In an ongoing effort to enforce the California Consumer Privacy Act (CCPA) and the Children’s Online Privacy Protection Act (COPPA), the California Attorney General's Office (CAG) announced a recent settlement against Tilting Point Media, a mobile game publisher. The settlement marks the third public enforcement action under the CCPA and highlights the growing focus and increased nationwide efforts to protect children's online and mobile privacy.
Tilting Point allegedly violated both CCPA and COPPA by collecting and sharing user data, including that of children under 13, without obtaining proper consent. Allegations included:
- Tilting Point’s age screen did not ask for a user’s age in a neutral way, meaning children were not encouraged to enter their age correctly in order to be directed to a child-version of the game.
- Tilting Point misconfigured third-party software development kits (SDKs), resulting in the collection and sale of kids’ data without parental consent.
According to the CAG’s announcement, in addition to the payment of a $500,000 fine, Tilting Point must also implement and ensure compliance with the following:
- Not sell or share the personal information of consumers younger than 13 years old without parental consent, and not sell or share the personal information of consumers who are at least 13 but younger than 16 years old without the consumer’s affirmative “opt-in” consent.
- In instances where Tilting Point sells or shares the personal information of children, provide a “just-in-time notice” explaining what information is collected, the purpose for collection, if the information will be sold or shared, and a link to the privacy policy explaining the required parental or opt-in consent.
- Use only neutral age screens that encourage children to enter their age accurately.
- Appropriately configure third-party SDKs to comply with legal requirements related to children’s data.
- Implement and maintain a SDK governance framework to review the use and configuration of SDKs within its apps.
- Comply with laws and best practices related to advertising to minors and minimize data collection and use from children.
- Implement and maintain a program to assess and monitor its compliance with the judgment, including annual reports.
Continued CCPA Enforcement
Prior to Tilting Point, the CAG secured settlements with:
- DoorDash in February 2024 for $375,000 over allegations of mishandling consumer data and failing to provide sufficient CCPA notices and opt-out mechanisms.
- Sephora in August 2022 for $1.2 million for allegedly failing to disclose the sale of consumer data and not providing a clear opt-out option, both violations of CCPA.
Key Takeaways
The Tilting Point settlement offers valuable lessons for companies, particularly those dealing with children's data:
- Prioritize Transparency: Ensure clear and conspicuous privacy notices that detail data collection practices, use, and sharing.
- Obtain Verifiable Parental Consent: Implement a system to obtain verifiable parental consent before collecting any personal information from users under 13.
- Online Tracking Consent: implement a system to obtain proper opt-in consent before collecting any personal information from users under 16.
- Review Third-Party Relationships: Carefully review data-sharing agreements with third-party vendors, especially those involving user data.
The Tilting Point settlement is just one example of the growing focus on data privacy, particularly when it comes to children. With CCPA enforcement on the rise, and similar laws being enacted across the US and internationally, companies must prioritize data privacy compliance.