Suits alleging game apps spy on kids is call to action for privacy compliance

Legalities are tested as collection of personal data becomes a lucrative business

Dora the Explor­er turns out to be some­thing of a spy. And that’s a prob­lem for many par­ents in the dig­i­tal age.

The long-reaching arm of online advertising for children is increasingly coming under legal assault as parents seek to limit the surreptitious audience monitoring that large media companies, like Disney and Viacom, can conduct.

Viacom, whose brands include Nickelodeon, the producer of Dora, SpongeBob and other popular children’s TV shows, is the latest media giant to be sued in a class action by parents for allegedly inserting advertising software in children’s game apps without parental consent.

The legal action, filed on behalf of a San Fran­cis­co par­ent by two law firms—Lieff Cabras­er and Car­ney Bates & Pulliam—follows sim­i­lar law­suits filed against the Walt Dis­ney Co. and game app mak­er Kiloo, the Dan­ish pro­duc­er of the immense­ly pop­u­lar game app Sub­way Surfers.

The com­plaint against Via­com also names Upsight and Uni­ty, the ad tech com­pa­nies that embed­ded soft­ware in Viacom’s child-focused Nick­elodeon apps to alleged­ly track, col­lect and export the children’s per­son­al information.

Third par­ties benefit

The com­plaint also alleges that this soft­ware cap­tures children’s per­son­al infor­ma­tion along with infor­ma­tion about their online behav­ior, which is then sold to third-par­ty com­pa­nies that track the children’s behav­ior across mul­ti­ple apps and devices for sub­se­quent ad targeting.

“Child data and privacy laws were enacted by Congress and individual states as critical protections for our children, to safeguard their security online, and to ensure they are not unwittingly exploited for financial gain,” says Michael Sobol, a Lieff Cabraser partner. “Viacom has a fundamental obligation to make sure their games and apps—especially Nickelodeon games and apps—comply with child data and child privacy law.”

The plain­tiffs seek to legal­ly com­pel Via­com and its part­ners to obtain ver­i­fi­able parental con­sent before extract­ing kids’ data from their mobile devices when kids play Nick­elodeon games.

Rev­enue stream threatened

Pri­va­cy pro­tec­tion law­suits, like this one, rep­re­sent an obsta­cle to the online rev­enue life­line of large media com­pa­nies look­ing to diver­si­fy beyond cable tele­vi­sion, as well as game app pro­duc­ers that have relied on increas­ing­ly sophis­ti­cat­ed dig­i­tal adver­tis­ing tech­nol­o­gy that can iden­ti­fy, track and ana­lyze user behavior.

With so many free game apps now oper­at­ing with user-track­ing soft­ware, the plain­tiffs’ vic­to­ry could open a flood­gate of oth­er law­suits by class-action attor­neys that could unrav­el the ad-dri­ven, free-app busi­ness mod­el that has fueled the mobile gam­ing industry.

But these lawsuits also are unfolding in a political and regulatory realm under President Trump that seems to be tilting in favor of advertisers and the partners that enable such targeted advertising.

Ear­li­er this year, Pres­i­dent Trump signed a bill that quashed Oba­ma-era rules that would have blocked inter­net ser­vice providers from sell­ing cus­tomers’ data—such as their brows­ing history—to adver­tis­ers. Large ISPs, includ­ing AT&T, Com­cast and Ver­i­zon, fought for the change, argu­ing that they are increas­ing­ly under com­pet­i­tive assault from inter­net ad giants like Google or Facebook.

ISPs reclas­si­fied

Of course, the legal basis for ISPs and media com­pa­nies is dif­fer­ent. ISPs can pre­tend to be noth­ing more than a provider of “dumb pipes.” And with Trump’s sig­na­ture, ISPs are now con­sid­ered a “com­mon car­ri­er,” a des­ig­na­tion that makes them more like a pub­lic util­i­ty and answer­able only to the Fed­er­al Com­mu­ni­ca­tions Com­mis­sion. The fed­er­al agency that is respon­si­ble for pro­tect­ing con­sumers, the Fed­er­al Trade Com­mis­sion, no longer has enforce­ment juris­dic­tion over ISPs.

“ISPs are in a unique position. They can see virtually everything you do when you go online,” John M. Simpson, consumer advocate for Consumer Watchdog, told ThirdCertainty. Google, Facebook and other content or application providers “don’t see everything you do when you go online. ISPs do.”

Indeed, the large ISPs con­trol the inter­sec­tion and traf­fic of all par­ties involved in online adver­tis­ing. And the under­ly­ing issue is similar—a cor­po­rate entity’s right to col­lect con­sumers’ online behav­ior data and sell it to adver­tis­ers and their ad net­works that are will­ing to pay a pre­mi­um for tar­get­ed groups.

Components of the judgments that will be rendered in the lawsuits against Disney and Viacom likely will resurface and be mentioned in future legal fights to curb ISPs’ actions in tracking their users. Besides, ISPs also are increasingly morphing into content producers—as witnessed by AT&T’s $48.5 billion acquisition of DirecTV—and the distinction between ISPs and media companies is more difficult to delineate.

