The Walt Disney Co. is facing a novel class-action lawsuit related to its Princess Palace Pets app. According to the complaint, Disney and the software companies that helped design the app violated the Children’s Online Privacy and Protection Act (COPPA) because the app tracks children’s online activity to facilitate targeted advertisements. The case is significant given the popularity of mobile applications directed at children as well as Disney’s already considerable COPPA-compliance efforts.

[caption id="attachment_21730" align="aligncenter" width="550"] Photo courtesy of[/caption]

Obligations Under the Children’s Online Privacy and Protection Act

Under COPPA, operators of online services directed to children under age 13 are required to provide notice and obtain parental consent before collecting items
of “personal information” from children. Under COPPA, “personal information” includes more commonly understood information like names, email addresses, and social security numbers, as well as “persistent identifier[s] that can be used to recognize a user over time and across different Web sites or online services.”

In addition, COPPA not only applies to websites and online services dedicated to children, but also to operators of general audience websites or online services with “actual knowledge that they are collecting, using, or disclosing personal information from children under 13.”

Under COPPA, operators are required to implement certain safeguards to protect children’s privacy. They include:

  • Posting a clear and comprehensive privacy policy on their website describing their information practices for children’s personal information;
  • Providing direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;
  • Offering parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties;
  • Authorizing parents to access their child’s personal information to review and/or have the information deleted;
  • Providing parents the opportunity to prevent further use or online collection of a child’s personal information; and
  • Maintaining confidentiality, security, and integrity of information they collect from children.

Class-Action Suit Against Disney

According to the COPPA class-action complaint, several software companies, which are also named in the suit, provided their own proprietary computer code to Disney, known as software development kits (SDK), for installation and use in the Disney Princess Palace Pets app. The SDKs in Disney’s gaming apps subsequently collected app users’ personally identifying information in the form of “persistent identifiers,” typically a unique number linked to a specific mobile device, and transmitted it to the defendants to facilitate subsequent behavioral advertising. 

“These persistent identifiers allow SDK providers to detect a child’s activity across multiple apps and platforms on the internet, and across different devices, effectively providing a full chronology of the child’s actions across devices and apps,” the complaint contends. “This information is then sold to various third-parties who sell targeted online advertising.”

The lawsuit further maintains that companies no longer need to rely on traditional forms of personal information, such as email addresses or phone numbers, to serve targeted ads. Rather, it is more effective to simply track a users’ digital habits across platforms.

According to the plaintiffs, when linked to other data points about the same user, persistent identifiers can disclose a personal profile that can be exploited in a commercial context. “Permitting technology companies to obtain persistent identifiers associated with children exposes them to the behavioral advertising (as well as other privacy violations) that COPPA was designed to prevent,” the complaint states.

Message for Businesses

Regulation and enforcement of online privacy continues to be a hot topic in regard to children’s applications, with several federal agencies including the Federal Trade Commission (FTC) evaluating whether additional regulation may be needed. In the meantime, COPPA remains the primary enforcement mechanism.

As the class-action suit highlights, COPPA violations can lead to significant liability. There is a considerable incentive for plaintiffs’ class action attorneys, who tend to be paid fees out of funds recovered for the plaintiffs, to press novel theories of violation. In 2011, Disney subsidiary Playdom Inc. paid a $3 million civil penalty for violating COPPA when it allegedly collected and disclosed personal information from children without obtaining their parents’ prior verifiable consent. This settlement is currently the largest civil penalty for a violation of COPPA.

Do you have any questions? Would you like to discuss the matter further? If so, please contact me, Charles Yuen, at 201-806-3364.