A United States class action complaint against the Walt Disney Company has alleged that it is collecting personally identifying information via a series of children's smartphone apps "for future commercial exploitation" in contravention of the Children's Online Privacy Protection Act (COPPA).
The complaint [PDF] also names Disney Enterprises, Disney Electronic Content, Upsight, Unity Technologies, and Kochava as defendants, with the latter three companies responsible for supplying SDKs for Disney's apps.
The class action was brought by parents on behalf of their children and filed in the District Court in the Northern District of California San Francisco/Oakland division, and demands a trial by jury.
The parents are seeking punitive damages, injunctive relief preventing the collection of such information, and to sequester the allegedly illegally obtained information.
COPPA protects the data privacy of children under the age of 13, with the complaint alleging that information is being collected and onsold to third parties for the purposes of targeted advertising across different websites and apps.
"Children's personal information is captured from them, as is information of their online behavior, which is then sold to third parties who track multiple data points associated with a personal identifier, analyzed with the sophisticated algorithms of big data to create a user profile, and then used to serve behavioral advertising to children whose profile fits a set of demographic and behavioral traits," the complaint said in explaining the general process.
"Children are especially vulnerable to online tracking and the resulting behavioral advertising. As children's cognitive abilities still are developing, they have limited understanding or awareness of sophisticated advertising and therefore are less likely than adults to distinguish between the actual content of online gaming apps and the advertising content that is targeted to them alongside it."
The apps -- which the plaintiffs collectively referred to as the "game tracking apps" -- named in the complaint include Disney Princess Palace Pets, AvengersNet, Beauty and the Beast: Perfect Match; Cars Lightening League; Zootopia Crime Files: Hidden Object; Frozen Free Fall; Frozen Free Fall: Icy Shot; Inside Out Thought Bubbles; Moana Island Life; Olaf's Adventures; Star Wars: Puzzle Droids; Star Wars: Commander; Maleficent Free Fall; Club Penguin Island; Color by Disney; Disney Color and Play; Disney Crossy Road; Disney Dream Treats; Disney Emoji Blitz; and Disney Gif.
Also named are Disney Jigsaw Puzzle!; Disney LOL; Disney Princess: Story Theater; Disney Store Become; Disney Story Central; Disney's Magic Timer by Oral-B; Disney Princess: Charmed Adventures; Dodo Pop; Disney Build It Frozen; DuckTales: Remastered; Good Dinosaur Storybook Deluxe; Miles from Tomorrowland: Missions; Palace Pets in Whisker Haven; Sofia the First Color and Play; Sofia the First Secret Library; Temple Run: Oz; Temple Run: Brave; The Lion Guard; Toy Story: Story Theater; Where's My Water?; Where's My Mickey?; Where's My Water? 2; and Where's My Water? Lite/Where's My Water? Free.
"Extensive analysis conducted as to each of Disney's game tracking apps and as to each SDK Defendant, found substantial evidence that each of these child-directed apps collects and uses children's persistent identifiers," the complaint alleges.
"Disney collects and maintains personal information about the users of the game tracking apps, including users under the age of 13, and permits the SDK defendants to embed their advertising SDKs to collect those users' personal information and use that information to track those users over time and across different websites and online services.
"Disney has control over and responsibility for any advertising and data mining permitted by or undertaken in the game tracking apps. Disney has failed to safeguard children's personal information and ensure that third-parties' collection of data from children is lawful."
The complaint also referred to Disney's prior contravention of COPPA, when subsidiary Playdom was ordered to pay a $3 million civil penalty -- the largest penalty ever handed down under the legislation -- for allegedly collecting and disclosing personal information from children without obtaining verifiable consent from their parents.
"As part of a consent decree governing the settlement, Playdom, and 'all persons in active concert or participation with them', were enjoined from, among other things, not obtaining verifiable parental consent before collecting, using, or disclosing person information from children from any website or online service directed to children," the complaint added.
According to the complaint, the Center for Digital Democracy had approached the Federal Trade Commission about Disney's MarvelKids.com website back in 2014, concluding that it was in violation of COPPA and that this was likely also the case "on Disney's other child-directed websites".
According to LA Biz Journal, Disney responded to the lawsuit by saying it has "a robust COPPA compliance program".
"We maintain strict data collection and use policies for Disney apps created for children and families," Disney reportedly said.
"The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in court."