The People of the State of California have filed a lawsuit against Tilting Point Media LLC (hereinafter referred to as “Tilting Point”) with the California Attorney General and the Los Angeles City Attorney. The lawsuit alleges violations of the Children’s Online Privacy Protection Act (CoPPA), the California Consumer Privacy Act (CCPA), and the Business and Professions Code regarding unfair and deceptive business practices. The claims arise from Tilting Point’s mobile game, SpongeBob: Krusty Cook-Off (hereinafter referred to as “SpongeBob”), which failed to obtain parental consent, did not offer players an “opt-in” option before collecting, disclosing, selling, or sharing children’s personal information, and displayed advertisements inappropriate for children’s ages. After a hearing, on June 18, 2024, the prosecution reached a settlement with Tilting Point, imposing a civil fine of $500,000 and requiring Tilting Point to comply with injunctions to correct its violations and meet the child privacy protection requirements of CoPPA and CCPA.

Case Background Tilting Point is a game developer that generates revenue through advertisements and in-app purchases in its free mobile games. Tilting Point’s clientele includes children, and for business purposes, Tilting Point collects, discloses, sells, and/or shares personal information of its clients.

The game SpongeBob, launched in 2020, is rated “4+” on the Apple App Store and “E” (Everyone) on the Google Play Store. Despite Tilting Point’s terms of service and privacy policy stating that consumers under 13 years old are not allowed to use Tilting Point’s services, SpongeBob, based on a beloved children’s character, features background music, gameplay, and animation that appeal to children under 13. Therefore, Tilting Point was aware that many children were playing this mobile game.

In September 2022, the Children’s Advertising Review Unit (CARU) issued an investigation report stating that Tilting Point’s SpongeBob application violated COPPA and CARU’s Advertising Self-Regulatory Guidelines and Children’s Online Privacy Protection Guidelines. CARU noted that Tilting Point failed to provide neutral and effective age screening to limit the collection, use, or disclosure of personal information from users under 13, nor did it obtain verifiable parental consent before collecting, using, or disclosing any child’s personal information. CARU also found that Tilting Point used deceptive advertising strategies and displayed advertisements unsuitable for children. Although Tilting Point agreed to make corrections at that time, a joint investigation by the California Attorney General and the Los Angeles City Attorney found that Tilting Point continued its illegal practices.

Specifically, since the launch of SpongeBob in 2020, Tilting Point has committed the following violations:

1. Using age screening that did not neutrally inquire about age. For example, when SpongeBob is first downloaded, the default birth year on the birthday selection interface is set to 1953, requiring users under 13 to scroll through over 50 years to select their correct birth year.
2. Collecting, disclosing, selling, or sharing personal information from consumers who self-identified as under 13 without obtaining parental consent; and collecting, disclosing, selling, or sharing personal information from consumers who self-identified as over 13 but under 16 without obtaining their “opt-in” consent, including disclosing to third parties for “personalized” advertising purposes.
3. Incorrectly configuring third-party Software Development Kits (SDKs) in SpongeBob, leading to the collection and disclosure of children’s personal information without parental consent or opt-in consent.
4. Using deceptive advertising, including not providing an option to exit ads, not labeling them as ads, coercing players into downloading other applications, and displaying inappropriate ads for gambling and marijuana games to children.

As a result, the People of the State of California filed a lawsuit against Tilting Point, requesting penalties for violations of CoPPA, CCPA, and UCL and an injunction to correct the violations.

Law Enforcement Analysis

1. Knowingly but willfully ignoring the presence of children under 13 among consumers CoPPA Section 312.2 defines a child as a person under 13 years old. In this case, SpongeBob is based on a beloved children’s character and features elements appealing to children. The game’s ratings (“4+” on the Apple App Store and “E” on Google Play) indicate a significant presence of minors, including children under 13. Tilting Point cannot deny this fact through its privacy policy stating the product is not for children under 13. Furthermore, the default age setting of 1953 on SpongeBob’s registration interface creates difficulty for children to select their correct age, indicating Tilting Point’s intent to obstruct children from selecting their correct age and to pretend they are adults. Overall, Tilting Point’s policies and default age settings show that it knowingly but unwillingly accepts legal obligations towards its child users, creating a false impression of having no child users to legitimize its willful ignorance.

