Over the last week, three very interesting class action lawsuits were filed in the U.S. On Thursday, two law firms announced a class action lawsuit alleging child privacy violations against Kiloo, the publisher of Subway Surfers (among other apps). Kiloo is a Danish game publisher that got its start making Facebook games, and Subway Surfers is one of its long running successes, with well over 1 billion downloads and 17 million 5 star ratings on Android Play.
On Friday the same two law firms announced a second class action suit, this time against a little company you may have heard of .. Disney. Like the first suit, this action includes not just the app publisher, but also the adtech companies that Disney has integrated into the apps for monetization and analytics – Upsight, Unity, and Kochava. On Monday, a third class action suit was filed, this time against Viacom/Nickelodeon. Clearly, by filing three suits against high profile targets, these plaintiffs’ law firms are executing a calculated strategy with a highly anticipated probability of success. The fact that Lieff Cabraser is one of the law firms bringing these suits is worth noting, since they are one of the premier plaintiff’s-side law firms in the country that has achieved favorable verdicts and settlements in countless high-profile class action lawsuits (such as winning $15 billion settlement from Volkswagen over its “clean diesel” emissions fraud).
It is interesting to note that each of these suits includes the third party companies that process private user data. You may recall that the 2013 update of COPPA was specifically drawn up to bring third parties under the gun for managing children’s privacy and holds operators (websites, app publishers, etc) strictly liable for the data collection practices by third party services integrated into their services. In addition, the new EU General Data Protection Regulation (GDPR), a huge overhaul of data protection regulation in the EU, specifically includes third parties it calls ‘data processors’, holding companies based anywhere in the world accountable to make sure ALL EU citizens (not just parents of children under 13) have been clearly informed and have given affirmative consent to have their data processed or that companies have other legitimate means under the GDPR to collect such data without consent.
Many companies in the mobile gaming industry have written COPPA off as an empty threat due to minimal enforcement by the Federal Trade Commission, which is currently limping along with only two of its mandated five commissioners.
But wait.. COPPA is a law that can only be enforced by the FTC or by states, right? Yes, that’s right. COPPA authorizes the FTC and the state attorneys general to enforce it, but doesn’t create a private right of action that would directly allow for the general public to sue companies for COPPA violations on their own (when laws are drafted, some allow for the general public to sue companies for violating that law, others don’t because they are more regulatory in nature).
So how were these firms able to bring these class action suits based on COPPA violations? In order to bring these lawsuits against Kiloo, Disney and Viacom, Lieff Cabraser used the companies’ (and their 3rd party ad tech partners’) violation of COPPA to allege that the class members’ privacy expectations were violated, which they used as a basis to directly sue these companies based on other privacy-related causes of action such as the common law claim for intrusion upon seclusion and the California constitutional right to privacy. These rights give people a reasonable expectation of privacy with respect to their online activities and behavior, so by collecting personal data from children without their knowledge or consent from their parents (i.e. violating COPPA), the suits allege that these companies violated the childrens’ right to privacy and harmed them. These lawsuits allege that the defendants are subject to COPPA because their apps are either directed at children based on their subject matter and scope or that they had actual knowledge that they were collecting personal information from children.
The lawsuits seek punitive damages for violating these laws which may be substantially higher than what the FTC is authorized to fine companies. In the Kiloo lawsuit they also sued for violating a New York law protecting people against deceptive acts or practices by companies (in this case, collecting PII from children without notice or parental consent).
Since plaintiff-side law firms generally operate under contingency models, top firms like Lieff Cabraser don’t devote expensive resources to bringing these types of lawsuits unless they see a high likelihood of success. In choosing to target Disney and Viacom, both of which will likely expend quite a bit of legal resources fighting these lawsuits, the plaintiffs are placing a massive bet that they believe they will win. If these class actions are successful or the companies settle for sizeable amounts, it could open up an entire market for plaintiff-side law firms to bring these types of lawsuits against top mobile gaming companies to collect large settlements or damages from favorable judgments in court.
In the shadow of the massive disruption that is coming in just 10 months with the EU’s GDPR and ePrivacy regulations, I suggest these suits should be a call to action to all game publishers to start paying attention to privacy compliance. I call this disruption “The Privacy Tsunami,” because it is going to deeply affect mobile gaming in numerous ways – user acquisition, monetization methods, CPMs, in app revenues, and retention. Because these risks are augmented by data flowing downstream via third party advertising and analytics partners integrated into almost every app, it will affect the entire mobile ecosystem, not just publishers.
In closing, I respectfully advise you to do your own research and really understand how the privacy tsunami affects your products. To comply with these regulations, you need to inform users how their private data will be used and get consent from all users in the EU and from verified parents in the U.S. Your third party monetization and optimization partners also need to verify that consent each time they collect and use that data. Under the GDPR’s expansion of privacy rights for EU citizens, you must also give users a way to see the data you have collected, correct it, change their consent, request erasure, and be notified within 48 hours of a data breach. With respect to COPPA, you are at risk of costly and reputation-harming litigation or regulatory enforcement today. With respect to the GDPR, you have 10 months left in which to make these changes, or risk having to explain to your board of directors why you didn’t take it seriously.