California’s Attorney General Announces $ 500,000 Settlement for CCPA and COPPA Violations Regarding Children’s Data

Alert
|
5 min read

In June 2024, California Attorney General Rob Bonta and Los Angeles City Attorney Hydee Feldstein Soto announced a $500,000 settlement1 with Tilting Point Media LLC (Tilting Point). After a joint investigation by the California Department of Justice and Los Angeles City Attorney's Office, Tilting Point was found in violation of the California Consumer Privacy Act (CCPA) and the federal Children's Online Privacy Protection Act (COPPA) by collecting and sharing children's data without obtaining parental consent. The CCPA - which incorporates COPPA controls - aims to safeguard the online privacy of children under the age of 13 by requiring websites and online services to obtain parental consent before collecting, using, or disclosing their personal information.

Background and Key Allegations

On the Insert tab, the galleries include items that are designed to coordinate with the overall look of your In 2020, Tilting Point launched a popular mobile app game titled the "SpongeBob: Krusty Cook-Off," (the "SpongeBob App") which contained both advertising and in-app purchases. The SpongeBob App was first investigated in September 2022 by the Children's Advertising Review Unit, a unit of the Better Business Bureau, for discrepancies in the app's data privacy and advertising practices, such as allowing children under age 13 to consent to the privacy policy and play the game despite the privacy policy stating that users must be at least 13 years old. Despite Tilting Point's initial corrective measures, including updating its age screen to direct users to two different versions of the app, a subsequent investigation by the California Department of Justice and the Los Angeles City Attorney's Office revealed continued violations of the CCPA and COPPA that included the sale of children's personal information.

Under the CCPA, businesses are prohibited from selling or sharing the personal information of a consumer when it has actual knowledge the consumer is under 13 years of age without the child's parent or guardian affirmative authorization, and in the case of 13-15 year-old consumers, without that consumer's affirmative authorization. COPPA also mandates that businesses obtain parental consent before collecting or using personal information from children under 13, provide notice on their websites or online services about this data collection, and directly notify parents regarding the information gathered from these children.

The California Attorney General and the Los Angeles City Attorney alleged that Tilting Point did not comply with these requirements and focused on the following factors:

  1. Non-neutral Age Screening: the age verification methods failed to encourage users to enter their age accurately and defaulted to older ages. For example, when the SpongeBob App was first downloaded, the initial screen asking users to select their birth year was pre-set to the year 1953.
  2. Misconfigured SDKs: The company misconfigured third-party software development kits (SDKs) in such a way that did not limit collection, disclosure and use of personal information based on the consumer's age or parental or opt-in consent, resulting in the unauthorized collection and disclosure of children's data.
  3. Deceptive Advertising Tactics: Tilting Point engaged in deceptive advertising practices targeting minors, including displaying advertisements that were not clearly labeled as such, that lacked clear exit methods, and that showed age-inappropriate ads to children.

Settlement Terms and Compliance Measures

Under the proposed settlement agreement, Tilting Point is required to pay $500,000 in civil penalties and adhere to stringent injunctive terms to ensure compliance with both the COPPA and CCPA. Implementing appropriate parental controls can be difficult, this settlement may provide insights for companies looking to do so. The settlement requires Tilting Point to:

  • Parental Consent Requirements: Obtain parental consent before selling or sharing the personal information of children under 13, and secure affirmative opt-in consent from users aged 13 to 15. Further, it must undertake reasonable efforts to ensure parents receive direct notice of its processing of children's personal information. 
  • Neutral Age Screens: Determine whether its website or online service meets the definition of a mixed audience service and implement neutral age screens to ensure accurate age reporting by users. A mixed audience service is directed to children but does not target children as its primary audience. If Tilting Point determines that its offers a mixed audience app, it must (i) ask age information in a neutral manner that does not default to a set age of 16 or above or encourage users to falsify age information, (ii) not suggest that certain features will not be available for users who identify as younger than 16 years old, and (iii) provide clear and conspicuous notice as part of the age screen that the age entered should be accurate to the user.
  • SDK Configuration and Governance: Ensure data minimization and proper configuration of third-party SDKs along with the establishment of a governance framework to oversee SDK use. Where selling or sharing personal information through SDKs, ensure its privacy policy provides clear and conspicuous notice regarding its use of SDKs, including, identifying the categories of SDKs, the personal information shared through SDKs, and the business or commercial purpose for such selling or sharing.
  • Advertising to Minors: Ensure that advertisements on website and online services are (i) clearly marked, (ii) easy to close with a prominent button, (iii) do not deceive or manipulate users into engaging with the advertisement, and (iv) do not promote age-restricted activities or products to children.
  • Transparency in Data Practices: When selling or sharing personal information of children, provide clear, just-in-time notices to users and parents detailing what information is collected, how it will be used, link to its privacy policy, and obtain the necessary consents.
  • Compliance and Monitoring: Establish, for a three-year period, a compliance program to monitor adherence to the settlement terms, with annual reporting to the California Department of Justice and Los Angeles City Attorney's Office.

The $500,000 settlement with Tilting Point serves as a critical reminder of the heightened scrutiny and risk of enforcement actions that businesses may face regarding data privacy violations, particularly those affecting children and other categories of sensitive data. This settlement represents California Attorney General Bonta's third enforcement action under the CCPA.

White & Case's Data, Privacy and Cybersecurity team will continue to provide updates as U.S. data privacy laws and regulations evolves. Please reference our article on the first CCPA enforcement action and second enforcement action.

1 See Attorney General Bonta, L.A. City Attorney Feldstein Soto, Announce $500,000 Settlement with Tilting Point Media for Illegally Collecting and Sharing Children’s Data.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2024 White & Case LLP

Top