The Walt Disney Company is being sued for allegedly using 42 of its apps and games to illegally collect children’s personal data.
Plaintiff Amanda Rushing argues that Disney tracked her child’s data excessively, did so without parental consent and sold information on to third-party companies that used it for advertising and other commercial purposes. She claims that this is a violation of the Children’s Online Privacy Protection Act (COPPA), a US federal law designed to protect the privacy of children on the web.
Rushing has filed a class action that seeks to represent residents of 35 states, as well as a sub-class of California residents who cite the state’s right to privacy.
Apps can track children’s browsing habits
According to the lawsuit, Disney allowed the software companies that designed the apps and games to embed trackers that can be used to “detect a child’s activity across multiple apps and platforms on the Internet, and across different devices, effectively providing a full chronology of the child’s actions across devices and apps”.
Michael W. Sobol, one of the attorneys who filed the suit, says this is exactly the kind of practice that the COPPA was designed to prevent. In a statement, he said: “As a company long-engaged in the practice of engaging – and profiting from – children, Disney needs to make sure its games and apps comply with the law. They and the companies they work with always have to obtain verifiable parental consent before extracting kids’ data from their mobile devices when kids play Disney’s mobile apps.”
Speaking to the Washington Post, the executive director of the Center of Digital Democracy, Jeffrey Chester, said: “These are heavy-duty technologies, industrial-strength data and analytic companies whose role is to track and monetize individuals. These should not be in little children’s apps.”
However, Disney refuted the allegations in a statement: “Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in court.”
Prepare for the GDPR
Organisations will need to pay extra attention to their obligations for collecting and processing personal data when the EU General Data Protection Regulation (GDPR) comes into effect in May 2018. Although this lawsuit is only looking to represent US residents, Disney – like many companies in the US and across the world – collects vast amounts of data on EU residents.
The GDPR strengthens and expands data subjects’ rights and introduces changes to the way organisations seek consent – particularly when it comes to children.
Our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course can help you understand how the GDPR affects your organisation and what you can do to make sure you comply with it.
This one-day course is available in locations across Europe and is delivered by experienced data protection practitioners. It builds on the foundations of our extensive practical guidance gained advising on compliance with data privacy laws and information security standards, such as ISO 27001.