In a pair of essentially identical lawsuits, a parent alleged that The Walt Disney Co. and Viacom Inc. ran afoul of the Children’s Online Privacy Protection Act (COPPA) by tracking her child through their apps.

In January 2014, Amanda Rushing downloaded the Disney Princess Palace Pets app, which her child has played on an ongoing basis. Earlier this year, she downloaded Viacom’s Llama Spit Spit app. Both contain embedded software development kits (SDKs) that transmit the personally identifying information of the app user to facilitate behavioral advertising, she alleged.

The app developer and the SDK partners track children’s behavior while they play online games with their mobile devices, by obtaining information such as persistent identifiers. The information allows SDK providers “to detect a child’s activity across multiple apps and platforms on the Internet, and across different devices, effectively providing a full chronology of the child’s actions across devices and apps,” according to Rushing’s complaints filed in California federal court.

App developers and SDKs then use this and other data to “build robust online profiles,” Rushing added. “Viewed in isolation, a persistent identifier is merely a string of numbers uniquely identifying a user, but when linked to other data points about the same user, such as app usage, geographic location (including likely domicile), and Internet navigation, it discloses a personal profile that can be exploited in a commercial context.”

These practices expose children to the very behavioral advertising and other privacy violations COPPA was designed to prevent, the plaintiff claimed. Neither defendant asked Rushing for her verifiable parental consent to collect, disclose or use her child’s personal information, as required by the statute, nor did either provide direct notice with regard to the collection, use and disclosure of her child’s data, she alleged.

Both companies marketed dozens of additional games to children, including Disney’s Star Wars, Puzzle Droids and Frozen Free Fall as well as Viacom’s PAW Patrol Pups to the Rescue and SpongeBob Bubble Party.

The plaintiff cited prior COPPA incidents involving both defendants, such as Viacom’s 2016 settlement with the New York attorney general as part of its Operation Child Tracker investigation, in which the company agreed to pay a $500,000 fine and make “comprehensive reforms” to prevent the improper tracking or commercial profiling of children under the age of 13. The company has also been the subject of multiple complaints filed with the Federal Trade Commission regarding its failure to comply with the statute, she said.

In Disney’s case, Rushing referenced a complaint filed by the Center for Digital Democracy with the FTC asserting COPPA violations found on the MarvelKids.com website, and a $3 million settlement—the largest to date in a COPPA case—by Disney subsidiary Playdom Inc. for violations of the statute.

Both complaints request injunctive and monetary relief (including punitive damages) for violations of COPPA and California privacy law.

To read the complaint in Rushing v. The Walt Disney Company, click here.

To read the complaint in Rushing v. Viacom Inc., click here.

Why it matters: Both companies vowed to fight the lawsuits. “Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families,” the company said. “The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court.” Viacom took a similar position, stating that the company “takes its COPPA compliance very seriously, and we are deeply committed to protecting children’s privacy. We believe the claims are without merit, and we intend to vigorously defend against this action.”