[co-author: Stephanie Kozol]*
California Attorney General (AG) Rob Bonta and Los Angeles City Attorney Hyde Feldstein Soto recently settled a lawsuit with Tilting Point Media, LLC (Tilting Point) related to a SpongeBob Square Pants-themed app. In the complaint, Tilting Point is accused of collecting, using, and sharing the personal information of children in violation of the Children’s Online Privacy Protection Act (COPPA).
In addition to the alleged COPPA violations, the company’s privacy policies were also at issue with respect transparency. The issue related to certain third-party Software Development Kits (SDKs) that Tilting Point allegedly improperly configured, which resulted in the collection of children’s personal information without disclosure or consent. The California Consumer Protection Act (CCPA) mandates parental consent for users under 13 and affirmative “opt-in” consent for users aged 13 to 16 before their personal information can be sold or shared. The regulators also asserted that the company’s privacy policy was noncompliant with the CCPA because it was ambiguous and incomplete, and failed to sufficiently disclose the collection, sale, or sharing of personal information in violation of the CCPA.
Tilting Point agreed to pay $500,000 in civil penalties. Additionally, Tilting Point must implement a robust privacy policy that clearly outlines its data collection, use, and sharing practices, especially concerning children. This includes:
- Providing direct notice to parents and obtaining verifiable parental consent before collecting, using, or disclosing children’s personal information;
- Conducting annual assessments of its compliance with these requirements, including the use of age screens and data minimization efforts; and
- Establishing an SDK governance framework to monitor and control the use of SDKs within its apps.
Why It Matters
This settlement is representative of the evolution of California’s data privacy enforcement efforts, including those under the CCPA. Whereas early enforcement efforts primarily related to compliance with satisfying notice and opt-out rights, AG Bonta is now looking into compliance with data privacy requirements in practice — especially when it comes to the data of minors.
*Senior Government Relations Manager