Tilting Point Media Settles Alleged COPPA and CCPA Violations

As part of an ongoing effort to enforce the California Consumer Privacy Act (CCPA) and the Children's Online Privacy Protection Act (COPPA), the California Attorney General's (CAG) office announced a recent settlement against Tilting Point Media , a mobile game publisher. The settlement marks the third public enforcement action under the CCPA and highlights the growing attention and efforts nationwide to protect children's privacy online and on mobile.

Tilting Point allegedly violated both CCPA and COPPA by collecting and sharing user data, including that of children under the age of 13, without obtaining appropriate consent. The allegations included:

• Tilting Point's age screen did not ask for a user's age in a gender-neutral manner, meaning that children were not encouraged to correctly enter their age in order to be directed to a child version of the game.
• Tilting Point misconfigured third-party software development kits (SDKs), resulting in the collection and sale of children's data without parental consent.

According to the CAG announcement, in addition to paying a fine of $500,000, Tilting Point must also implement and ensure compliance with the following:

• Do not sell or share personal information about consumers under the age of 13 without parental consent, and do not sell or share personal information about consumers who are at least 13 but under the age of 16 without the consumer's affirmative “opt-in” consent.
• In cases where Tilting Point sells or shares children's personal information, provide a “just-in-time notice” explaining what information is being collected, the purpose of collection, whether the information will be sold or shared, and a link to the policy. confidentiality explaining parental consent or opt-in required.
• Use only age-neutral displays that encourage children to enter their age accurately.
• Appropriately configure third-party SDKs to comply with legal requirements related to children's data.
• Implement and maintain an SDK governance framework to review the use and configuration of SDKs in its applications.
• Comply with laws and best practices related to advertising to minors and minimize the collection and use of data from children.
• Implement and maintain a program to assess and monitor its compliance with the judgment, including annual reporting.

Continued Application of the CCPA

Before Tilting Point, the CAG obtained settlements with:

• DoorDash in February 2024 for $375,000 following allegations of mishandling consumer data and failing to provide sufficient CCPA notices and opt-out mechanisms.
• Sephora in August 2022, for $1.2 million, for allegedly failing to disclose the sale of consumer data and failing to provide a clear opt-out option, both violations of the CCPA.

Key points to remember

The Tilting Point settlement offers valuable lessons for businesses, particularly those handling children's data:

• Prioritize transparency: Ensure clear and visible privacy notices that detail data collection, use and sharing practices.
• Obtain verifiable parental consent:Implement a system to obtain verifiable parental consent before collecting any personal information from users under the age of 13.
• Consent to online tracking: implement a system to obtain appropriate opt-in consent before collecting personal information from users under 16 years of age.
• Review third-party relationships: Carefully review data sharing agreements with third-party vendors, especially those involving user data.

The Tilting Point deal is just one example of the growing focus on data privacy, especially when it comes to children. With increasing CCPA enforcement and the adoption of similar laws in the United States and around the world, businesses must prioritize data privacy compliance.