Tilting Point Media LLC, (Tilting Point) which describes itself as a “free-to-play publisher” of dozens of apps and video games, has reached a $500,000 settlement with the Attorney General of California and the Los Angeles City Attorney for violating laws that prohibit the collecting and dissemination of children’s data without parental consent. The settlement agreement, reached on June 18, also enjoins Tilting Point from selling or sharing personal information about children under 13 and requires the company to get “Opt-in consent” from children between the ages of 13 to 16.

The civil penalties stemmed from Tilting Point’s sharing of data gathered when kids play “SpongeBob: Krusty Cook-Off.” The demographic for this popular “cooking simulation game” is children under the age of 13 and when kids play it, they also receive ads and in-app purchase offers. Other age-targeted offers are aimed at older teens and adults.

According to the complaint, the app invites players to “…join SpongeBob SquarePants on a hilarious culinary adventure through the restaurants and kitchens of Bikini Bottom! Players must manage a virtual kitchen while trying to fill customer’s orders.” It also displays personalized ads and in-app purchases and uses animated characters and “fun background music,” as well as the simplistic nature of playing the same, making it simple and basic for those under 13.

The app also used “age screens” that did not ask about age in a “neutral manner.” For example, the complaint said, “…starting in 2020, when the SpongeBob app was first downloaded, an initial screen asked users to select their birthday, defaulting to the year 1953. Users under the age of 13 would need to scroll through more than 50 years to select an accurate birth year.” Thus, children under 13 were able to “consent to the processing of their data for the purpose of receiving “personalized” advertising, without parental consent.”

These characteristics violate both the federal Children’s Online Privacy Protection Act (COPPA) and the

California Consumer Privacy Act (CCPA). COPPA, enacted in 1998, prohibits “unfair or deceptive practices in connection with the collection, use, and/or disclosure of personal information from and about children on the internet.” It is enforced by the Federal Trade Commission. The CCPA, meanwhile, forbids California businesses from selling personal information about children they know to be 13 or under without getting “affirmative authorization (opt-in)” from parents or guardians. Those aged 13 to 16 may opt-in themselves.

A press release from the office of California Attorney General Rob Bonta, who was one of the plaintiffs in the civil suit against the gaming company, said, “Businesses have a legal obligation to protect kids’ data and to comply with important state and federal privacy laws designed to protect children online. Failing to do so puts our kids at risk.”

The complaint against Tilting Point built on an investigation of the SpongeBob game by the Better Business Bureau’s Children’s Advertising Review Unit (CARU). Bonta explains that after the CARU’s study, Tilting Point did take some corrective action, but the plaintiffs found the company was still in violation of both the COPPA and CCPA. They discovered that the game publisher “did not ask age in a neutral manner,” meaning that children were not encouraged to enter their age correctly to be directed to a child-version of the game. Additionally, Tilting Point “inadvertently misconfigured third-party software development kits (SDKs) resulting in the collection and sale of kids’ data without parental consent.”

In addition to the $500,000 in civil penalties, the settlement agreement requires Tilting Point to comply with COPPA by adhering to all laws pertaining to individuals under 13 as stated in 16 Code of Federal Regulations Section 312.2. This section defines personal information gathered from a child by “any means, including “requesting, prompting, or encouraging a child to submit personal information online.”

It also permits website operators to avoid legal liability if they “take reasonable measures to delete all or virtually all personal information from a child’s postings before they are made public.” In addition, COPPA prohibits “passive tracking of a child online.” This section of the law automatically applies to all apps and games that feature characters from SpongeBob SquarePants, according to the settlement’s injunctive remedies. The settlement also requires Tilting Point to give direct notice to parents of its information practices on its home or landing page.

Similarly, Tilting Point is ordered by the settlement to comply with California Civil Code 2018, Section 1798.135, which requires businesses to “provide a clear and conspicuous line to the business’s internet page, titled “Do Not Sell My Personal Information.” It prohibits the company from selling or sharing any personal information about children if it has “actual information” about a consumer who is under 16.

Another section of the CCPA regulates SDKs aimed at children. These are collections of software development tools combined into one package that permit “advanced functionalities” such as ads. The settlement requires Tilting Point to implement policies that assure SDKs are used in compliance with state and federal consumer protection and privacy laws.

To assure long-term compliance, the settlement also requires Tilting Point to “implement and maintain a program to assess and monitor its websites and online services directed to children…: to document and share the results of this review and assessment with the People in an annual report.” This report must assess its compliance with the settlement, evaluate its privacy and policies, and report on parental consent requirements. The settlement divides the $500,000 in half between the offices of California’s Attorney General and the Los Angeles City Attorney.

Bonta’s press release includes a strong statement of justification for the Attorney General’s actions and the new settlement. He said, “As children spend an increasing amount of time online, both on websites and using mobile apps, we will use every enforcement tool to ensure compliance with the law and that companies exercise diligence with privacy law requirements.”