California AG Announces $500,000 Settlement with Mobile Game App Company for Unlawful Collection and Sharing of Children’s Data

Alston & Bird

On June 18, 2024, California Attorney General (“AG”) Rob Bonta and Los Angeles City Attorney Hydee Feldstein Soto announced a settlement with a video game developer and publisher regarding allegations that the company violated the California Consumer Privacy Act (the “CCPA”), the federal Children’s Online Privacy Protection Act (“COPPA”) and California’s Unfair Competition Law (the “UCL”). The settlement requires the company to pay $500,000, implement certain privacy practices for the protection of children, and provide annual reports under regulatory monitoring for 3 years. This case marks the third public CCPA enforcement action by the California AG to date, following his prior settlements in August 2022 and February 2024.

Background

The company operates mobile applications for consumers of various ages, including a mobile app game featuring a popular children’s cartoon character (the “Mobile App Game”). The company provided in its terms of service and privacy policy that consumers under 13 years of age were not permitted to use the company’s services. However, in its complaint, AG Bonta alleged that the company directed its Mobile App Game to children and was aware that children used the Mobile App Game.

In September 2022, the Children’s Advertising Review Unit (“CARU”) of BBB National Programs found that the company’s processing of children’s personal data with the Mobile App Game violated COPPA and CARU’s Self-Regulatory Guidelines for Advertising for Children’s Online Privacy Protection. Following CARU’s investigation, AG Bonta and City Attorney Feldstein investigated the company and found CCPA, COPPA, and UCL violations, alleging multiple deficiencies including the following:

  • The company did not use a neutral age screen when it set the default birth year to 1953, failing to encourage users to enter their age accurately. Users under 13 years of age would have needed to scroll through more than 50 years to select their accurate birth year.
  • The company sold or shared children’s personal data without obtaining parental or opt-in consent. For instance, the company disclosed children’s personal data to third parties for advertising purposes without obtaining parental consent for children under 13 years of age or opt-in consent from children at least 13 but under 16 years of age.
  • The company incorrectly configured or installed third-party software development kits (“SDKs”) on its Mobile App Game and failed to effectively review or audit the configurations, even after receiving CARU’s investigation and report. As a result, the company permitted certain SDKs to process personal data of consumers who self-identified as under 16 years of age for targeted or behavioral advertising without the required consent.
  • The company’s privacy policy was ambiguous and incomplete regarding the use of personal data for targeted and behavioral advertising. For instance, the privacy policy did not (i) state that the company sold or shared personal data through the Mobile App Game, including for advertising, as required by the CCPA or (ii) disclose the collection, sale, or sharing of children’s personal data or the use and purpose of SDKs sufficiently to allow children and parents to understand such processing and exercise their CCPA privacy rights.
  • The company provided ads that were not clearly labeled as advertising, did not provide clear exit methods, and displayed ads that were not age-appropriate for children, such as ads for a gambling app and a game about growing marijuana.

The Settlement

The settlement requires the company to comply with the CCPA, COPPA, and the California Online Privacy Protection Act. In addition, the company must pay $500,000 and take certain corrective actions, including:

  • Designing the age-screening mechanism implemented by the company to ask for a consumer’s age in a neutral manner.
  • Specifying in its privacy policy its practices for the collection, use, selling, and sharing of personal data of consumers who are less than 16 years of age in compliance with the CCPA and the California Online Privacy Protection Act.
  • Disclosing in its privacy policy its practices regarding its use of SDKs, including identifying the categories of SDKs and the categories of personal data sold or shared through the SDKs.
  • Obtaining parental or consumer consent, as required, before selling or sharing children’s personal data.
  • Implementing an SDK governance framework to assess its use of SDKs that collect children’s personal data, including identifying its inventory of SDKs, evaluating the configuration settings for each SDK, reviewing the contracts governing the SDKs, documenting the measures taken by the company to ensure compliance with applicable law and the settlement, training at least annually relevant personnel on data minimization and the configuration and use of SDKs, and assessing at least annually its data minimization practices and SDK governance framework.
  • Evaluating the company’s advertising to children.
  • Implementing a program to assess and monitor its online services that are directed to children and collect children’s personal data, and, for 3 years, annually reporting the review and assessment results to the California Department of Justice and Los Angeles City Attorney’s Office.

Key Takeaways

The settlement highlights enforcement risk arising from the processing of children’s personal data. Businesses that process personal data of children under the age of 16 should consider taking the following steps to mitigate the risk of privacy investigations:

  • Age Screens. Design an age-screening mechanism that is neutral and encourages consumers, particularly children, to accurately report their age.
  • Privacy Disclosures. Review privacy policies for compliance with laws relating to the processing of children’s personal data and clear disclosures on the processing of children’s personal data, including the collection, sale, and sharing of children’s personal data and the use and purpose of SDKs.
  • Prior Consent. Implement mechanisms to obtain opt-in consent from children between the ages of 13 and 16 under the CCPA and parental consent for children under the age of 13 under the CCPA and COPPA.
  • SDK Governance. Establish a program that governs and monitors the use of third-party SDKs and adopt processes for compliance with CCPA, COPPA and other laws relating to the processing of children’s personal data, including contractual restrictions and audits.
  • Advertisements. Evaluate advertisements for age-appropriate content and format. For example, ads to children should be subject-matter appropriate for children, clearly indicate that they are ads, and provide children the choice to not engage with such ads without a penalty, for instance, by allowing children to use a service without engaging with the ads.
  • Regular Assessments & Inspections. Regularly inspect the effectiveness of privacy programs from administrative and technical perspectives, including the practices recommended above. For example, consider whether (i) administratively, the business effectively trains relevant personnel to configure and align the use of SDKs with the business’s written privacy practices and (ii) technically, SDKs are configured to minimize the collection and sharing of children’s personal data.
  • Records of Compliance. Document steps taken to demonstrate compliance with privacy laws and show regulators that the business took reasonable steps to avoid non-compliance during an investigation.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising
