On June 18, 2024, the California Attorney General and Los Angeles City Attorney filed a complaint and stipulated final judgment (including a $500,000 settlement) with Tilting Point Media LLC (“Defendant” or “Tilting Point”), resolving allegations that the video game developer and publisher violated the federal Children’s Online Privacy Protection Act (“COPPA”), the California Consumer Privacy Act (“CCPA”), and the California consumer protection law.  Under the final judgment, Defendant would pay to settle the matter without admitting liability and would agree to several other changes to its conduct. 

Background

COPPA applies to websites and apps that collect personal information from children under age 13.  In contrast, CCPA includes provisions related to the collection and processing of personal information of children under age 13, as well as other provisions related to personal information belonging to minors aged 13 to 15.  Tilting Point offered a free-to-play mobile app called “SpongeBob:  Krusty Cook-Off,” which appealed to minors and adults.  Because the app was free to users, Tilting Point earned revenue through in-app purchases and advertising.

Complaint

According to the complaint:

  • The app required users to provide a birthdate, and used a wheel of birth years, with the default set at 1953.  Nevertheless, the complaint pointed out, some users did identify as under age 13;
  • The app allowed users to consent to receive advertising, even if the users were under age 13;
  • The app collected and disclosed personal information, including disclosure to third parties for advertising purposes, “regardless of the age consumers entered via Tilting Point’s age screen . . . without the required parental or opt-in consent”; and
  • Tilting Point configured the Software Development Kits (“SDKs”) provided by third parties in a manner that resulted in the SDKs collecting and disclosing children’s data without the required consents.

The complaint alleged that Tilting Point:

  • Had a legal obligation to configure third-party SDKs properly; and
  • Had a privacy policy that insufficiently disclosed the collection, sale, or sharing of consumers’ personal information, particularly children’s data, or the use and purpose of SDKs.

Tilting Point allegedly violated COPPA by:

  • Failing to obtain consent from parents of children under age 13;
  • Failing to provide a notice on its website or elsewhere online about its information collection practices from children under age 13; and
  • Failing to provide direct notice to parents.

Tilting Point allegedly violated CCPA by:

  • Having actual knowledge that it collected personal information from children under 13 and children between 13 and 15, but not sufficiently disclosing its practices in its privacy policy;
  • Not seeking parental consent for children under age 13;
  • Not seeking opt-in consent for minors between ages 13 and 15; and
  • “Selling” or “sharing” personal information of individuals under 16 years of age when it had actual knowledge of the individuals’ age or “willfully disregarded” the individuals’ age.

The complaint alleged that these violations of COPPA and CCPA also constituted violations of California’s unfair competition law and violated its laws on advertising to minors.

The complaint sought an injunction under COPPA, civil penalties under CCPA of $2,500 for each violation or $7,500 for each intentional violation, and disgorgement.

Order

The three-year order includes a $500,000 payment to settle the matter, as well as injunctive terms.  The order also combines the CCPA and COPPA definitions of “collect,” but expands the definition from “minors” to “consumers”:

Collects or collection means the gathering of any personal information from a consumer by any means, including without limitation, (a) requesting, prompting, or encouraging a child to submit personal information online; (b) enabling a consumer to make personal information publicly available in identifiable form; (c) passive tracking of a consumer online; or (d) buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means, either actively or passively, or by observing the consumer’s behavior.

Another noteworthy provision in the order relates to SDKs.  Not only must Tilting Point take reasonable steps to ensure that any SDKs that collect personal information from minors (including in mixed audience games) comply with the order, but it must also establish an SDK governance framework.  The framework has 6 elements:

  1. Identify each app directed at children that collects personal information;
  2. Identify each SDK in such apps and the names of the SDK providers;
  3. Describe the purpose of each SDK;
  4. Evaluate the configuration settings (including defaults) of each SDK for collection, use, and/or disclosure of personal information;
  5. For any SDK that collects personal information from consumers under age 16, evaluate the contract for restrictions on data use, collection, and disclosure; and
  6. For any SDK that sells or shares personal information of consumers under age 16, confirm and document the measures Tilting Point is taking “to ensure” the sales or shares comply with the order.

The order would also require that Tilting Point conduct an annual assessment of its SDK governance and its data minimization efforts.

How Network Traffic Testing Can Help

Compliance with privacy requirements frequently begins with an understanding of what personal information your website and apps will collect and what happens to that data.  As this order makes clear, the requirements apply to data collected not only by the code a company develops but also by third-party code the company uses.  Network traffic testing provides line of sight into the actual data transmitted by a mobile app, without a company having to rely on an SDK provider’s unverified statements about the behavior of its code.

Reach out to us for more information on how we can help your organization meet its privacy requirements. Specifically, through the use of our in-house tool, NT Analyzer, we can assist attorneys and developers with the backend technical aspects of compliance, including confirming SDK uses to ensure the SDKs are configured correctly and functioning as intended.  Indeed, this complaint and order, like many other privacy trends (e.g., CCPA and mobile app store requirements), reinforce the importance of organizations using technical frameworks to inform and comply with their privacy requirements.

If you are interested in learning more about the firm’s technical capabilities, including a demo of NT Analyzer, please contact NTAnalyzer@nortonrosefulbright.com.