Suits alleging game apps spy on kids is call to action for privacy compliance
Legalities are tested as collection of personal data becomes a lucrative business
By Roger Yu, ThirdCertainty
Dora the Explorer turns out to be something of a spy. And that’s a problem for many parents in the digital age.
The long-reaching arm of online advertising for children is increasingly coming under legal assault as parents seek to limit what large media companies, like Disney and Viacom, can conduct in surreptitious audience monitoring.
Viacom, whose brands include Nickelodeon, the producer of Dora, SpongeBob and other popular children TV shows, is the latest media giant to be sued in class action by parents for allegedly inserting advertising software in children’s game apps without parental consent.
The legal action, filed on behalf of a San Francisco parent by two law firms—Lieff Cabraser and Carney Bates & Pulliam—follows similar lawsuits filed against the Walt Disney Co. and game app maker Kiloo, the Danish producer of the immensely popular game app Subway Surfers.
The complaint against Viacom also names Upsight and Unity, the ad tech companies that embedded software in Viacom’s child-focused Nickelodeon apps to allegedly track, collect and export the children’s personal information.
Third parties benefit
The complaint also alleges that this software captures children’s personal information along with information about their online behavior, which is then sold to third-party companies that track the children’s behavior across multiple apps and devices for subsequent ad targeting.
“Child data and privacy laws were enacted by Congress and individual states as critical protections for our children, to safeguard their security online, and to ensure they are not unwittingly exploited for financial gain,” says Michael Sobol, a Lieff Cabraser partner. “Viacom has a fundamental obligation to make sure their games and apps—especially Nickelodeon games and apps—comply with child data and child privacy law.”
The plaintiffs seek to legally compel Viacom and its partners to obtain verifiable parental consent before extracting kids’ data from their mobile devices when kids play Nickelodeon games.
Revenue stream threatened
Privacy protection lawsuits, like this one, represent an obstacle to the online revenue lifeline of large media companies looking to diversify beyond cable television, as well as game app producers that have relied on increasingly sophisticated digital advertising technology that can identify, track and analyze user behavior.
With so many free game apps now operating with user-tracking software, the plaintiffs’ victory could open a floodgate of other lawsuits by class-action attorneys that could unravel the ad-driven, free-app business model that has fueled the mobile gaming industry.
But these lawsuits also are unfolding in the political and regulatory realm under President Trump that seems to be tilting in favor of advertisers and their partners that enable such targeted advertising.
Earlier this year, President Trump signed a bill that quashed Obama-era rules that would have blocked internet service providers from selling customers’ data—such as their browsing history—to advertisers. Large ISPs, including AT&T, Comcast and Verizon, fought for the change, arguing that they are increasingly under competitive assault from internet ad giants like Google or Facebook.
Of course, the legal basis for ISPs and media companies is different. ISPs can pretend to be nothing more than a provider of “dumb pipes.” And with Trump’s signature, ISPs are now considered a “common carrier,” a designation that makes them more like a public utility and answerable only to the Federal Communications Commission. The federal agency that is responsible for protecting consumers, the Federal Trade Commission, no longer has enforcement jurisdiction over ISPs.
“ISPs are in a unique position. They can see virtually everything you do when you go online,” John M. Simpson, consumer advocate for Consumer Watchdog, told ThirdCertainty. Google, Facebook and other content or application providers “don’t see everything you do when you go online. ISPs do.”
Indeed, the large ISPs control the intersection and traffic of all parties involved in online advertising. And the underlying issue is similar—a corporate entity’s right to collect consumers’ online behavior data and sell it to advertisers and their ad networks that are willing to pay a premium for targeted groups.
Components of the judgments that will be rendered in the lawsuits against Disney and Viacom likely will surely resurface and be mentioned in future legal fights to curb ISPs’ actions in tracking their users. Besides, ISPs also are increasingly morphing into content producers—as witnessed by AT&T’s $48.5 billion acquisition of DirecTV—and the distinction between ISPs and media companies are more difficult to delineate.
