On June 18, 2024, California Attorney General (AG) Rob Bonta announced a third CCPA enforcement settlement, this one with Tilting Point Media LLC. Tilting Point was allegedly using its mobile app game "SpongeBob: Krusty Cook-Off" to collect, share, and sell the data of minors, in violation of the California Consumer Privacy Act (CCPA), California's Unfair Competition Law (UCL), and the Children's Online Privacy Protection Act (COPPA). Tilting Point agreed to pay a $500,000 civil penalty and implement certain measures to address the alleged violations. The settlement is notable for combining enforcement of COPPA alongside the CCPA, targeting similar practices but different age groups under each law. Also notably, the AG investigated Tilting Point after the Children's Advertising Review Unit (CARU) of BBB National Programs issued findings alleging that Tilting Point's practices violated COPPA. The AG alleged that Tilting Point failed to correct its practices following the investigation by CARU. The case illustrates the risks of ignoring industry self-regulatory reviews and provides a roadmap other states can use to leverage multiple laws against the same activities.
The AG's complaint focused on the key allegations outlined below:
- Age Screening Practices
Tilting Pont allegedly violated COPPA by failing to provide a neutral and effective age screen to limit the collection, use, or disclosure of personal information of users under the age of 13. According to the AG's complaint, when users downloaded the app, the initial screen asked users to select their birthday with a default of 1953 as the birth year. Users under the age of 13 would have to scroll through a long list to select an accurate birth year. As a result, the AG claimed this age screen failed to encourage users to enter an accurate age, and therefore minors using the game likely selected incorrect dates and were directed to an adult version of the game.
- Parental Consent for Minors Under 13
Tilting Point allegedly failed to obtain verifiable parental consent before the collection, use, or disclosure of personal information from children under 13. In particular, the AG alleged that Tilting Point failed to obtain verifiable parental consent for the processing of personal data for "personalized" advertising. COPPA requires companies to obtain parental consent for the collection of personal information of users under the age of 13 when the company has "actual knowledge" the data is collected from a child. The CCPA also requires parental authorization to sell or share personal information when the company has actual knowledge, or willfully disregards, that the individual is under 13.
- "Opt-in" Consent for Minors Under 16
Tilting Point allegedly violated the CCPA by failing to obtain affirmative authorization from individuals who self-identified as 13 to 15 years of age before selling or sharing personal information. The AG noted that the CCPA is an "opt-in" statute (for minors in this age range) requiring companies to obtain authorization from users before selling or sharing their personal information with actual knowledge or willful disregard of a user's age.
- Software Development Kits
Tilting Point allegedly misconfigured or installed SDKs in the app, allowing unrestricted collection, disclosure, and use of personal information without considering a consumer's age or obtaining the requisite parental or individual consent required by both CCPA and COPPA. Although the AG noted that "third-party documentation and default settings complicated installation and configuration of SDKs," the AG reiterated that Tilting Point had the responsibility to ensure proper configuration for compliance.
- Inadequate Privacy Policy Disclosures
Tilting Point allegedly provided inadequate notice and limited disclosures in its privacy policy. According to the AG, the company failed to disclose in the privacy policy or in a direct notice to parents how it sold or shared personal information, especially concerning targeted advertising related to data collected from child users of the app. Both the CCPA and COPPA require companies to provide specific notices about the collection, disclosure, and use of personal information from consumers.
- Inappropriate Advertising to Minors
Tilting Point allegedly employed inappropriate advertising practices targeted at minors. These practices included failing to label ads, displaying full-screen ads without clear exit options, displaying ads that required engagement or downloading additional apps, using manipulative tactics to encourage excessive ad viewing by children, and promoting age-inappropriate content such as ads for gambling apps. These practices collectively were alleged to constitute unlawful, deceptive, and unfair business acts or practices and unfair competition in violation of the UCL.
As part of the settlement, Tilting Point agreed to implement proactive measures to prevent any future improper collection and sale of data from children. The order includes requirements to use neutral age screens; obtain parental consent or "opt-in" consent, depending on the user's age; comply with laws related to the privacy of and advertising to minors, including clear disclosures, formatting requirements, and a clear opportunity to exit the ad; and implement responsible use and review of SDKs within its apps.
About Venable: Venable's Privacy and Data Security Practice Group has extensive experience counseling clients on obligations as controllers and processors under the state consumer privacy laws. Please feel free to reach out to us if you would like to learn more about federal or state privacy legislation, applicability to your organization, or what you can do to assess your compliance posture with respect to new laws.