Lessons from Bikini Bottom: Privacy and the Tilting Point Settlement

On June 18, 2024, the California Attorney General announced a settlement with mobile game developer and publisher Tilting Point Media LLC, resolving allegations that the company had violated the federal Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), and the California Unfair Competition Law (UCL).  The proposed settlement includes a $500,000 fine, an additional $10,000 for cost recovery, and injunctive terms ensuring legal data collection and disclosure for Tilting Point.

So what practices exactly was Tilting Point engaged in that attracted the enforcement attentions of the Attorney General, and what can other game publishers learn from this latest settlement to help avoid falling into a similar expensive situation?

CARU and the Attorney General’s Investigation

Tilting Point is the publisher of the mobile game “SpongeBob: Krusty Cook-Off,” which was first released in 2020 and features characters from the popular Nickelodeon animated children’s television series SpongeBob SquarePants.  The gameplay is relatively simplistic, with players managing a virtual kitchen and filling customers’ orders in the cartoon setting of Bikini Bottom.  It is rated “4+” on the Apple App Store and “E” for everyone on Google Play.  While Tilting Point’s terms of service and privacy policy stated that users under the age of 13 were not authorized to use its services, the company was allegedly aware both that the game was directed towards children and that children under the age of 13 were in fact playing it.

In September 2022, the Children’s Advertising Review Unit (CARU) issued findings that Tilting Point was in violation of COPPA and CARU’s advertising guidelines in relation to their SpongeBob game.  CARU found that Tilting Point failed to provide a neutral and effective age screen in the game and failed to obtain parental consent before collecting, using, or disclosing the information of children under 13.  Additionally, Tilting Point allegedly displayed deceptive and age-inappropriate advertisements in the game to children, including ads for gambling apps and a game about growing marijuana.

Following CARU’s report, the California Attorney General’s office opened an investigation and determined that Tilting Point was in violation of the CCPA, COPPA, and the UCL.  The AG’s office filed a complaint in the Central District of California on behalf of the People of the State of California alleging that Tilting Point violated the CCPA by failing to obtain the proper consent—either that of the user for those aged 13 to 15, or from the parent for users under the age of 13—before selling or sharing the user’s personal information.  According to the AG, Tilting Point’s failure to implement a neutral age screen also discouraged users from accurately entering their ages by defaulting to a birth year of 1953 and requiring significant scrolling for younger users to reach their actual birth year.  As a result, instead of receiving an age-appropriate version of the game with the required consent options, users under the age of 16 received the 16+ version of the game, complete with its data collection and advertising practices.  Tilting Point also allegedly failed to configure or diligently review software development kits (SDKs) included in the SpongeBob game such that these SDKs would separately collect, disclose, sell, or share children’s personal information.  And finally, Tilting Point’s privacy policy insufficiently disclosed its collection and use practices for consumers’ personal information as required under the CCPA.

In addition to these alleged CCPA violations, the AG’s office determined that the SpongeBob app was directed at children and that Tilting Point had actual knowledge that it collected personal information from children, and so was subject to COPPA.  It alleged violations of COPPA for many of the same reasons listed above, notably the failure to obtain parental consent or provide sufficient notice as to their information collection and disclosure practices. And finally, the AG alleged violations of the UCL including unfair and fraudulent advertising to minors, such as ads that were not clearly advertisements, did not provide easy exit methods, and were not age appropriate.

The AG’s office announced it had reached a settlement with Tilting Point the same day it filed its complaint in the Central District, making it the third such settlement under the CCPA since enforcement began in January 2020.

The Takeaway

The AG’s complaint and the settlement offer game developers and publishers several valuable insights and reminders regarding their privacy practices, as well as the potential financial and injunctive penalties that may arise for failure to adhere to them.  It is a reminder that regulators and executive offices are keenly interested in enforcing privacy laws, especially those that pertain to data associated with children.  While implementing a policy of privacy by design at the outset of any game development process is best (and under certain laws like the GDPR, a requirement), it’s also advisable to review privacy policies and practices for compliance at regular intervals, especially given the ever-changing landscape for these laws.

A few reminders to highlight based on the Tilting Point settlement include:

  1. Implement a neutral age screen to check for users’ ages.  The purpose of an age gate or age screen is to filter out children under a certain age and limit the collection, use, and disclosure of their personal information.  An age or birth year slider is one way of implementing this, but it needs to be easy for the children it is meant to filter out to use and understand.  If the age gate counts by birth year, start from the current year and let users work back from there, as it means a shorter distance to scroll for children and makes it likelier that they will provide an accurate response.  Alternatively, have the age gate count using the player’s numerical age starting from zero, and consider implementing an easy-to-use and visually understandable slider as opposed to a drop-down or form-fill option.

  2. Ensure you have obtained informed consent if you are going to collect, use, or distribute children’s personal information.  Under the CCPA this consent must be “opt-in” for children under 16 and cannot be activated in the app by default.  While this consent can come from the user if they are between the ages of 13 and 16, for those under the age of 13 it must be parental consent.  You may also consider engaging in more general data minimization practices with your programs, avoiding collecting personal information in excess of what is necessary for the intended purpose in the first place.

  3. Audit your SDKs to ensure they are compliant with the law.  The above requirement extends to any SDKs that may be incorporated into your game—including application programming interfaces (APIs)—so double check their configurations to ensure they are also appropriately limiting the collection, disclosure, and use of personal information.

  4. Regularly review and update your Privacy Policy.  Privacy policies need to be unambiguous regarding the use of personal information for targeting and behavioral advertising.  For compliance with the CCPA and other privacy laws, privacy policies need to include complete disclosures of the categories of personal information collected, as well as the categories of parties to whom that information is disclosed, sold, and/or shared, and should be updated regularly, under some laws at least once a year.

  5. Take steps to eliminate deceptive or inappropriate in-app advertising.  This is especially true for advertisements directed at minors, but in general in-app advertisements should be clearly labeled as advertising, provide clear exit methods, and be age-appropriate for the audience. For publishers working with external service providers to implement in-app advertising, those partners may have methods (e.g., block lists by advertiser or category) that can be leveraged.
