On August 5, 2020, parents who accused Disney, Viacom, Kiloo, and more than ten other companies of violating parents’ and children’s privacy rights in connection with information collected from children’s video games sought court preliminary approval of a class settlement in three separate but coordinated actions.

The three class actions are based on allegations that the companies embedded codes into children’s games “permitting the exfiltration and commercial use of children’s personal data,” including allowing them to track children’s behaviors across the apps and devices. The collected information was then used for targeted advertisement. Although the suits initially alleged violation of the Children’s Online Privacy Protection Act (“COPPA”) and state law, the COPPA claims were dropped. Among the survived claims included the California Constitutional Right to Privacy and California Unfair Competition Law.

While the settlements for each of the three actions were negotiated separately, all three settlements include foundational principles including: 1) stringent privacy protections and limitations on the use and collection of children’s personal data; 2) business practice requirements that exceed prevailing industry standards and federal requirements, ensuring app developers to protect children’s privacy; and 3) injunctive relief applying industry-wide to thousands of popular children apps, including future apps aimed at children.

The settlements do not provide a monetary relief, which would likely be nominal for most class members anyway. The parents rather found the continued litigation threatened to delay implementation of injunctive relief to the classes and believed the immediate relief provided by the settlements was much more important. Among other things, the settlements include requirements extending beyond the apps at issue in the operative complaints to thousands of other apps containing certain software development kits (“SDKs”), as well as dozens of Disney apps, and feature three common components: 1) a prohibition on behavioral advertising to children; 2) a requirement that advertising services be limited to contextual advertising in any app where the user is under 13, or stop providing all advertising services; and 3) requirements in the enrollment process for app developers to (i) educate app developers and (ii) enable screen apps to child-directed content. The relief also includes employing an age gate to screen users into over and under the age of 13.

For the defendants who developed the specific apps in each case, including Disney, Viacom, Kiloo, and Sybo, the relief provides privacy protections requiring deletion or sequestration of personal data previously collected. In addition, the developers are prohibited from collecting the children users’ street name combined with a city or town, using personal data to send push notifications, and must obtain written assurances from any advertising SDK that it will not track location information. The settlements also create an enforceable right to ensure that federal articulated privacy standards are met or even exceeded for children’s apps, in addition to abiding by COPPA requirements on the collection and use of children’s personal data.

The request for approval indicated the settlements “represent a milestone achievement for privacy protection in a rapidly developing mobile advertising ecosystem” and “will provide protections that exceed existing requirements relating to the collection, use, and monetization of children’s personal data.” The settlements allow plaintiffs to seek more than $9 million in attorneys’ fees and expenses and $2,500 for class representatives.

For businesses collecting children’s personal information, these settlements are a good reminder that federal and state privacy laws protecting children’s personal information should be viewed as the “floor” for protecting children’s privacy, not the ceiling. Indeed, the standard for protecting children’s privacy policy continues to increase as businesses are finding new ways to collect and commercialize this type of information. As we previously indicated in our CCPA Enforcement Series, No. 4, the CCPA, for example, extends several new rights to minors by requiring businesses to obtain opt-in consent prior to the “sale” of a child’s personal information. The FTC has also recognized the rapid changes in technology and the effect those changes have on children’s online activities — requiring it to accelerate its review cycle of the COPPA rule. For further information on this topic, click here.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Paul Kim Paul Kim

Paul is an associate attorney in the firm’s Consumer Financial Services and Cybersecurity, Information Governance and Privacy practice groups. Paul’s practice focuses on representing corporations in the financial services industry in both state and federal litigation and class actions lawsuits. Paul also counsels…

Paul is an associate attorney in the firm’s Consumer Financial Services and Cybersecurity, Information Governance and Privacy practice groups. Paul’s practice focuses on representing corporations in the financial services industry in both state and federal litigation and class actions lawsuits. Paul also counsels clients in various compliance and regulatory matters.

Show more Show less
Photo of Sadia Mirza Sadia Mirza

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’ cybersecurity strategies.

Read more about Sadia MirzaSadia's Linkedin Profile
Show more Show less
Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Read more about Ronald I. Raether, Jr.Ronald I.'s Linkedin Profile
Show more Show less
Related Posts
Cybersecurity_1060950942
FinCEN Highlights Identity Theft in Latest Threats and Trends Report
January 22, 2024
Cybersecurity_1073242516-690x345
Online Tracking Case Dismissed by Ninth Circuit Holding that Online Purchase Does Not Subject Web-Based Payment Processing Platform to Personal Jurisdiction in California
December 5, 2023
Cybersecurity_1073242516
FTC Amends Safeguards Rule to Require Reporting of Data Breaches
October 31, 2023