Class complaints – [DEFENDANT] allegedly collected, used, and shared personal information of children without notice to, or consent of, parents. The information was allegedly collected by advertising and analytics SDKs implemented in child directed gaming apps. Plaintiffs claimed [DEFENDANT] did not implement a mechanism for obtaining verifiable parental consent, and the SDKs never checked if verifiable parental consent had been obtained
Rushing v. Viacom (N.D. CA; 3:17-cv-04492)
App: Llama Spit Spit
SDKs: Upsight, Unity Technologies
Claims: Intrusion Upon Seclusion, California Constitutional Right to Privacy
Rushing v. Disney (N.D. CA; 3:17-cv-04419)
App: Princess Palace Pets
SDKs: Upsight, Unity Technologies, Kochava
Claims: Intrusion Upon Seclusion, California Constitutional Right to Privacy
McDonald v. Kiloo APS (N.D. CA; 3:17-cv-04344)
App: Subway Surfers
SDKs: AdColony, Chartboost, Flurry, InMobi, ironSource, Tapjoy, Vungle
Claims: Intrusion Upon Seclusion, California Constitutional Right to Privacy, N.Y. Gen. Bus. Law §349 (deceptive acts and practices)
jbho: another reminder to make sure you know what your apps are doing. Technological ignorance is no excuse.
Interesting here are the theories of liability. Although COPPA is the centerpoint of the actions, the lack of a private right of action means plaintiffs must get creative in their pleadings. Using the COPPA Rule’s definition will help broaden the types of information deemed ‘personal.’ Per 16 CFR §312.2:
“Personal information means individually identifiable information about an individual collected online, including:
(1) A first and last name;
(2) A home or other physical address including street name and name of a city or town;
(3) Online contact information as defined in this section;
(4) A screen or user name where it functions in the same manner as online contact information, as defined in this section;
(5) A telephone number;
(6) A Social Security number;
(7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
(8) A photograph, video, or audio file where such file contains a child’s image or voice;
(9) Geolocation information sufficient to identify street name and name of a city or town; or
(10) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.” (emphasis added)
Note that all three complaints were filed by the same attorneys from LIEFF CABRASER HEIMANN & BERNSTEIN, LLP and CARNEY BATES & PULLIAM, PLLC
More: ECPA/Wiretap cases
VIDEO: Know Your SDK
