Toymakers have recently received more than their share of scrutiny concerning the collection, storage and breaches of data belonging to children.  Cases involving this data move past questions of whether a data breach was avoidable and, instead, ask whether certain data can be collected in the first place.  A recent lawsuit against The Walt Disney Company and its related companies (“Disney”) sheds new light on how companies may be using “free” apps to gather data on their youngest customers and how that data can be used.

On August 3, 2017, a class action lawsuit was filed against in the United States District Court for the Northern District of California against Disney seeking recovery based on allegations “by parents of children, who while playing online games via smart phone apps, have had their personally identifying information exfiltrated by [Disney], for future commercial exploitation…”  (Complaint at ¶1)  In particular, the plaintiff, Amanda Rushing (“Rushing”), claims her child’s private information was improperly stored as her child used Disney’s app “Princess Palace Pets.” The Class Action Complaint includes claims against the “SDK Defendants” which were the companies that provided their own code to Disney’s apps for use in the games, known as “software development kits.”  The Complaint asserts that the SDK Defendants embedded software in Disney’s gaming apps that allowed for the app users’ personal information to be collected without authorization and “to facilitate subsequent behavior advertising.”  (Complaint at ¶7)

Before the specific allegations against Disney and the SDK Defendants, the Complaint contains a number of allegations against the app and gaming industry in general including that “[m]ost consumers, including parents of children consumers, do not know that apps created for children are engineered to surreptitiously and unlawfully collect the child-users’ personal information, and then exfiltrate that information off the smart device for advertising and commercial purposes.” (Complaint at 16) The plaintiff’s theories underpinning the allegations against Disney include:

“When children are tracked over time across the internet, various activities are linked to a unique and persistent identifier to construct a profile of the user of a given smart device.  Viewed in isolation, a persistent identifier is merely a string of numbers uniquely identifying a user, but when linked to other data point about the same user, such as app usage, geographic location (including likely domicile), and internet navigation, it discloses a personal profile that can be exploited in a commercial context.” (Complaint at ¶22)

The Complaint contains allegations that these actions taken by Disney and the SDK Defendants give rise to a violation of the Children’s Online Privacy Protection Act (“COPPA”) In short, COPPA prohibits gathering personal information of children under the age of 13 “without first obtaining verifiable consent from their parents.”   While the plaintiffs acknowledge that COPPA typically protects data more commonly understood to be personal information (names, email addresses, social security numbers, etc.), it also protects against the authorized collection of “persistent indentifier[s] that can be used to recognize a user over time and across different Web sites or online services.” (Complaint at ¶28)  In short, the Class Action Plaintiff claims the defendants violated COPPA by “incorporating the SDK Defendants’ behavioral advertising SDK’s into their child-directed apps and permitting them to track children by collecting, using, or disclosing their persistent identifiers without verifiable parental consent…”) (Complaint at ¶63)

The Complaint contains two causes of action against the defendants. Under the first cause of action for Intrusion Upon Seclusion, the Plaintiff claims Disney and the other defendants intentionally intruded on Plaintiff’s “solitude, seclusion, or private affairs by intentionally designing the Game Tracking Apps…to surreptitiously obtain, improperly gain knowledge of, review and/or retain Plaintiffs…activities through monitoring technologies and activities” as described in the Class Action Complaint.  Under the Plaintiff’s second cause of action entitled California Constitutional Right to Privacy, the Plaintiff claims her and the other class members have “reasonable expectations of privacy in their mobile devices and their online behavior” which Disney and the other defendants “intentionally intruded on.”

While Disney and the defendants have not responded to the allegations in the Complaint, The Hollywood Reporter reports that it received a statement from Disney related to the lawsuit indicating that it is taking the position that: “Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court.”

Of course, it is still early in this litigation and it may be years before we see whether the class action the Class Action Plaintiffs’ allegations have merit.  Nevertheless, the Class Action Complaint is clear that even if something is being given away for free (in this case apps based on Disney characters), people still expect to control their personal information.  As this area of the law continues to develop, data collectors must consider more than if they have the proper safeguards in place to protect data from a breach.  Rather, data collectors must consider if they have permission to collect data in the first place.  This case provides another example of where a party claims to be injured without their information being breached and what harm, if any, results from the unauthorized collection of data.

For more information, click here to contact a Tressler attorney.