Keypoint: The settlement, which includes a $500,000 fine and injunctive relief, arises out of alleged violations of the CCPA’s children’s privacy provisions and COPPA.

On June 18, 2024, the California Attorney General announced it had reached a settlement with an online gaming company, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and federal Children’s Online Privacy Protection Act (COPPA) “by collecting and sharing children’s data without parental consent in their popular mobile app game ‘SpongeBob: Krusty Cook-Off.'” The Attorney General’s complaint and settlement were pursued in connection with the Los Angeles City Attorney’s office.

In the below article we provide a brief overview of the settlement.

Background

According to the complaint, starting in 2020, the defendant offered a free-to-play mobile app game called “SpongeBob: Krusty Cook-Off.” The defendant’s terms of service and privacy policy stated that consumers were not authorized to use defendant’s services if they are under 13 years of age; however, the defendant allegedly was aware that children under 13 were using the app and that the app is directed to children.

In September 2022, the Children’s Advertising Review Unit (CARU) of the BBB National Programs issued findings that the app violated COPPA and CARU’s self-regulatory guidelines. Among other things, CARU concluded that the app “failed to provide a neutral and effective age screen” and did not obtain verifiable parental consent (VPC) for the collection of personal information from children under 13. The defendant agreed to implement changes but that did not deter the Attorney General’s office and Los Angeles City Attorney from initiating their own investigation.

That investigation determined that the app (1) used age screens that did not ask for the user’s age in a neutral manner, (2) allowed children under 13 to consent to receiving personalized advertising without VPC, and (3) processed the personal information of children who self-identified as under 13 without VPC and who self-identified as between 13 and 15 without the consumer’s consent. The defendant also incorrectly configured software development kits (SDKs) provided by third parties that resulted in the “collection and disclosure of children’s personal information without required parental or opt-in consent.” Further, the defendant’s privacy policy was ambiguous and incomplete for the use of personal information for targeted and behavioral advertising. Finally, the defendant’s advertising to children used deceptive tactics.

The complaint alleges that the app violated the CCPA’s requirements that businesses (1) obtain parental consent for the selling or sharing of personal information of consumers under 13 and (2) obtain the consumer’s consent for the selling or sharing of personal information of consumers between 13 and 15. In addition, the defendant’s privacy policy violated the CCPA’s disclosure requirements by not “sufficiently” disclosing that the defendant “sells or shares personal information in connection with targeted or behavioral advertising, particularly its data practices related to children.” The complaint also states claims for violations of COPPA and California’s Unfair Competition Law.

Settlement

Pursuant to the proposed settlement, the defendant will pay a $500,000 fine and around $10,000 for cost recovery. In addition, the settlement requires the defendant to comply with various provisions of the CCPA and COPPA governing the collection and use of the personal information of children under 16 and 13 years of age, as applicable. It also must make proper disclosures to children and parents, as applicable. Further, the settlement contains provisions relating to the use of age screens, SDKs, and advertising to minors. Finally, for a period of three years, the defendant must implement and maintain a program to assess and monitor its websites and online services that are directed to children and collect personal information for compliance with the settlement.