company must implement and maintain an SDK governance framework. The company must assess its compliance with the framework at least annually. This framework must contain a number of specific controls, including identification of (1) child-directed apps collecting personal information, (2) SDKs used per app, and (3) the purpose for using each SDK. The framework must also evaluate SDK configuration settings and relevant SDK provider contracts, and document the measures taken to ensure that data sales and sharing comply with the settlement.
Further, the settlement requires Tilting Point to pay $500,000 in civil penalties and submit annual compliance reports to the People for three years.
Key Takeaways
State and local law enforcers are increasingly attentive to businesses' data privacy and security practices, particularly if businesses handle children’s and minors’ data.1The Tilting Point settlement is the third CCPA action, showing that California continues to be an active player in this area. With many other state privacy laws taking effect in the coming years, other states are bolstering their privacy enforcement capabilities to also be active in this field.
The settlement’s focus on SDKs signals to developers the importance of properly implementing data-sharing technologies and conducting regular evaluations to ensure compliance with applicable law. Developers should review their data practices, especially if they produce games or apps that may have child or minor users.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues, and we specialize in issues pertaining to children’s privacy and state privacy law compliance. For more information, please contactTracy Shapiro,Eddie Holman,Rebecca Weitzel Garcia, or another member of the firm’sprivacy and cybersecuritypractice.
[1]The Wilson Sonsini Data Advisor regularly issues alerts on privacy and cybersecurity news, especially those pertaining to children’s and minors’ data. Our most recent alerts on this topic include: New York’s pair of children’s privacy and safety laws, Maryland’s new age-appropriate design code, new child exploitation reporting requirements, UK regulatory strategy to protect children online, and Florida’s social media law to restrict minors’ use of those services.
