On August 5, 2020, parents who accused Disney, Viacom, Kiloo, and more than ten other companies of violating parents’ and children’s privacy rights in connection with information collected from children’s video games sought court preliminary approval of a class settlement in three separate but coordinated actions.

The three class actions are based on allegations that the companies embedded codes into children’s games “permitting the exfiltration and commercial use of children’s personal data,” including allowing them to track children’s behaviors across the apps and devices. The collected information was then used for targeted advertisement. Although the suits initially alleged violation of the Children’s Online Privacy Protection Act (“COPPA”) and state law, the COPPA claims were dropped. Among the survived claims included the California Constitutional Right to Privacy and California Unfair Competition Law.

While the settlements for each of the three actions were negotiated separately, all three settlements include foundational principles including: 1) stringent privacy protections and limitations on the use and collection of children’s personal data; 2) business practice requirements that exceed prevailing industry standards and federal requirements, ensuring app developers to protect children’s privacy; and 3) injunctive relief applying industry-wide to thousands of popular children apps, including future apps aimed at children.

The settlements do not provide a monetary relief, which would likely be nominal for most class members anyway. The parents rather found the continued litigation threatened to delay implementation of injunctive relief to the classes and believed the immediate relief provided by the settlements was much more important. Among other things, the settlements include requirements extending beyond the apps at issue in the operative complaints to thousands of other apps containing certain software development kits (“SDKs”), as well as dozens of Disney apps, and feature three common components: 1) a prohibition on behavioral advertising to children; 2) a requirement that advertising services be limited to contextual advertising in any app where the user is under 13, or stop providing all advertising services; and 3) requirements in the enrollment process for app developers to (i) educate app developers and (ii) enable screen apps to child-directed content. The relief also includes employing an age gate to screen users into over and under the age of 13.

For the defendants who developed the specific apps in each case, including Disney, Viacom, Kiloo, and Sybo, the relief provides privacy protections requiring deletion or sequestration of personal data previously collected. In addition, the developers are prohibited from collecting the children users’ street name combined with a city or town, using personal data to send push notifications, and must obtain written assurances from any advertising SDK that it will not track location information. The settlements also create an enforceable right to ensure that federal articulated privacy standards are met or even exceeded for children’s apps, in addition to abiding by COPPA requirements on the collection and use of children’s personal data.

The request for approval indicated the settlements “represent a milestone achievement for privacy protection in a rapidly developing mobile advertising ecosystem” and “will provide protections that exceed existing requirements relating to the collection, use, and monetization of children’s personal data.” The settlements allow plaintiffs to seek more than $9 million in attorneys’ fees and expenses and $2,500 for class representatives.

For businesses collecting children’s personal information, these settlements are a good reminder that federal and state privacy laws protecting children’s personal information should be viewed as the “floor” for protecting children’s privacy, not the ceiling. Indeed, the standard for protecting children’s privacy policy continues to increase as businesses are finding new ways to collect and commercialize this type of information. As we previously indicated in our CCPA Enforcement Series, No. 4, the CCPA, for example, extends several new rights to minors by requiring businesses to obtain opt-in consent prior to the “sale” of a child’s personal information. The FTC has also recognized the rapid changes in technology and the effect those changes have on children’s online activities — requiring it to accelerate its review cycle of the COPPA rule. For further information on this topic, click here.