Privacy

‘Tiny’ COPPA Case Provides Broad Guidance

Published: May. 08, 2020

Last Updated: Oct. 05, 2020

At the end of April, the U.S. District Court in New Mexico dismissed most, but not all, of the New Mexico Attorney General’s claims against a group of Ad Networks and Google for violations of the federal Children’s Online Privacy Protection Act (“COPPA”) and New Mexico’s Unfair Practices Act (“UPA”). Although the decision was a major win for the Ad Network defendants in the case, companies involved in mobile gaming apps should still proceed with caution when collecting information from children. 

COPPA prohibits websites, online services directed to children, “or any operator that has actual knowledge that it is collecting personal information from a child” from collecting personal information from a child in a manner that violates FTC regulations. 15 U.S.C. § 6502(a)(1). The FTC’s COPPA Rule states that unless there is an exception, an operator must provide notice and obtain “verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children.” 16 C.F.R. §§ 312.3(b), 312.4(a). App developers whose content is directed to children are held strictly liable if personal information is collected from children using their apps in a manner that violates the FTC’s COPPA Rule requiring notice and verifiable parental consent. Ad networks, however, must have “actual knowledge” that the apps in which their software development kits (“SDKs”) are embedded are directed to children in order to be held liable. 

The New Mexico Attorney General brought claims against mobile game app developer Tiny Lab Productions (“Tiny Lab”), a group of Ad Networks who sold their SDKs to Tiny Lab for use in its gaming apps, Google’s ad network Google/AdMob, and Google LLC as the operator of the Google Play Store based on allegations that ad network SDKs installed as Tiny Lab game app components collected children’s personal information and tracked children’s online behavior to profile the children for targeted advertising in violation of COPPA and the UPA. Upon motions to dismiss, the court dismissed all claims against the Ad Network Defendants, but only granted Google’s separate motion to dismiss in part. In doing so, the court provided the following guidance: 

A court may reasonably infer that a party has actual knowledge that an app is directed to children from the taking of affirmative steps to review the qualities of apps to determine if they are child-directed, but the automated exchange of data between an SDK and its server, without more, is not enough to infer actual knowledge. 

  • Actual knowledge can be inferred when a party conducts a qualitative review of an app to determine if the app is child-directed. 
    • Google conducted multiple reviews of Tiny Lab apps, investigating the qualities of apps—both when the app was submitted to its “Designated for Families” program and when researchers flagged Tiny Lab’s apps as potentially listed to mixed audiences instead of to children. These actions, in conjunction with the presence of several factors identified in the COPPA Rule that the app is directed to children, indicated actual knowledge. 
  • But the automated exchange of information between SDKs and their servers, without more, is insufficient to establish actual knowledge of the collection of personal information from children. 
    • Because the service of an ad is automated and instantaneous, the court found the complaint did not demonstrate that the Ad Networks had actual knowledge of the identity of the Tiny Lab app user to whom the ad was served. The court specifically emphasized the lack of human decision making involved in the ad service process. 
    • Even if automated transmission could be sufficient evidence of actual knowledge, information such as the app developer name and name of the app are not enough to provide even constructive notice to the Ad Network of the child-directed nature of an app, much less actual knowledge.
  • But proceed with caution: While the most common functions of Ad Network SDKs are automated, other parts of the business operations may give a company greater insight, and therefore greater knowledge into the user base for a specific app. It is unlikely that a court would turn a blind eye to any factual allegations of broader knowledge and uphold any bright line rule that SDKs do not obtain that same level of knowledge about an app’s users. The court suggests that while automated receipt of information about an app cannot generate actual knowledge, familiarity with the actual application and knowledge about factors the FTC considers could give rise to actual knowledge. 

Arguments that persistent identifiers and other data alleged to be collected fall within the “operations exception” to COPPA missed the mark.

  • The court was not persuaded that data alleged to be collected (persistent identifiers, GPS, and other personal information) falls within the internal operations exception to COPPA as necessary to facilitate contextual advertising. Instead, the court predicted that, if proven, allegations of the collection of this type of information from Tiny Lab users would require parental consent. 

Attempting to contract one’s way out of COPPA compliance through TOS representations does not negate independent duties under COPPA.

  • The court rejected Google’s arguments that it could rely on contractual promises of app developers to obtain parental notice and consent when required by COPPA. In doing so, the court made clear that contractual language to comply with COPPA does not negate any independent duties. 

Free apps do not fall within UPA’s scope of unfair or deceptive trade practices claims.

  • Users of free apps have not purchased, leased, rented, or borrowed anything in connection with their use of the apps. These users therefore cannot meet this element of a UPA claim, even if use of an app involves a license of technology. Unfair and deceptive trade practice claims do not encompass claimants who did not actually purchase anything.

Whether the conduct at issue establishes an intrusion upon seclusion claim is a question for the jury. 

  • The court pointed to precedent from the Northern District of California and allowed Plaintiffs to proceed on claims that collection of persistent identifiers constitutes highly offensive conduct, noting the context-specific nature of the privacy inquiry and that social norms on privacy are not static.