Disney Faces Children’s Privacy Class Claims Over Mobile App

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

The Walt Disney Co. allegedly allowed mobile gaming applications to collect and export children’s personal information to advertising partners without parental consent, according to a federal court complaint ( Rushing v. Walt Disney, Co., N.D. Cal., 17-cv-4419, complaint filed 8/3/17 ).

The case highlights legal questions surrounding the use of big data analytics to gain knowledge about app user activity. The practice leaves open the possibility that individual pieces of data can be aggregated with other information to identify individuals, exposing companies to potential liability for privacy violations.

“The power of data aggregation is a real game-changer,” said Michael Bahar, Washington-based partner at Eversheds Sutherland (US) LLP and leader of the firm’s cybersecurity and privacy practice.

Individual pieces of data may not be personally identifiable information by themselves, but big data analytics can reveal a “pretty holistic picture of individuals,” Bahar told Bloomberg BNA Aug. 4.

When the users at issue are children, class plaintiffs may argue that alleged violations of the Children’s Online Privacy Protection Act, while not providing them a direct claim, bolster their other privacy claims.

The plaintiffs, a parent and her child who used the Disney Princess Palace Pets mobile gaming app, alleged in an Aug. 3 complaint filed in the U.S. District Court for the Northern District of California that Disney’s user tracking system violates COPPA. The law requires websites and apps targeted at children to gain parental consent to collect and use the personal information of children under the age of 13.

Big Data Game Changer

Disney allowed technology companies Upsight Inc., Unity Technologies SF, and Kochava Inc. to embed codes in the app to collect users’ personal information and track them across different websites and online services, the plaintiffs alleged. When the data points are combined with other information about the same user, “it discloses a personal profile that can be exploited in a commercial context,” the plaintiffs alleged.

Walt Disney Co., Upsight Inc., Unity Technologies SF, and Kochava Inc. didn’t immediately respond to Bloomberg BNA requests for comment.

Bahar said that it is increasingly incumbent upon companies to understand the privacy implications raised by “smart elements” in their products.

“It’s like a Russian doll—open up each layer and see if there are any legal obligations triggered” by the smart element, he said.

Citing COPPA

Stacey Gray, policy counsel at Future Privacy Forum, told Bloomberg BNA Aug. 4 that the “lawsuit is very unusual because despite the way it is framed, in reality it is not a COPPA complaint.”

COPPA doesn’t allow individuals to sue, leaving that power to the Federal Trade Commission and state attorneys general. The allegations in the complaint are based on multi-state common law intrusion upon seclusion and California constitutional right to privacy claims, Gray said.

Stacey Steinberg, associate director of the Center on Children and Families at the University of Florida Levin College of Law, told Bloomberg BNA Aug. 4 that in most circumstances companies can’t disclose children’s information to third parties, even after obtaining parental consent.

Lieff Cabraser Heimann & Bernstein LLP and Carney Bates & Pulliam PLLC filed the complaint on behalf of the proposed plaintiff class.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Full text of the complaint is available at http://src.bna.com/rpi.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.