New CCPA Enforcement Action: Lessons for Tracking Technologies and Child Users

This week the California Attorney General and Los Angeles City Attorney announced a proposed $500,000 settlement of a complaint against mobile app game developer and publisher Tilting Point Media LLC for alleged violations of the California Consumer Privacy Act (“CCPA”), unfair competition law, and the federal Children’s Online Privacy Protection Act (“COPPA”). This post summarizes the alleged practices that led to the enforcement action, how it fits with regulatory enforcement priorities, including data sales via tracking technologies and children’s privacy, and steps for companies to consider to reduce risk.

Alleged Improper Collection, Disclosure, and Selling of Children’s Personal Data

The enforcement action centered on the handling of personal data from Tilting Point’s cooking simulation mobile game, “SpongeBob: Krusty Cook-Off.” The mobile app was alleged to be directed to children and was also used by older teens and adults. COPPA requires parental notice and consent before personal data about app users under the age of 13 is collected or disclosed to third parties, and the CCPA requires affirmative authorization from a parent or guardian before personal data of those users is sold or shared for behavioral advertising. The CCPA further requires affirmative authorization from users aged 13 to 16 before their personal data is sold or shared for behavioral advertising. The complaint alleged that Tilting Point improperly collected and shared personal data about its child app users in violation of these requirements, and two practices were the primary bases for these violations.

First, the game’s age screen “did not ask age in a neutral manner, meaning users under the age of 13 were not encouraged to enter their age correctly.” Illustratively, at one point the age screen allegedly defaulted the player’s birth year to 1953 so that a ten-year-old player “would need to scroll through more than 50 years to select an accurate birth year.” This undermined the age screen’s purpose of redirecting players under 16 to an age-appropriate version of the game, increasing the chance that those players would end up using a version of the game that did not have the CCPA’s and COPPA’s required notice and consent safeguards in place.

Second, Tilting Point allegedly misconfigured third-party software development kits (“SDKs”) it used in the game, which led to it disclosing, selling and sharing (for behavioral advertising) children’s personal data with third parties through those SDKs without the required COPPA consents or CCPA authorizations. Even if a player “self-identified as under 16 years old and w[as] directed to the child-specific version” of the game, the misconfigured SDKs purportedly caused sale and sharing of the player’s personal data. The complaint alleged that this resulted from a failure of Tilting Point to “review or audit its configuration and use of SDKs to ensure compliance with CCPA and COPPA.” Notably, the Attorney General found that regardless of an SDK’s third-party documentation or default settings, Tilting Point is ultimately responsible for properly configuring the SDKs it uses.

In the proposed settlement, Tilting Point has agreed to pay $500,000 and to comply with a three-year consent decree requiring it to bring its data practices for all apps, websites, and online services it offers into compliance with both the CCPA and COPPA. The consent decree also requires Tilting Point to ensure that its age-screening processes are conducted in a neutral manner so that they effectively result in compliant data practices for children. It must also proactively implement a detailed SDK governance framework to oversee SDK use and configuration across all Tilting Point apps, more explicitly describe its SDK practices in its privacy policy, address “best practices related to advertising to minors,” and conduct annual assessments of the effectiveness of its compliance protocols to address the requirements of the consent decree, submitting reports on those assessments to the AG and LA City Attorney.

Data Sales, Opt-Out Rights, and Children’s Privacy Remain CCPA Enforcement Priorities

This is the third settlement that the California Attorney General has announced with a company for alleged CCPA violations. The AG’s settlements to date, its enforcement case examples, and public statements by the AG and the California Privacy Protection Agency (which shares enforcement authority) indicate some of the State’s CCPA enforcement priorities.

Personal data sales and processes to opt out of sales and sharing for behavioral advertising are clearly a priority. The AG’s prior settlements with Sephora and DoorDash also alleged violations of the CCPA’s provisions governing sales of personal data, and the announced enforcement sweeps against mobile app providers and streaming services also highlight these provisions as priorities. Governance of technologies used to automatically send personal data to third parties—whether via pixels on websites, or SDKs in apps—and effective opt-out processes should be a key focus area for companies, as we suggested after the Sephora action.

Protections for children and vulnerable, marginalized populations are also an enforcement priority. AG enforcement case examples show attention to children’s privacy protections under the CCPA. The CPPA staff also discussed the agency’s focus on CCPA protections for marginalized and vulnerable populations at the 2024 IAPP Global Privacy Summit. For example, in the press release announcing the Tilting Point settlement, California’s Attorney General promised that as children increasingly engage with the Internet and other online technologies, his office will act on “his continued priority to protect children online” by using “every enforcement tool to ensure compliance with the law,” including collaborations with local, state, and federal agencies. This promise is bolstered by the Attorney General’s involvement in other state and federal initiatives related to children’s privacy, including his signature on a March 2024 letter to the FTC requesting updates to COPPA regulations and co-sponsorship of the proposed California Children’s Data Privacy Act (AB 1949).

CCPA enforcement priorities will evolve over time, but this focus on data sales, opt-out rights, and children’s privacy may have staying power for the years ahead.

Steps to Consider From This Action

Consider the following actions to proactively address the issues that were the basis of this enforcement action:

· Evaluate age screening methods to avoid age falsification, such as when users are asked to provide their age (consider the FTC COPPA FAQs on this point).

· Keep an up-to-date understanding of what third-party SDKs are used in your app(s), what data they transmit, and whether they involve “sales” or sharing for targeted advertising.

· Validate that child app versions don’t have SDKs or other technologies or processes to sell personal data or share it for behavioral advertising unless required consents are obtained.

· In all apps, confirm that opt-out processes for “sales” and sharing for behavioral advertising are effective for SDKs that transmit personal data for these purposes. Don’t assume this is the SDK provider’s responsibility; it is likely the app provider’s.

· Have an assessment process to evaluate and classify new SDKs before they are added to an app. This process should confirm whether the SDKs are appropriate for particular app versions (e.g., a child app version) and whether opt-in or opt-out rights need to be offered before the SDK can transmit personal data (e.g., when the transmission is a “sale” or for targeted advertising).

· Monitor and audit SDK implementations and user opt-out settings for ongoing compliance with applicable legal requirements.

Sam Castic is a Partner with Hintze Law. As a former chief privacy officer, he helps companies build, scale, and right-size privacy programs and strategies.

Cameron Cantrell is an Associate at Hintze Law PLLC representing companies on AI, privacy, and cybersecurity issues.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique privacy firm that provides counseling exclusively on global AI & data protection. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of AI, privacy & data security.