The suit argues that Disney allows its technical partners including Upsight, Unity, Kochava, and other ad tech companies install proprietary code—so-called "software development kits" or SDKs—within Disney's gaming apps such as the Disney Princess Palace Pets app.
"These persistent identifiers allow SDK providers to detect a child's activity across multiple apps and platforms on the internet, and across different devices, effectively providing a full chronology of the child's actions across devices and apps,” the class action lawyers said in the complaint. "Permitting technology companies to obtain persistent identifiers associated with children exposes them to the behavioral advertising (as well as other privacy violations that COPPA was designed to prevent."
The class action lawyers argue the software is used to capture children's personal information along with information about their online behavior, which is then sold to third party companies which track the children's behavior across multiple apps and devices for subsequent ad targeting.
A Disney Company Spokesperson told SC Media: “Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court.”
Security pros agree it's too soon to make assumptions in the case, and High-Tech Bridge CEO Ilia Kolochenko said even if Disney is found liable it's unlikly that the class action will recover much money. Other researchers said they felt they lawsuit is worrisome from an overall privacy standpoint.
COPPA mandates that parents must provide consent if personally identifiable information about a child is collected and stored by the company or service, Dasha Cherepennikova, chief strategy officer at One World Identity, told SC Media.
“The definition of personally identifiable information includes the concept of persistent identifiers -- mechanisms such as cookies, unique device identifiers, or IP addresses, that can be used to identify a user over time and across different sites, even if the user's name and address are not collected,” Cherepennikova said. “Unfortunately, the very definition of what constitutes 'personally identifiable' is open for debate as new technologies and services emerge.”
The case also has potential to answer unresolved questions concerning COPPA laws.
It's important the truth comes to light and that Disney will have its day in court, HYPR CEO George Avetisov told SC Media. “It will either exonerate Disney and its partners, or help fill previously unknown COPPA loopholes,” Avetisov said. “Finding these answers is critical to living in a technically secure world we all are excited to be a part of.”