Following the Sephora and DoorDash enforcement actions, on June 18, 2024, the California Attorney General announced its third California Consumer Privacy Act (CCPA) enforcement action against Tilting Point Media LLC. Tilting Point is a mobile video game developer, including children’s games. The California AG alleged that Tilting Point collected and shared children’s data without parental consent in violation of the CCPA and the Children’s Online Privacy Protection Act (COPPA). Tilting Point’s mobile app game, “SpongeBob: Krusty Cook-Off,” did not ask for the user’s age in a neutral manner, i.e., children were not encouraged to enter their age correctly. Further, the California AG alleged that Tilting Point misconfigured the third-party software development kits (SDKs) used in the mobile app game, which led to the sale of children’s data without parental consent.

Tilting Point agreed to pay $500,000 to settle these allegations and to take actions to prevent the collection or sale of children’s data without prior parental consent. For example, Tilting Point must:

  • Use only neutral age screens that encourage children to enter their age accurately;
  • Not sell or share the personal information of consumers less than 13 years old without parental consent, and not sell or share the personal information of consumers at least 13 and less than 16 years old without the consumer’s affirmative “opt-in” consent;
  • Minimize data collection and use of data from children;
  • Comply with laws and best practices related to advertising to minors; and
  • Implement and maintain an SDK governance framework to review the use and configuration of SDKs within its apps.

If your business collects children’s personal information or provides services to children, confirm that your practices are in compliance with federal and state privacy requirements.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.