Alleging violations of the Children’s Online Privacy Protection Act (COPPA) and state consumer protection law, New Mexico Attorney General Hector Balderas filed suit against app maker Tiny Lab Productions.
The AG charged that the Lithuania-based company and its contracted advertisers failed to obtain explicit, verifiable parental consent to collect data, including identifiers and geolocation data, from children under the age of 13 and neglected to give notice of the data collection and use.
According to the complaint, Tiny Lab’s apps, including Fun Kid Racing, GummyBear and Candy Land Racing, are “clearly and indisputably designed for children.” They are classified as “E for Everyone” and advertised as for kids age 2–10 years.
“While children and their parents think that the Tiny Lab Gaming Apps are innocent, online games—the digital equivalent of puzzles, blocks or books—Defendants have embedded coding in the apps that allows them to exfiltrate children’s data as they play,” the AG alleged. “These bits of coding are called software development kits (or SDKs). Tiny Lab and each SDK Defendant work together to place the SDKs in the Gaming Apps. Once embedded, the SDKs allow the app to communicate directly with the advertising companies, sending data and advertisements back and forth.”
In addition to the building of detailed profiles of the child users, the data is also shared with and sold to “myriad third parties,” the AG added. “All this activity serves one primary purpose: to learn more about the child in order to send her highly-targeted advertisements.”
The state uncovered the conduct by using advanced custom analytics and network analysis tools, the complaint explained. As a result, the AG was able to record network traffic as personal data left the child’s device and identify when the defendants received the information.
“This action is brought to protect children in the State of New Mexico from Defendants’ surreptitious acquisition of their personal information for the purposes of profiling and targeting them for commercial exploitation,” the complaint alleged. “The risks associated with exfiltration of personal data, including but not limited to location data, apply with greatest force when the privacy of children is at stake. Children have a long- and widely-recognized vulnerability which can be—and here is—exploited through the immediacy and ease with which information can be collected from them, and the ability of the online medium—including apps on smartphones and tablets—to circumvent the traditional gatekeeping role of their parents and guardians.”
The complaint seeks a permanent injunction to prevent future violations of federal and state law, as well as monetary civil penalties, the costs of investigation and reasonable attorneys’ fees for the state.
To read the complaint in New Mexico v. Tiny Lab Productions, click here.
Why it matters: The 85-page complaint details the defendants’ alleged violations of both COPPA and New Mexico’s Unfair Practices Act. The high-profile lawsuit was meant to capture the attention not just of tech companies, as the New Mexico AG hopes to spark a trend to enforce privacy rights. “This is as much a black eye on the federal government as [on] the tech space,” Balderas told the New York Times. “I’m trying to get lawmakers at the federal level to wake up.”