ISPs gain tracking power
“A vast storehouse of consumer data is now being added to the trove of … online information already gathered by cable and telephone ISPs,” the Center for Digital Democracy said in a report last year. “ISPs have made partnerships with powerful data brokers, giving them insights into our online and offline behaviors.”
The rule change for ISPs could result in “further overreach by ISPs,” Simpson said. It “opens doors to all kinds of abuses that shouldn’t happen, the kind of profiling that will be done.”
In the Viacom case, the plaintiffs, led by Amanda Rushing and her child, “L.L,” both of San Francisco, allege that their personally identifying information was extracted by Viacom and its partners for commercial exploitation in direct violation of the federal Children’s Online Privacy Protection Act (COPPA). Data analytics firms Upsight and mobile app developer Unity Technologies also were named as defendants.
COPPA applies to any company that operates an online service or commercial website that attracts children and collects information about users. The law, enacted in 1998, also says website or app publishers can be held liable for the privacy-violation acts of third parties whose software is embedded into their apps or websites.
Child privacy rules clear
COPPA requires app/website developers for children to issue their privacy notice in clear language and include an explanation of data collection practices. They must inform parents what information is being collected and how collected data will be used. They also have to disclose the third parties involved and provide instructions on how to submit parental consent or disallow further data collection.
L.L. was under the age of 13 while using the gaming app Llama Spit Spit, which is based on Nickelodeon’s TV show, “Game Shakers.” Viacom’s partners provided their tracking software code “to secretly collect an app user’s personal information and track online behavior,” according to the lawsuit.
Other Viacom apps cited in the lawsuit include PAW Patrol Pups to the Rescue, Teenage Mutant Ninja Turtles: Portal Power, SpongeBob Bubble Party and Dora Appisode: Perrito’s Big Surprise.
Data collection dives deep
The Viacom app can specifically obtain critical data from mobile devices, including “persistent identifiers,” a unique number linked to a specific device. These identifiers allow the software developers to detect a child’s location and activity across multiple apps and platforms. The collected information is then sold to third parties who sell targeted online advertising.
“Viacom has failed to safeguard children’s personal information and ensure that third-parties’ collection of data from children is lawful,” the lawsuit said.
The plaintiffs’ case could be supported by a 2016 settlement by Viacom with the New York attorney general following his two-year investigation of Viacom, toy companies Mattel, Hasbro and educational media company Jumpstart. The attorney general concluded that the companies violated COPPA by running websites that included tracking technology that “illegally enabled third-party vendors, such as marketers or advertising companies, to track children’s online activity.”
Viacom in violation in past
Viacom agreed to pay a $500,000 fine in its settlement with the New York attorney general and agreed to undergo “comprehensive reforms.”
Still, the lawsuits against and Disney and Viacom also could prove to be a legal test of COPPA’s strength as a federal consumer protection rule.
“Many companies in the mobile gaming industry have written COPPA off as an empty threat due to minimal enforcement by the Federal Trade Commission,” gaming industry veteran Roy Smith wrote on gaming blog Gamasutra.
Meanwhile, app publishers, ISPs and other companies dependent on selling and marketing users’ data could be heading right into “the Privacy Tsunami,” Smith says.
EU tightens privacy rules
The European Union plans to crack down on data breaches by starting enforcement on a privacy law it adopted last year, called the General Data Protection Regulation. The rule, applied to data collectors and their data processor partners that operate in the EU, proposes to fine breaching companies up to 4 percent of their annual global sales or €20 million, whichever is greater.
The European Union also is considering another regulation that aims to update the EU’s existing electronic privacy legal framework, including requiring consent for installing cookies.
The changes are “going to deeply affect mobile gaming in numerous ways—user acquisition, monetization methods, CPMs (cost per million impressions), in app revenues, and retention,” Smith wrote. “Because these risks are augmented by data flowing downstream via third-party advertising and analytics partners integrated into almost every app, it will affect the entire mobile ecosystem, not just publishers.”
More stories related to privacy:
Suit filed against Disney may be a new way to sue for privacy invasion
‘Pokemon No’—Mobile apps put personal information at risk
How to talk to your kids about malware