Privacy Insider Newsletter | Data Privacy News Delivered Weekly

Another CCPA Enforcement Action Issued

Written by Arlo Gilbert | Jun 20, 2024 3:17:48 PM

Hello all, and happy Thursday! 

Data privacy enforcement is ramping up in the Golden State. California’s Office of the Attorney General has officially issued its third enforcement action against mobile app developer Tilting Point Media. Specifically, its game, “SpongeBob: Krusty Cook-Off," was found to collect and share children’s data without parental consent in the mobile game. Unsurprisingly, a game based off of the SpongeBob cartoon show meets the criteria for being targeted at a “known child” under California and Federal law. As a result, Titling Point Media was hit with a $500,000 fine for violations of both the CCPA and COPPA. 

How did this happen? 

Tilting Point’s game did have a more child-friendly version of its game but access to that version was dependent on the child entering their age correctly. The state AG found that Tilting Point’s age screen was not neutral, encouraging inaccurate entries. That’s no good, but perhaps more significantly, Titling Point also accidentally misconfigured the third-party SDKs used to develop the app resulting in the collection and sale of kids’ data without parental consent. 

Two things stand out to me. The first is that the crux of this violation hinged on poor SDK governance, a bad practice that is very easy to fall into. As a result, this enforcement action should serve as a reminder that developers need to be trained on data privacy. It’s perfectly possible your applications are collecting user data without your knowledge if your development team isn’t aware of the data privacy implications of the SDKs it uses. 

Second, the state AG’s press release (which you can find in our news stories below), indicates that Tilting Point media was given the opportunity to take corrective action and did so—but not to the extent that it fully cured the violations. It’s possible this contributed to the lower financial penalty in this action, especially considering that the violation involved children’s data.  

What this signifies is that data privacy is hard to do after the fact. It’s always going to be easier to become proactively compliant than it is to go into firefighting mode once you receive a letter from a regulator. 

Best, 

Arlo 


Top Privacy Stories of the Week

EU Artificial Intelligence Act Signed Into Law 

The EU AI Act has officially been signed into law. The long-awaited act will regulate how developers and deployers may use AI systems if EU citizens use those citizens, regardless of whether the developer/deployer is based in the EU or not. Once the act is published in the Official Journal, it will go into effect 20 days later. 

Read more 

Pope Francis Becomes First Pontiff to Address a G7 Summit, Raising Alarm About AI. The G7 Responds. 

Pope Francis challenged leaders of the world’s wealthy democracies to keep human dignity foremost in developing and using artificial intelligence during a special session at their annual summit on the perils and promises of AI. In doing so, he became the first pope to attend the G7, offering an ethical take on an issue that is increasingly on the agenda of international summits, government policy, and corporate boards alike. 

Read more 

The AI Bill That Has Big Tech Panicked 

California’s SB 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act, would mandate that companies that spend more than $100 million on AI training also do safety testing and be held liable for harms associated with the technology. Though the act has received criticism from tech companies, it recently passed the California state senate. 

Read more 

EU AI Act: Overview and FAQs 

The EU AI Act will soon enter into force with most obligations to take effect within 24 months. This resource provides an overview of the key elements of the Act alongside frequently asked questions as to what it might mean for organizations in practice 

Read more 

The Vermont Veto Is a Step Backward for Privacy 

Vermont Governor Phil Scott recently vetoed a data privacy bill declaring that it "created an unnecessary and avoidable level of risk," in large part because it had a "narrow" private right of action. This op ed criticizes Scott’s decision to veto the bill and explains how doing so erodes data privacy rights and trust in business. 

Read more 

California Attorney General Bonta Announce $500,000 Settlement with Tilting Point Media for Illegally Collecting and Sharing Children’s Data 

Recently, the California AG issued the third enforcement action under the CCPA against Tilting Point Media, a game developer behind the mobile app game "SpongeBob: Krusty Cook-Off". Tilting Point Media violated both the CCPA and COPPA by collecting and sharing children’s data without parental consent in the mobile game. In addition to $500,000 in civil penalties, Tilting Point must comply with injunctive terms ensuring legal data collection and disclosure, including obtaining parental consent and diligence in configuring third-party software in their mobile games. 

Read more 

Osano Blog: An Analysis of the Sephora Enforcement Action 

In light of the recent CCPA enforcement action against Tilting Point Media, you may want to review other enforcement actions under the California law to understand more about how to comply. Our breakdown of the first enforcement action under the CCPA gets into detail about how popular makeup retailer Sephora ran afoul of the law. 

Read more 

If you’re interested in working at Osano, check out our Careers page