Tilting Point’s willful ignorance of child users resulted in the following violations: 2) Failing to notify and obtain parental or “opt-in” consent CCPA Section 1798.100 requires businesses to inform consumers prominently and clearly before collecting information, detailing the categories of information collected, the purposes of collection, and whether the information is sold or shared. CoPPA Section 312.4 mandates that businesses provide notice and obtain verifiable parental consent before collecting, using, or disclosing a child’s personal information. The notice must be clear, complete, and accessible directly by parents, who must give explicit consent or opt-in authorization before businesses can collect, use, or sell children’s personal information, as stipulated in CCPA Section 1798.120(c) and CoPPA Section 312.5.

In this case, Tilting Point failed to post clear privacy policy links on SpongeBob’s login page and in areas where SpongeBob collects children’s personal information. It did not notify parents of users under 13 or obtain parental consent, nor did it provide an opt-in button for users aged 13 to 16.

Regulatory authorities pointed out that Tilting Point should provide timely notice when selling and/or sharing personal information of children or consumers aged 13 to 16, including: (i) providing consumers with brief information explaining what information is collected, the purposes, and whether it will be sold and/or shared, (ii) linking to relevant parts of the privacy policy, and (iii) for children, clear and explicit notice that parental opt-in authorization is required before selling and/or sharing personal information; and for consumers aged 13 to 16, clear and explicit notice that opt-in authorization is required before selling or sharing their personal information. 3) Unauthorized collection, use, and disclosure of children’s personal information by SDK CCPA Section 1798.120(c) stipulates that if a business knows a consumer is under 16, it may not sell or share the consumer’s personal information unless the consumer (for those aged 13 to 16) or the consumer’s parent or guardian (for those under 13) explicitly authorizes the sale or sharing of the personal information. A business willfully disregarding a consumer’s age is deemed to know the consumer’s age.

In this case, the third-party SDK used by Tilting Point had the following violations:

1. Misconfiguration: The SDK was misconfigured or installed incorrectly in SpongeBob, preventing it from limiting the collection, disclosure, and use of personal information based on the consumer’s age.
2. Lack of consent: Despite consumers self-identifying as under 16 and being directed to a child-specific version, due to SDK misconfiguration, the SpongeBob application collected, disclosed, sold, or shared these consumers’ personal information without parental consent or explicit opt-in authorization.
3. Lack of review: Tilting Point failed to conduct proper reviews and due diligence in using and configuring the SDK in its mobile application, resulting in violations of CCPA regarding children’s data.

Regulatory authorities noted that when selling and/or sharing consumers’ personal information through SDKs, Tilting Point’s privacy policy should provide clear and explicit notice to consumers, including but not limited to identifying the SDK categories, the types of personal information sold or shared through SDKs, and the business or commercial purposes for selling or sharing personal information. 4) Unfair and deceptive advertising practices Business & Professions Code Section 22580 prohibits operators of internet websites, online services, online applications, or mobile applications directed to minors from marketing or advertising the following products or services: alcoholic beverages; firearms; ammunition; handgun safety certificates; destructive spray paints; destructive etching acids; tobacco; marijuana; obscene content, etc. Minors are defined as persons under 18 years old. CoPPA Section 312.7 prohibits operators from conditioning a child’s participation in games, sweepstakes, or activities on the disclosure of more personal information than is reasonably necessary.

