SDKs and COPPA: An Overview of the Recent Court Order in the New Mexico Attorney General COPPA Lawsuit, Daniel Goldberg, Amy Lawrence

Over the last few months, we’ve witnessed some major developments around SDKs and privacy. In February, the SDK defendants named in the consolidated McDonald/Rushing putative COPPA class action settled with plaintiffs. In late March, Zoom experienced a PR nightmare due, in part, to its inclusion of the Facebook SDK in its platform (discussed further in our Zoom blog). In mid-April, the Ninth Circuit reinstated a lawsuit against Facebook for alleged privacy violations in connection with its use of tracking technologies on third party websites. And this past Wednesday, the US District Court for New Mexico granted a motion to dismiss, the privacy claims against ad networks providing SDKs in child-directed apps.

In this blog, we’ll break down the New Mexico District Court order, and provide some observations from the decision. We are also using this blog as a springboard for a follow-up webinar that will discuss the state of affairs for SDKs and privacy. More to follow on the webinar soon.

Background on the New Mexico District Court Case

In September 2018, the New Mexico Attorney General filed a lawsuit against the mobile game developer Tiny Lab, app store operator Google, ad network Google/AdMob, and several ad networks including InMobi/AerServ, Applovin, and ironSource (collectively referred to as the “SDK Defendants”). The AG alleged that Tiny Lab embedded SDKs from Google/AdMob and the SDK Defendants in its child-directed apps, which collected personal information from children as they played games like “Fun Kid Racing” and “Candy Land Racing,” in violation of COPPA.

As a quick refresher, SDKs (Software Development Kits) are software tools that help a developer include certain functions in an app. In this case, the SDKs were provided by ad networks to serve ads during gameplay. These SDKs allegedly collected persistent identifiers and geolocation from the apps (both “personal information”’ under COPPPA), relayed that information to servers operated by the ad networks, and then allowed for advertising to be served within the apps based on the user’s behavior both within the game and across the Internet. Although the SDKs in this case were used for advertising, SDKs may be used for many other purposes; for example, some SDKs can be used to authenticate user accounts through a third party service (such as Facebook Sign-In).

Back to the complaint, the New Mexico AG sought three counts of relief against Tiny Lab, Google/AdMob, and the SDK Defendants for:

(1) violation of COPPA, based on the collection and use of “personal information” without first obtaining verifiable parental consent;

(2) violation of New Mexico’s Unfair Practices Act (UPA); and

(3) intrusion upon seclusion. In addition, the New Mexico AG sought a separate count of relief against Google for violation of New Mexico’s UPA in connection with the Google Play Store.

The Ruling

The SDK Defendants and Google brought 12(b)(6) motions to dismiss the complaint for failure to state a claim, and the court issued its ruling on the Wednesday (this followed a separate motion to dismiss based on standing, which was denied). The court granted the SDK Defendants’ motion to dismiss on all counts with prejudice (claims against Google were allowed to proceed, but that’s another blog post).

The COPPA Claim against the SDK Defendants

The court’s dismissal of the COPPA claim against the SDK Defendants hinged on the parties ‘actual knowledge’ that the SDKs collected personal information from children. According to the court, COPPA carries different compliance standards for app operators versus ad networks. App operators, such as Tiny Lab, are subject to a strict liability standard under COPPA where their content is directed to children, even if they don’t know children are on the app. In contrast, ad networks, such as the SDK Defendants, are held to an actual knowledge standard, and only violate COPPA if they actually know that the apps in which their SDKs are embedded are directed toward children.

The AG asserted a number of arguments asserting that the SDK Defendants did have actual knowledge, which can be distilled to three: (1) their servers received the app title, which indicated that the app was child-directed; (2) the SDK Defendants served child-directed ads, demonstrating they knew the users were children; and (3) Tiny Lab directly communicated the child-directed nature of its content to the SDK Defendants.

The court found all arguments unpersuasive.

The court rejected the first argument on the basis that the name of the app constituted, at best, constructive knowledge of the child-directed nature of the apps. But even that was unlikely, because titles are not included in the factors enumerated by COPPA for evaluating whether an app is directed toward children (even if it is “Fun Kid Racing”). COPPA’s enumerated factors include subject matter, language, visual, music, or audio content, and use of animated characters or child-oriented activities, among other things.

The court rejected the second argument on the basis that the ability of a server to collect information and serve ads does not demonstrate that the ad network had awareness of the identity of the user. The court stated that a plaintiff must allege that a person recognized the child-directed nature of the apps, and the plaintiff made no such allegation in the complaint. According to the court, servers are not sentient, and serving targeted ads in response to an SDK signal “would establish no more than that their servers – as opposed to any of their representatives – recognized the data that they received.” It would defeat the purpose of requiring an actual knowledge standard for co-operators under COPPA if transmission of information from an SDK to servers alone could be deemed actual knowledge.

Finally, the court rejected the third argument because the complaint did not allege any direct communications from Tiny Lab to the SDK Defendants, except via servers.

The State Law Claims against the SDK Defendants

The court dismissed the UPA and intrusion upon seclusion claims against the SDK Defendants on grounds that COPPA includes an express preemption of state or local laws that are inconsistent with COPPA. The court found that because the alleged activity of the SDK Defendants did not amount to a violation of COPPA, the plaintiff could not proceed with its state law claims.

Observations

This ruling is good news for SDK developers as the trend toward private COPPA litigation continues. Below are some quick take-aways based on the court’s reasoning:

Actual knowledge is a high standard, and may require allegations that an individual knew of the child-directed content (but not all courts may support that position).
This court found there is no distinction in liability under COPPA between apps primarily directed toward children and those directed toward mixed audiences. An age-gate won’t insulate you from liability if you have actual knowledge that the content is directed to children (and neither will declarations/COPPA flags regarding the audience).
We’ve said it before, but if you are doing an internal review, be prepared to take action to comply with COPPA. You may acquire knowledge that you are serving children.
The court rejected an argument from Google that behavioral advertising fell within support for internal operations. The support for internal operations exception is narrow, and companies should be careful relying on it.
Be careful in your contract wording, you may not be able to rely on provisions shifting COPPA liability to another party.