ISPs gain track­ing power

“A vast storehouse of consumer data is now being added to the trove of … online information already gathered by cable and telephone ISPs,” the Center for Digital Democracy said in a report last year. “ISPs have made partnerships with powerful data brokers, giving them insights into our online and offline behaviors.”

The rule change for ISPs could result in “fur­ther over­reach by ISPs,” Simp­son said. It “opens doors to all kinds of abus­es that shouldn’t hap­pen, the kind of pro­fil­ing that will be done.”

In the Viacom case, the plaintiffs, led by Amanda Rushing and her child, “L.L.,” both of San Francisco, allege that their personally identifying information was extracted by Viacom and its partners for commercial exploitation in direct violation of the federal Children’s Online Privacy Protection Act (COPPA). Data analytics firm Upsight and mobile app developer Unity Technologies also were named as defendants.

COPPA applies to any com­pa­ny that oper­ates an online ser­vice or com­mer­cial web­site that attracts chil­dren and col­lects infor­ma­tion about users. The law, enact­ed in 1998, also says web­site or app pub­lish­ers can be held liable for the pri­va­cy-vio­la­tion acts of third par­ties whose soft­ware is embed­ded into their apps or websites.

Child pri­va­cy rules clear

COPPA requires app/website devel­op­ers for chil­dren to issue their pri­va­cy notice in clear lan­guage and include an expla­na­tion of data col­lec­tion prac­tices. They must inform par­ents what infor­ma­tion is being col­lect­ed and how col­lect­ed data will be used. They also have to dis­close the third par­ties involved and pro­vide instruc­tions on how to sub­mit parental con­sent or dis­al­low fur­ther data collection.

L.L. was under the age of 13 while using the gam­ing app Lla­ma Spit Spit, which is based on Nickelodeon’s TV show, “Game Shak­ers.” Viacom’s part­ners pro­vid­ed their track­ing soft­ware code “to secret­ly col­lect an app user’s per­son­al infor­ma­tion and track online behav­ior,” accord­ing to the lawsuit.

Oth­er Via­com apps cit­ed in the law­suit include PAW Patrol Pups to the Res­cue, Teenage Mutant Nin­ja Tur­tles: Por­tal Pow­er, Sponge­Bob Bub­ble Par­ty and Dora Appisode: Perrito’s Big Surprise.

Data col­lec­tion dives deep

The Via­com app can specif­i­cal­ly obtain crit­i­cal data from mobile devices, includ­ing “per­sis­tent iden­ti­fiers,” a unique num­ber linked to a spe­cif­ic device. These iden­ti­fiers allow the soft­ware devel­op­ers to detect a child’s loca­tion and activ­i­ty across mul­ti­ple apps and plat­forms. The col­lect­ed infor­ma­tion is then sold to third par­ties who sell tar­get­ed online advertising.

“Viacom has failed to safeguard children’s personal information and ensure that third-parties’ collection of data from children is lawful,” the lawsuit said.

The plaintiffs’ case could be supported by a 2016 settlement by Viacom with the New York attorney general following his two-year investigation of Viacom, toy companies Mattel and Hasbro, and educational media company Jumpstart. The attorney general concluded that the companies violated COPPA by running websites that included tracking technology that “illegally enabled third-party vendors, such as marketers or advertising companies, to track children’s online activity.”

Via­com in vio­la­tion in past

Via­com agreed to pay a $500,000 fine in its set­tle­ment with the New York attor­ney gen­er­al and agreed to under­go “com­pre­hen­sive reforms.”

Still, the lawsuits against Disney and Viacom also could prove to be a legal test of COPPA’s strength as a federal consumer protection rule.

“Many companies in the mobile gaming industry have written COPPA off as an empty threat due to minimal enforcement by the Federal Trade Commission,” gaming industry veteran Roy Smith wrote on gaming blog Gamasutra.

Mean­while, app pub­lish­ers, ISPs and oth­er com­pa­nies depen­dent on sell­ing and mar­ket­ing users’ data could be head­ing right into “the Pri­va­cy Tsuna­mi,” Smith says.

EU tight­ens pri­va­cy rules

The Euro­pean Union plans to crack down on data breach­es by start­ing enforce­ment on a pri­va­cy law it adopt­ed last year, called the Gen­er­al Data Pro­tec­tion Reg­u­la­tion. The rule, applied to data col­lec­tors and their data proces­sor part­ners that oper­ate in the EU, pro­pos­es to fine breach­ing com­pa­nies up to 4 per­cent of their annu­al glob­al sales or €20 mil­lion, whichev­er is greater.

The Euro­pean Union also is con­sid­er­ing anoth­er reg­u­la­tion that aims to update the EU’s exist­ing elec­tron­ic pri­va­cy legal frame­work, includ­ing requir­ing con­sent for installing cookies.

The changes are “going to deeply affect mobile gam­ing in numer­ous ways—user acqui­si­tion, mon­e­ti­za­tion meth­ods, CPMs (cost per mil­lion impres­sions), in app rev­enues, and reten­tion,” Smith wrote. “Because these risks are aug­ment­ed by data flow­ing down­stream via third-par­ty adver­tis­ing and ana­lyt­ics part­ners inte­grat­ed into almost every app, it will affect the entire mobile ecosys­tem, not just publishers.”
