<b><i>Online Extra</b></i><br> Disney, App Partners Hit With Suit Under Child Privacy Law

The Disney Princess Palace Pets app allows children to play with, bathe and accessorize about 10 different virtual pets. Sounds innocent enough.

But according to a new lawsuit, The Walt Disney Co. and its software partners are illegally using the app — and dozens of others aimed at kids — to track the online activity of youngsters to serve them targeted ads. Disney and three software companies were hit with a class action complaint last month claiming Princess Palace Pets violates a federal law designed to protect children's privacy while online.

Lawyers at Carney Bates & Pulliam and Lieff Cabraser Heimann & Bernstein filed the suit on behalf of a San Francisco woman whose daughter uses the app. The suit claims Disney's software partners—Upsight Inc., Unity Technologies SF and Kochava Inc.—harvested personally identifiable information from players under the age of 13 in violation of the Children's Online Privacy Protection Act, or COPPA. The suit seeks unspecified damages and an injunction barring further violation of COPPA, the 1999 federal law that requires online services to get parental permission before collecting identifying information of anyone younger than 13.

Disney previously agreed to pay $3 million in May 2011, the largest COPPA penalty to date, to settle charges the Federal Trade Commission brought against its gaming subsidiary Playdom Inc.

A Disney spokesman said in an emailed statement the company has ”a robust COPPA compliance program” and that Disney has strict data collection policies for apps created for children. “The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in court,” the spokesman wrote.

In the complaint, plaintiffs claim Disney allows its technical partners to install their own proprietary code — so-called “software development kits” or SDKs — within Disney's gaming apps. According to the complaint, although that code doesn't track traditional identifiers like names, email addresses or Social Security numbers, it does detect persistent identifiers such as the unique numbers associated with a particular mobile device.

“These persistent identifiers allow SDK providers to detect a child's activity across multiple apps and platforms on the internet, and across different devices, effectively providing a full chronology of the child's actions across devices and apps,” wrote Hank Bates of Carney Bates and Michael Sobol of Lieff Cabraser. “Permitting technology companies to obtain persistent identifiers associated with children exposes them to the behavioral advertising (as well as other privacy violations) that COPPA was designed to prevent.”

The suit seeks to certify a class covering about three dozen states to bring invasion of privacy claims. It also seeks to certify a California subclass to pursue claims under the state's constitutional right to privacy.

Neither Bates nor Sobol responded to messages.

*****
Ross Todd is bureau chief of The Recorder in San Francisco, an ALM sibling of Internet Law & Strategy. He writes about litigation in the Bay Area and around California. Contact Ross at [email protected]. On Twitter: @Ross_Todd.