By now you’ve likely read the headlines: Disney and Viacom have been hit with proposed class-action lawsuits claiming that these companies allegedly “violate state and federal privacy protection laws by exporting children’s personal information from mobile games aimed at children to advertising networks without the parental consent required by federal and state law.”
Forty-two Disney apps are referenced in the suit, while Viacom is cited for its Llama Spit Spit game, as well as “numerous other games for children on mobile platforms.” The legal action doesn’t stop there: Unity, Upsight and Kochava have been included in the suits, and Kiloo, Sybo Games, AdColony, Altaba, ChartBoost, Flurry, InMobi, IronSource, TapJoy and Vungle have been hit with a separate legal action.
At issue is the use of third parties in children’s apps, and questions over whether or not persistent identifiers are being shared with third parties without parental consent in a way that allows for behavioral targeting or other purposes not permitted under the US Children’s Online Privacy Protection Rule (COPPA). Additional issues include alleged violations of state privacy laws.
The question is, do the suits have merit? Is this a case of companies spying on children and illegally tracking them, or is it something less nefarious? The suits claim that the actions are “malicious, oppressive, willful” and “calculated to injure.” According to Disney, “The complaint is based on a fundamental misunderstanding of COPPA principles.” And Viacom has noted, “We believe the claims are without merit.”
What is clear is that regulators, advocates and parents are looking carefully for COPPA issues related to the third parties that operate within apps, and any company caught up in the scrutiny will pay a heavy price for it.
What should operators know?
As an operator, you are responsible for compliance of the app. That includes responsibility for every third party in the product and every item of data collected, processed, shared or stored. If you share personal information with third parties, you are also required to “take reasonable steps” to ensure that you are sharing that information only with parties that are capable of protecting it adequately, and that provide assurances that they will do so. Similarly, if you know that your company’s product or service is being used within an app that is directed in whole or in part to children under the age of 13, or you know that you are collecting personal information from under-13s, you are also responsible for ensuring that you operate in compliance with COPPA. See below for information about personal information and persistent identifiers.
What should operators do now?
Take stock of every third party operating in your app, and every item of data provided to each party. Repeat your privacy and security diligence on each third party. Also, consider these questions:
- Do they receive personal information from or about children?
- If so, is it the minimally required information necessary for them to provide their service?
- Does their service strictly qualify as “internal operations” under COPPA?
- Does their business model suggest that they may use the information for other purposes?
- Has incorporating a third party in your app opened the door for that third party to bring other parties in?
- Do you have contractual agreements in place that specify the limitations on data use?
- Is each third party able to protect the information adequately, and delete it when no longer necessary to perform the internal operations? What sort of assurances do you have that this happens?
- Have you disclosed all of these operators properly in your privacy policy?
- Are your third parties configured properly, given that they are operating on a children’s site?
Be sure you have controls in place to ensure that third parties are not incorporated into your product without a thorough vetting and proper contractual controls. Maintain your audit trail around your process, and repeat your full audit on an annual basis. Staying on the right side of the law, with a robust governance process to back it up, will help you stay out of the regulatory spotlight, and put any questions from parents and advocates to rest quickly.
A note about persistent identifiers
COPPA requires that you obtain verifiable parental consent prior to collecting personal information from children under the age of 13, and personal information does include a persistent identifier that can be used to recognize a user over time and across different sites or online services. This persistent identifier could include, for example, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or a unique device identifier. COPPA does allow an operator to collect and share persistent identifiers without prior parental consent, but only when the persistent identifier is used for specific, limited internal operations: maintaining or analyzing the functioning of the site or online service; performing network communications; authenticating users of, or personalizing the content on, the site or online service; serving contextual advertising on the site or online service or capping the frequency of advertising; protecting the security or integrity of the user, site, or online service; ensuring legal or regulatory compliance; or fulfilling a request of a child when it fits within additional, specific constraints and restrictions of COPPA.
Linnette Attai has more than 25 years of experience guiding clients through the complex compliance obligations governing data privacy matters, online user safety and marketing, with a focus in the education and entertainment sectors. As the founder of PlayWell, LLC, Linnette works with private and public companies, schools and school districts, youth groups, education leadership, lawmakers and policy influencers, children and parents. Linnette is Project Director for the CoSN Privacy Initiative and Trusted Learning Environment programs, an Adjunct Professor of marketing at the Fordham Graduate School of Business, an Adjunct Professor of marketing at The New School, serves as a virtual Chief Privacy Officer and Data Protection Officer to a number of companies, and speaks nationally on online privacy, safety and marketing matters. She may be reached at Linnette@PlayWell-LLC.com.