California AG and Los Angeles City Attorney Announce CCPA/COPPA Enforcement Action Against Mobile App Game Maker

Blog WilmerHale Privacy and Cybersecurity Law

On June 18, the California Attorney General (“AG”) and Los Angeles City Attorney announced a settlement with Tilting Point Media, the maker of a mobile app game called “SpongeBob: Krusty Cook-Off,” resolving allegations that Tilting Point violated the California Consumer Privacy Act (CCPA) and Children’s Online Privacy Protection Act (COPPA) by collecting and sharing children’s data without obtaining required parental consent (for users under the age of 13) or affirmative opt-in consent (for users between the ages of 13 and 16). Under the terms of the settlement, Tilting Point must pay a penalty of $500,000 and comply with a host of injunctive terms, including compliance with the CCPA and COPPA, appropriate use of age screens, and implementation of processes to ensure data minimization and the proper use of software development kits (SDKs).

The Tilting Point settlement is the California AG’s third CCPA enforcement action to date, following its February 2024 settlement with DoorDash and August 2022 settlement with Sephora. Notably, the Tilting Point settlement is the first of the three enforcement actions to focus specifically on children’s data, suggesting that this may be an area of growing enforcement priority for the California AG. Businesses that handle children’s data should take care to ensure that they are collecting and using that data in a manner compliant with legal requirements such as those imposed by COPPA and the CCPA — and should bear in mind that the CCPA imposes heightened protections not just for children under the age of 13 (as under COPPA), but also for children between the ages of 13 and 16.

In this post, we discuss key takeaways from the Tilting Point settlement. To stay up to date on the latest California and children’s privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

KEY TAKEAWAYS

Key takeaways from the Tilting Point settlement (including the complaint and proposed final judgment) include the following:

1. Consent and Authorization for Processing of Children’s Data. The critical takeaway from the Tilting Point settlement is that companies processing children’s data (to include individuals up to age 16) must ensure that they are doing so with the appropriate consents and authorizations. This includes parental consents (for users under the age of 13, as required under COPPA and the CCPA), as well as affirmative opt-in authorization (for users between the ages of 13 and 16, as required under the CCPA). 

2. Configuration and Governance of SDKs. Tilting Point’s misuse of third-party SDKs resulted in many of the data-use practices that the California AG subsequently found violative of the CCPA and COPPA. (As a reminder, SDKs are bundles of software development tools that aid in the development of applications for specific platforms, operating systems, and programming languages.) Essentially, Tilting Point failed to correctly configure or install its SDKs, which led to the SpongeBob app collecting, sharing, and selling the personal information of users without parental consent or affirmative opt-in authorization, even when they had self-identified as being under the age of 16. Tilting Point also lacked appropriate processes to audit its configuration of SDKs and ensure their compliance with relevant legal requirements.

The injunctive terms of the settlement require that Tilting Point implement an “SDK governance framework” to ensure that its future use of SDKs satisfies its legal obligations. Companies that collect children’s data and use SDKs would be well-advised to look to the SDK governance framework requirements articulated by the California AG as a model. Those requirements include:

  • Identifying each SDK (including its provider) used in an app that is directed to children and collects personal information;
  • Describing the purpose for which each SDK is used; 
  • Evaluating the configuration settings of each SDK regarding collection, use, and disclosure of personal information; 
  • Evaluating the contracts governing SDKs that collect children’s personal information; and
  • Documenting measures taken to ensure that SDKs that collect children’s personal information comply with relevant legal requirements.

3. Privacy Policy Disclosures. This settlement should serve as yet another reminder to businesses of the importance of ensuring that their privacy policy disclosures — particularly with regard to the sharing and sale of personal information — are sufficiently detailed. In this case, the California AG alleged that Tilting Point’s privacy policy “was ambiguous and incomplete regarding the use of personal information for targeted and behavioral advertising” and “insufficiently disclosed the collection, sale, or sharing of consumer’s personal information, particularly children’s data, or the use and purpose of SDKs.” The importance of disclosing SDK use in privacy policies, in particular, is further highlighted in the settlement’s injunctive terms, which require Tilting Point to disclose information including “identification of the categories of SDKs, identification of the categories of PERSONAL INFORMATION SOLD or SHARED through SDKs, and the business or commercial purpose for SELLING or SHARING the PERSONAL INFORMATION.” The Tilting Point settlement thus indicates that businesses using SDKs should take care to disclose that use in their privacy policies.

4. Neutral Age Screens. The California AG took issue with the “age screens” that Tilting Point used to determine which of the SpongeBob app’s users were under age 16, alleging that Tilting Point used “a non-neutral age screen [that] failed to encourage users to enter their age accurately and defaulted to older ages.” Companies that use age screens to comply with their obligations under children’s privacy laws can look to this settlement’s injunctive terms for general guidance on how to design a “neutral” age screen, with the California AG asserting, for instance, that such age screens should:

(1) ask age information in a neutral manner that does not default to a set age of 16 or above or encourage users to falsify age information; (2) not suggest that certain features will not be available for users who identify as younger than 16 years old; and (3) provide CLEAR AND CONSPICUOUS notice as part of the age screen that the age entered should be accurate to the user (i.e. relating to the player, not the phone’s owner) and is collected to ensure data use and advertising is appropriate for the user’s age.

5. Data Minimization. The Tilting Point settlement makes clear that, if businesses do process children’s data, they should minimize their collection of such data to the extent possible. The injunctive terms, for instance, prohibit Tilting Point from “COLLECTING more PERSONAL INFORMATION than reasonably necessary for a [user under the age of 16] to participate in any activity or game.” This theme of data minimization is one that has gained increasing traction in the state privacy law landscape as of late, such as in the recently enacted Maryland Online Data Privacy Act, which requires that data controllers limit their collection of personal data to “what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.” 