In this case, Tilting Point’s advertisements directed at children included content such as gambling and marijuana games, violating Section 22580. Additionally, Tilting Point engaged in unfair or deceptive advertising practices, including not providing an option to exit ads, not labeling them as ads, coercing players to download other applications, and displaying inappropriate ads. The prosecution noted that Tilting Point must ensure that any ads displayed on its websites or online services are legally directed at children, including mixed audience websites or online services (unless neutral age screening is used in mixed audience websites or online services and such ads are displayed in versions or sections specifically designed for users self-identifying as 13 or older), such as: a. Indicating to consumers that it is an ad and not part of the game; b. Providing a prominent “X” or “Close” button allowing consumers to close the ad immediately without further action beyond clicking; c. Not manipulating or deceiving consumers into participating in ads, downloading or installing unnecessary applications, making unintended purchases, or providing unnecessary personal information; d. Not advertising activities or products that children cannot legally participate in or possess (e.g., gambling, alcohol, tobacco, or other drugs).

Enforcement Outcome On June 18, 2024, the prosecution reached a settlement with Tilting Point, imposing a civil fine of $500,000 and requiring Tilting Point to comply with injunction terms as follows:

• SpongeBob and all games directed at children must comply with CCPA and CoPPA’s children’s data protection requirements.
• Before collecting, selling, or sharing children’s personal information, provide consumers with notice detailing the types of information collected, the purposes of collection, whether the information will be sold or shared, and a link to the privacy policy, and obtain parental consent or the consumer’s opt-in authorization.
• Implement a neutral age screening mechanism to facilitate children accurately entering their age.
• Properly configure third-party SDKs and implement and maintain an SDK governance framework to review SDK use and configuration to comply with children’s data protection laws.
• Adhere to legal requirements for displaying advertisements to minors and minimize the collection and use of children’s data for advertising purposes.
• Implement a special program to evaluate and monitor compliance with the judgment, including submitting annual reports to the prosecution.

Compliance Recommendations When handling children’s personal information and online advertising, companies must take a series of measures to ensure compliance. Firstly, companies should strictly adhere to the Children’s Online Privacy Protection Act (COPPA) and the California Consumer Privacy Act (CCPA) requirements, ensuring verifiable parental consent is obtained before collecting personal information from children under 13 and affirmative opt-in consent from users aged 13 to 16. Additionally, companies should develop clear and transparent privacy policies, prominently link them on their websites, and clearly inform users about the types of information collected, the purposes, and how the information is handled. Implementing neutral and effective age screening mechanisms to ensure children can accurately input their age and avoid default age settings or inducements to falsely report age is also crucial.

Furthermore, companies should reasonably manage and configure third-party software development kits (SDKs) to ensure they do not collect or share children’s personal information without consent. Protecting the security of children’s personal information is also essential; companies must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the collected children’s personal information. In advertising practices, companies should ensure all advertisements are appropriate for children, do not contain misleading or inappropriate information, and provide clear advertising identifiers and opt-out options. Additionally, special compliance assessment and monitoring programs should be established, including regular self-checks and third-party evaluations, and annual compliance reports should be submitted to regulatory authorities to demonstrate the company’s compliance efforts and achievements. Finally, companies should regularly train employees involved in data processing and advertising to raise awareness of children’s privacy protection and compliance advertising and stay updated on changes in children’s online privacy protection laws to promptly update company policies and practices.

By implementing these comprehensive measures, companies can reduce legal risks, actively protect children’s privacy rights, and maintain their reputation and market position.

Kaamel’s Assistance Kaamel is always at the forefront of privacy protection. We firmly believe in helping companies identify and address privacy compliance risks through technology-driven approaches. The innovative Kaamel AI detection engine, based on mainstream regulations and regulatory cases, can help companies quickly and comprehensively identify their privacy compliance risks. Kaamel also provides comprehensive privacy compliance solutions to help companies effectively address regulatory and user demands in their overseas business operations, reduce privacy risks and compliance hazards, and establish privacy trust in the international market.