Naked Security

Parents sue Disney over breaching privacy rules in kids’ apps

Tools built in to Disney apps collect, track and share personal data in breach of law designed to protect kids, alleges lawsuit

Welcome to Disney Princess Palace Pets: according to its Google Play store listing, the mobile game is an “enchanted world” where you can meet Pumpkin, Teacup, Petit and other “adorable pets” that you can e-love and e-groom.

According to a federal lawsuit filed on Thursday in California, it’s also the place where the Walt Disney Co. secretly collects the personal data of children.

In fact, it’s one of 43 Disney apps that embed tracking software that can then “exfiltrate that information off the smart device for advertising and other commercial purposes,” according to the class action suit (PDF).

Named plaintiff Amanda Rushing is suing on behalf of herself and a class of all parents whose kids have played the Disney-branded mobile games, which the lawsuit claims run afoul of the Children’s Online Privacy Protection Act (COPPA).

The lawsuit is against Disney and three makers of software tools embedded in the games that collect and then share the kids’ personally identifying information (PII) in order to “facilitate subsequent behavioral advertising”.

The suit claims that the Disney apps for both iOS and Android fail to ask for parental permission before the apps, using third-party tools, assign unique identifiers to users, and then use those identifiers to track users’ location, as well as what they do in the game and across multiple apps, platforms and devices.

They don’t need the kids’ names or email addresses to do that: they just need to follow them around online to build a “robust online profile”, the suit says:

The ability to serve behavioral advertisements to a specific user no longer turns upon obtaining the kinds of data with which most consumers are familiar (email addresses, etc), but instead on the surreptitious collection of persistent identifiers, which are used in conjunction with other data points to build robust online profiles.

…which is exactly what COPPA was designed to prevent. Congress enacted the legislation in 1999 with the express goal of protecting children’s privacy while they’re online. COPPA prohibits developers of child-focused apps, or any third parties working with such app developers, from obtaining the personal information of children 12 and younger without first obtaining verifiable parental consent.

App developers don’t build their own ad-tracking code; rather, they typically add a third party’s toolkit or library to their code to create, collect and track persistent identifiers that will then be sold to an advertising network or data aggregator.

Other developers will sell additional data on the same child to an advertising network, which will then have that much more data on the child and be able to craft targeted ads ever more precisely. Data on the child can be bought and sold as multiple ad networks swap databases, creating what the suit describes as …

… an increasingly sophisticated and merchantable profile of how, when, and why a child uses her mobile device, along with all of the demographic and psychographic inferences that can be drawn therefrom.

This is far from the first time that Disney’s been sued over alleged COPPA violations. In 2011, the Federal Trade Commission (FTC) fined a Disney subsidiary, Playdom, $3m after finding that it registered about 1.2m users, most of them children, for online games. The FTC’s lawsuit said Disney collected children’s email addresses and ages, and allowed them to volunteer information such as their full names, instant messenger handles and physical locations as part of their online profiles.

In 2014, the Center for Digital Democracy (CDC), a privacy watchdog, asked the FTC to look into Disney’s MarvelKids.com website, which contained a privacy policy in which Disney acknowledged that it collected personal information from children, including persistent identifiers, for reasons that were allegedly impermissible under COPPA.

It also appeared that Disney was permitting third-party advertising SDKs — including two SDK developers named in the current suit — to collect and use children’s persistent identifiers. The CDC concluded that MarvelKids.com was violating COPPA and the same was likely true “on Disney’s other child-directed websites”.

This is the full list of games named in the complaint filed last week:

  • AvengersNet
  • Beauty and the Beast
  • Perfect Match
  • Cars Lightening League
  • Club Penguin Island
  • Color by Disney
  • Disney Color and Play
  • Disney Crossy Road
  • Disney Dream Treats
  • Disney Emoji Blitz
  • Disney Gif
  • Disney Jigsaw Puzzle!
  • Disney LOL
  • Disney Princess: Story Theater
  • Disney Store Become
  • Disney Story Central
  • Disney’s Magic Timer by Oral-B
  • Disney Princess: Charmed Adventures
  • Dodo Pop
  • Disney Build It Frozen
  • DuckTales: Remastered
  • Frozen Free Fall
  • Frozen Free Fall: Icy Shot
  • Good Dinosaur Storybook Deluxe
  • Inside Out Thought Bubbles
  • Maleficent Free Fall
  • Miles from Tomorrowland: Missions
  • Moana Island Life
  • Olaf’s Adventures
  • Palace Pets in Whisker Haven
  • Sofia the First Color and Play
  • Sofia the First Secret Library
  • Star Wars: Puzzle Droids™
  • Star Wars™: Commander
  • Temple Run: Oz
  • Temple Run: Brave
  • The Lion Guard
  • Toy Story: Story Theater
  • Where’s My Water?
  • Where’s My Mickey?
  • Where’s My Water? 2
  • Where’s My Water? Lite/Where’s My Water? Free
  • Zootopia Crime Files: Hidden Object