Over the last few months, we’ve witnessed some major developments around SDKs and privacy. In February, the SDK defendants named in the consolidated McDonald/Rushing putative COPPA class action settled with plaintiffs. In late March, Zoom experienced a PR nightmare due, in part, to its inclusion of the Facebook SDK in its platform (discussed further in our Zoom blog). In mid-April, the Ninth Circuit reinstated a lawsuit against Facebook for alleged privacy violations in connection with its use of tracking technologies on third party websites. And this past Wednesday, the US District Court for New Mexico granted a motion to dismiss, the privacy claims against ad networks providing SDKs in child-directed apps.

In this blog, we’ll break down the New Mexico District Court order, and provide some observations from the decision. We are also using this blog as a springboard for a follow-up webinar that will discuss the state of affairs for SDKs and privacy. More to follow on the webinar soon.

  • Background on the New Mexico District Court Case


Continue Reading SDKs and COPPA: An Overview of the Recent Court Order in the New Mexico Attorney General COPPA Lawsuit

Authored by Shely Berry and Amy Lawrence.

The creativity with which people around the world have responded, and continue to respond, to this pandemic in addressing the needs of others is remarkable. Virtual educational services, or “EdTech”, are one of the most visible needs as schools around the world transition to online learning. Many companies are highlighting the educational aspects of their current products and services or creating entirely new products and services that fall squarely within the EdTech industry. The goal: to assist those who now find themselves trying to figure out how to be safe at home, “teach children,” and focus on the ninety-nine other tasks that have to be completed at the exact same time.

It’s one thing if you made your online guitar lessons free for a general audience (thank you, Fender), but another if you provide products and services for educational purposes. You may find yourself subject to several state and federal privacy laws. At least 40 states have one or more such laws.

This blog post highlights the state laws that regulate the EdTech industry by aligning with California’s 2014 law, known as the Student Online Personal Information Protection Act (“SOPIPA”). Twenty-four states and the District of Columbia have SOPIPA-type laws aimed at limiting the use of personal information (and similarly defined terms) collected from students through EdTech products or services.
Continue Reading When it Comes to Virtual Learning, Privacy Isn’t as Easy as 2 + 2 = 4

This week, the New York State Attorney General announced a $4.95 million settlement with Oath Inc., the result of an investigation into violations of the Children’s Online Privacy Protection Act (“COPPA”).

The NYAG found that Oath’s ad exchanges transferred persistent identifiers and geolocation from website users to DSP bidders in its automated auction process.  While that may be fine for websites directed to grown-up audiences, COPPA includes persistent identifiers and geolocation in its definition of “personal information.”  And under the law, companies must obtain verifiable parental consent before collecting or using children’s personal information.

But instead of seeking verifiable parental consent, Oath treated all websites (and therefore all user information) the same, despite knowledge that some website inventory on its exchange was directed to children under 13 and subject to COPPA.  And instead of using available technology to avoid the use of children’s information altogether, Oath’s ad exchanges allowed advertisers to collect information on children and display ads on sites targeting children.  The “flagrant” violations of the law led to the largest-ever penalty under COPPA and a settlement agreement provided some remarkable takeaways:


Continue Reading AdTech Provider Hit with Record COPPA Fine

Earlier this month, three class action lawsuits were filed against companies for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). These lawsuits are raising eyebrows as COPPA does not provide for a private right of action, and a potential class certification could open the floodgates for COPPA-based lawsuits. Given these lawsuits and the recent enforcement actions brought by the FTC and the New York State Attorney General, companies more than ever need to understand their responsibilities and obligations under COPPA and maintain measures for compliance.
Continue Reading Class Action Lawsuits over Alleged COPPA Violations Reinforce Importance of Compliance

Last week, the Federal Trade Commission (“FTC”) released a new report, Six-Step Compliance Plan for Your Business, to help companies understand their obligations under the Children’s Online Privacy Protection Act (“COPPA”). In addition to reviewing longstanding COPPA requirements, the report provides important new guidance on how COPPA applies to the rapidly evolving world of connected toys, online games and the Internet of Things (“IoT”). Here’s what you need to know.
Continue Reading Children’s Privacy: FTC Issues New COPPA Guidance for IoT and Connected Devices

Caution: Spoilers Ahead

The plot of last Sunday’s episode of HBO’s fantastic and hilarious show, Silicon Valley, titled “Terms of Service,” was driven entirely by “COPPA,” a somewhat obscure (though probably not to our blog readers) privacy law that stands for the Children’s Online Privacy Protection Act.  As someone who frequently advises clients on COPPA-related issues, this was a really fun episode for me to watch.  So I thought I’d share some of my musings.

Protection concept: computer keyboard with Key icon and word Privacy, selected focus on enter button, 3d render


Continue Reading My Thoughts on HBO’s Recent “Silicon Valley” Episode, “Terms of Service”