On June 18, 2024, the California Attorney General announced a settlement with Tilting Point Media LLC, the developer and publisher of the mobile game “SpongeBob: Krusty Cook-Off” (SpongeBob app), resolving allegations of unauthorized disclosure of children’s personal information under the federal Children’s Online Privacy Protection Act (COPPA) and the California Consumer Privacy Act (CCPA), as well as claims of unlawful advertising tactics under the California Unfair Competition Law (UCL). The settlement includes a $500,000 civil penalty and injunctive relief. The Los Angeles City Attorney, who has concurrent authority with the California Attorney General to enforce the UCL, joined the complaint and settlement.

Complaint

According to the complaint, the SpongeBob app was directed to children under COPPA and the company had actual knowledge that children were using its app even though Tilting Point’s terms of service and privacy policy stated that consumers under age 13 were not authorized to use the company’s services.

COPPA and CCPA. As to both COPPA and the CCPA, the complaint alleges that the age screen was not neutral because it defaulted to a 1953 birth year and thereby likely encouraged children to indicate that they were older than they actually were and steered them to the adult version of the game with broader data collection designed for older users. In addition:

  • Tilting Point incorrectly configured third-party software development kits (SDKs) embedded in the SpongeBob app to collect and disclose personal information for targeted advertising without the necessary consent, regardless of what age consumers indicated. Under COPPA, parental consent is required to collect personal information online from children under age 13. Under the CCPA, businesses may not sell or share the personal information of children under age 13 without affirmative authorization from the parent or, in the case of children between age 13 through 15, affirmative authorization from the consumer. The complaint alleges that Tilting Point failed to obtain (1) the requisite parental consent for children under age 13 under COPPA and the CCPA and (2) the consumer’s opt-in consent for the sale or sharing of personal information for consumers between age 13 through 15 under the CCPA.
  • Tilting Point failed to provide the required disclosures to parents and consumers of its practices with respect to targeted advertising and children. More specifically, with respect to COPPA, the complaint alleges that Tilting Point failed to describe its data processing practices in a direct notice to parents or on its website privacy policy. With respect to the CCPA, the complaint alleges that Tilting Point’s privacy policy insufficiently disclosed the collection, sale, or sharing of children’s personal data or the use and purpose of SDKs sufficient to allow consumers or parents to understand and exercise their CCPA rights.  

UCL. According to the complaint, Tilting Point engaged in a range of deceptive and unfair advertising tactics in the SpongeBob app:

  • Displaying ads that were not clearly labeled as such that included full-screen videos that did not have clear exit methods; 
  • Displaying ads that could not be stopped or dismissed until the player engaged with the ad or downloaded unnecessary apps;
  • Using unfair, deceptive, or other manipulative tactics to encourage excessive ad viewing by children and teens, as well as causing children and teens to inadvertently engage with ads or download additional apps; and
  • Displaying ads that were age-inappropriate (e.g., for a gambling app and a game about growing marijuana). 

Order

The proposed stipulated court order requires payment of a $500,000 civil penalty and subjects Tilting Point to a permanent injunction that includes the following key provisions:

  • COPPA. Comply with relevant provisions of COPPA related to the disclosure of children’s data in the SpongeBob app and all of its games directed to children (e.g., providing a direct notice to parents and obtaining verifiable parental consent).
  • CCPA. Comply with relevant provisions of the CCPA related to the sale or sharing of personal information of children under 16 (e.g., refrain from selling or sharing the personal information of consumers less than 13 years old without parental consent and refrain from selling or sharing the personal information of consumers at least 13 and less than 16 years old without the consumer’s affirmative opt-in consent, where Tilting Point has actual knowledge or willfully disregards the consumer’s age).
  • Neutral Age Screens. Use only neutral age screens that encourage children to enter their age accurately.
  • SDK Compliance. Implement and maintain an SDK governance program to review the use of SDKs in apps that are directed to children (including mixed audience apps) that collect personal information, including evaluating their configuration settings or controls and contracts, confirming and documenting measures to ensure the sale or sharing of personal information complies with the order. Tilting Point must annually assess compliance.
  • Data Minimization. Collect only what personal information is reasonably necessary for a child to participate in any online service directed to children or for consumers age 13 through 15 to participate in any activity or game. 
  • Advertising. Ensure that any ad displayed on any website or online service directed to children under age 13 complies with the following: (1) identifies the ad as an ad and not part of gameplay; (2) includes a prominent “X” or “Close” button to promptly close the ad in one click; (3) does not manipulate or deceive consumers into engaging with the ad or downloading or installing unnecessary apps, making unnecessary purchases, or providing unnecessary personal information; and (4) does not promote activities in which children cannot legally engage or products they cannot legally possess.

Takeaways

This case illustrates that state regulators are scrutinizing children’s privacy practices under COPPA and a growing body of state laws. The case also highlights that:

  • Regulators give little, if any, weight to statements in privacy policies or terms of service that children are not authorized to use a service in determining whether children’s privacy laws apply.
  • Age screens should be designed to operate neutrally (e.g., allowing individuals to freely enter month and year of birth).
  • Regulators expect businesses to confirm that third-party SDKs integrated into apps function as intended.
  • Regulators are increasingly focused on whether businesses are properly identifying promotional content to children as advertising, as reflected in the FTC’s staff report on so-called “stealth advertising” to kids, in addition to their broader focus on online child safety issues.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Janis Kestenbaum Janis Kestenbaum

Janis Kestenbaum is a partner in the Privacy & Security practice and Advertising, Marketing & Promotions industry group. Janis represents companies under investigation by the Federal Trade Commission (FTC), state attorneys general, congressional committees, and foreign data protection authorities regarding privacy, data security…

Janis Kestenbaum is a partner in the Privacy & Security practice and Advertising, Marketing & Promotions industry group. Janis represents companies under investigation by the Federal Trade Commission (FTC), state attorneys general, congressional committees, and foreign data protection authorities regarding privacy, data security, and consumer protection issues.