
California Attorney General and Los Angeles District Attorney Announce CCPA/COPPA Enforcement Actions Against Mobile App Game Makers

On June 18, the Attorney General of California (“AG”) and the City Attorney of Los Angeles announced a settlement with Tilting Point Media, the maker of a mobile app game called “SpongeBob: Krusty Cook-Off,” resolving allegations that Tilting Point violated the California Consumer Privacy Act (CCPA) and the Children’s Online Privacy Protection Act (COPPA) by collecting and sharing children’s data without obtaining the required parental consent (for users under 13) or express consent (for users between 13 and 16). Under the terms of the settlement, Tilting Point must pay a $500,000 fine and comply with a series of cease-and-desist orders, including complying with the CCPA and COPPA, appropriately using age verification, and implementing processes to ensure data minimization and proper use of software development kits (SDKs).

The Tilting Point settlement is the third CCPA enforcement action by the California Attorney General, following the DoorDash settlement in February 2024 and the Sephora settlement in August 2022. The Tilting Point settlement is the first of the three enforcement actions to focus specifically on children’s data, suggesting that this may be an area of increasing enforcement priority for the California Attorney General. Companies that handle children’s data should be careful to ensure they collect and use that data in a manner that complies with legal requirements such as those under COPPA and CCPA – and should keep in mind that CCPA provides increased protections not only for children under 13 (as under COPPA), but also for children between the ages of 13 and 16.

In this post, we discuss the key takeaways from the Tilting Point Agreement. To stay up to date on the latest developments in California privacy law and children’s privacy protections, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

KEY TAKEAWAYS

Key conclusions from the Tilting Point settlement (including the complaint and proposed final judgment) include:

1. Consent and authorization to process children’s data. The key conclusion from the Tilting Point settlement is that companies that process data from children (including those aged 16 and under) must ensure they do so with the appropriate consents and permissions. This includes parental consent (for users under 13, as required under COPPA and CCPA) and explicit opt-in permission (for users between 13 and 16, as required under CCPA).

2. Configuration and governance of SDKs. Tilting Point’s misuse of third-party SDKs resulted in many data usage practices that the California Attorney General later determined violated CCPA and COPPA. (Recall that SDKs are bundles of software development tools that help develop applications for specific platforms, operating systems, and programming languages.) Essentially, Tilting Point failed to properly configure or install its SDKs, resulting in the SpongeBob app collecting, sharing, and selling users’ personal information without parental consent or explicit opt-in authorization, even when they identified themselves as under 16 years of age. Tilting Point also lacked appropriate processes to audit the configuration of its SDKs and ensure their compliance with relevant legal requirements.

The cease-and-desist agreement requires Tilting Point to implement an “SDK governance framework” to ensure that future use of SDKs complies with its legal obligations. Companies that collect data from children and use SDKs would be well advised to take the California Attorney General’s SDK governance framework requirements as a model. These requirements include:

  • Identifying each SDK (including its provider) used in an app directed to children that collects personal data;
  • Describing the intended use of each SDK;
  • Evaluating the configuration settings of each SDK regarding the collection, use, and disclosure of personal information;
  • Reviewing contracts for SDKs that collect personal data from children; and
  • Documenting the measures taken to ensure that SDKs that collect personal data from children comply with relevant legal requirements.

3. Privacy Policy Disclosure. This settlement should again remind companies of the importance of ensuring that their privacy policies—particularly regarding the sharing and sale of personal information—are sufficiently detailed. In this case, the California Attorney General alleged that Tilting Point’s privacy policy was “ambiguous and incomplete with respect to the use of personal information for targeted and behavioral advertising” and “failed to adequately disclose the collection, sale, or sharing of consumers’ personal information, particularly children’s information, or the use and purpose of SDKs.” The importance of disclosing SDK use in privacy policies is further emphasized, particularly in the terms of the settlement’s preliminary injunction, which require Tilting Point to disclose information including “identification of the SDK categories, identification of the categories of PERSONAL INFORMATION SOLD or SHARED through SDKs, and the business or commercial purpose of SELLING or SHARING the PERSONAL INFORMATION.” The agreement with Tilting Point therefore shows that companies that use SDKs should be careful to disclose this use in their privacy policies.

4. Neutral age screens. The California Attorney General challenged the “age filters” Tilting Point used to determine which users of the SpongeBob app were under 16 years old. He alleged that Tilting Point “used a non-neutral age filter that did not prompt users to correctly enter their age and defaulted to higher ages.” Companies that use age filters to meet their obligations under children’s privacy laws can look to the preliminary injunction terms of this settlement for general guidance on how to design a “neutral” age filter. For example, the California Attorney General found that such age filters:

(1) must ask for age in a neutral way, i.e., must not default to a fixed age of 16 or above or encourage users to falsify their age; (2) must not imply that certain features are not available to users who identify themselves as younger than 16; and (3) must provide a CLEAR AND PROMINENT indication in the age query that the age entered must match that of the user (i.e., refers to the player and not the owner of the phone) and is collected to ensure age-appropriate data usage and advertising.

5. Data minimization. The Tilting Point settlement makes it clear that companies that do process children’s data should minimize the collection of such data as much as possible. For example, the injunctions prohibit Tilting Point from “COLLECTING more PERSONAL INFORMATION than is necessary for a (user under 16 years of age) to participate in an activity or game.” This issue of data minimization has recently gained prominence in the state data privacy landscape, such as the recently enacted Maryland Online Data Privacy Act, which requires data controllers to limit their collection of personal information to “what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.”