–UPDATE (8/5/17): The Walt Disney Company has released a response to the pending lawsuit. Their official statement reads:
“Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court.”—
Most of us realize that when we go online and click those “allow” tabs without reading, companies might be collecting or selling personal data on us for advertising purposes. Many of us make the assumption, though, that when we let our children use “kid-friendly” apps from trusted creators like Disney, that at least our kids are safe from privacy violations. According to a class-action lawsuit filed against The Walt Disney Company, this is not the case.
The lawsuit was filed Thursday, April 3rd in the US District Court for the Northern District of California; it was filed by the law firms of Lieff Cabraser and Carney Bates & Pulliam and names Amanda Rushing and her child as plaintiffs, as well as other parents and children with the same grievance.
There are certain federal laws in place to protect children’s rights, one of which being the Children’s Online Privacy Protection Act (COPPA). It is this law, which places special restrictions and requirements on websites and online services marketed to those 13-years-old and younger, that Disney is accused of violating.
The suit claims that Disney identified and stored data of children playing Disney mobile games, such as “Disney Princess Palace Pets”, to later use for “commercial exploitation”. It did so with software embedded in the apps.
The ad companies named as responsible for embedding the software were Upsight, Unity, and Kochava. The purpose of the software is to track, collect, and export children’s personal information. This lawsuit states that the information collected is then sold to third-party companies to track a child’s behavior “across multiple apps and devices”.
The suit alleges that the embedded technology, known as “software development kits”, were collecting data on children in secret to “facilitate behavioral advertising or marketing analysis”. Children’s browsing history, app usage, and even their locations were collected for use in marketing and advertising.
While most adults unconsciously click those “allow” tabs without paying too much attention to where our info is going, we might expect that an adult authorization is required for our children’s information to be tracked. Rushing says Disney provided no such requirements, and so she was unaware Disney “collected, disclosed, or used her child’s personal information”. The suit faults Disney for not providing “any of the required disclosures”, saying that the company “never sought verifiable parental consent”. Disney did not provided a means for parents or even children to give consent.
One of the attorneys filing on behalf of the plaintiffs, Michael Sobol, provided a statement, saying,
“As a company long-engaged in the practice of engaging—and profiting from—children, Disney needs to make sure its games and apps comply with the law. They and the companies they work with always have to obtain verifiable parental consent before extracting kids’ data from their mobile devices when kids play Disney’s mobile apps.”
This is not the first time Disney has been on the wrong side of COPPA. In 2011, Disney subsidiary Playdom Inc. faced a similar problem when they were accused of collecting and disclosing hundreds of thousands of children’s personal information, and were required to pay a penalty.
Disney has yet to comment on the lawsuit.