Earlier this month, three class action lawsuits were filed against companies for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). These lawsuits are raising eyebrows as COPPA does not provide for a private right of action, and a potential class certification could open the floodgates for COPPA-based lawsuits. Given these lawsuits and the recent enforcement actions brought by the FTC and the New York State Attorney General, companies more than ever need to understand their responsibilities and obligations under COPPA and maintain measures for compliance.
As a quick summary, the three complaints were all brought by the same two law firms and filed within a week of each other in the U.S. District Court for the Northern District of California. The first complaint was brought against Kiloo, the second against Disney, and the third against Viacom. The complaints allege that each of the companies placed third-party tracking technologies in their child-directed mobile apps and games for online behavioral advertising purposes. According to the complaints, these technologies collected from children persistent identifiers (i.e., unique device IDs) considered to be “personal information” under COPPA, therefore requiring verifiable parental consent — something allegedly not obtained by the defendants. Notably, COPPA allows for enforcement by the FTC and state attorneys general, but does not provide for a private right of action.
If there is no private right of action, what is the basis for the lawsuits?
To get around the fact that COPPA has no private right of action, the plaintiffs argue that by violating COPPA, the companies and their technology providers violated the plaintiffs’ reasonable expectations of privacy in their mobile devices and online behavior. According to the plaintiffs, such violations constituted: (i) a breach of the common law claim for intrusion upon seclusion; (ii) a violation of the right to privacy under the California Constitution, Article I, Section 1; and (iii) for the Kiloo matter, a violation of the New York General Business Law § 349. The plaintiffs seek actual, statutory, and punitive damages, injunctive relief, and attorneys’ fees and costs.
While these claims might seem far-fetched, similar allegations have survived the pleading stage in at least one Circuit. According to the Second Restatement of Torts, an intrusion upon seclusion claim requires a plaintiff to show: (i) an intentional intrusion; (ii) upon the seclusion of another; (iii) that is highly offensive to a reasonable person. Last year, the U.S. Court of Appeals for the Third Circuit in In Re Nickelodeon Consumer Privacy Litigation vacated a District Court’s dismissal of a similar intrusion upon seclusion claim also predicated on alleged COPPA violations. In that case, the Court of Appeals found that the plaintiffs’ intrusion upon seclusion claim was not preempted by COPPA and that the plaintiffs had adequately alleged the elements of a claim. The case was remanded and is still pending at the District Court level.
Throwing an additional wrench into the analysis is that courts recently have been softening the burden on plaintiffs for establishing Article III standing in connection with alleged violations of federal privacy statutes. Last week, on remand from the Supreme Court, the U.S. Court of Appeals for the Ninth Circuit in Spokeo issued a decision that the plaintiff’s allegations of harm under the Fair Credit Reporting Act were not mere technical violations but rather sufficiently concrete and particularized injuries as to satisfy Article III standing. Although COPPA does not provide a private right of action, it is not impossible that a court might allow an intrusion upon seclusion claim predicated on an alleged COPPA violation to proceed past the pleadings stage based on the seemingly low bar for establishing Article III standing in connection with an alleged violation of a federal privacy statute.
However the court ultimately treats the claims, there are some key takeaways:
- Remember that the definition of personal information under COPPA is much broader than simply names, email addresses, and phone numbers. The passive collection of data through cookies, tags, pixels, and other tracking technologies also triggers the rule. If you are operating a child-directed service, make sure you understand what tracking technologies are on your service, and that your use of the technologies complies with COPPA.
- The plaintiffs did not just name the app operators in their complaints; they also named the technology providers. Most parties in the app ecosystem have responsibilities and obligations under COPPA and other applicable laws and regulations. Know yours.
- Consumer awareness of COPPA is increasing. Expect to encounter more requests for information about your compliance with COPPA. Record your compliance and have policies in place for responding to requests from both consumers and regulators.
- The potential penalty for noncompliance is high, even if there is not a private right of action. Don’t lose your business to COPPA violations like the characters in Silicon Valley.