Settlement indicates SDKs are on the hook for privacy

While some have waved a dismissive hand at the Disney/adtech settlement approved by a California judge on April 13, others say it could have an impact on the entire adtech ecosystem. 

In three separate class-action lawsuits, plaintiffs alleged Disney, Viacom, Twitter, ViacomCBS and more than 10 adtech companies tracked or allowed tracking technology to be deployed on various children's mobile gaming apps.

The settlement doesn't include any monetary relief, but it does require the companies to stop using tracking technologies to track children. That's where the critics come in: Essentially, the settlement tells the companies to stop doing the illegal things they were doing and start behaving well. That's not a real win for privacy, just a return to what should have been the status quo. 

Typically, the U.S. Federal Trade Commission files complaints about alleged violations of the Children's Online Privacy Protection Act, the governing children's privacy law. But this case relied on children's Constitutional state rights to an "expectation of privacy," as well as a handful of state privacy statutes. 

Besides the novel approach to the lawsuit, the difference between this settlement and others is the implication of SDKs or software development kits. In plain language, SDKs are pieces of code that allow for specific functions within apps, and they're often deployed for sites by third-party developers. 

In 2020, New Mexico's attorney general filed a lawsuit claiming a Google PlayStore app and its advertisers were collecting children's personal data via their SDKs without parental consent, a COPPA violation. A judge found the suit against Google could proceed, dismissed claims against its SDK providers. The judge said the SDKs couldn't have been expected to have "actual knowledge" — important language under COPPA, for what it's worth — that it was collecting children's data. But because Google had reviewed the apps in question twice — including apps called "Fun Kid Racing," "Candy Land Racing" and "GummerBear and Friends Speed Racing" — Google did have actual knowledge it was collecting children's data. It should have protected that data accordingly. 

But there's been a growing push to hold SDKs accountable as well. In October 2020, Google removed three apps targeting children from its GooglePlay store following research from the International Digital Accountability Council. The IDAC found the SDKs the apps deployed were leaking data. 

And that's what makes this settlement important, according to Linette Attai, founder of consulting firm PlayWell. Yes, COPPA has always prohibited the behavioral targeting of children. But this case brought SDK providers into the mix.

"The settlement outlined some specific steps those companies need to take to learn whether the developer's product is intended for children and, if so, to operate accordingly," she said.  

In the past, said Joe Jerome of Common Sense Media, SDKs have relied on COPPA's actual knowledge standard that allowed them to deny they knew they were collecting children's data; that was the developer's domain. 

SDKs have been "a real thorn in the side of privacy advocates," Jerome said. "Almost every developer and app are putting out SDKs, and there are ways data is shared or leaked via SDKs that's not compliant with COPPA. The concern has always been it incentivized a lot of bad behaviors and putting heads in the sand because of this data ecosystem with data going everywhere and SDKs saying: 'I didn't know,' and then not having to comply with COPPA," he said. 

Of course, it's always crucial for operators to vet their third-party vendors, said Attai. The settlements mean SDK providers should no longer shrug their shoulders and expect operators to take the fall. 

"These SDK providers also now need to verify whether the products they're operating in are intended for children by taking steps such as getting affirmations about the audience from the developer, leveraging signals from third parties such as app store platforms, etc., and to configure their services accordingly," she said. That means limiting data collection and avoiding profiling or behavioral targeting. 

While all of the settlements differ from each other on specifics, most require the operator or SDK to sweep its database for kid-related keywords to identify any children's data collected and delete it. The Disney settlement requires it to remove SDKs in any apps directed at kids. Comscore must identify its kids-app categories, and it's prohibited from collecting device IDs from any user of those apps. 

"The keyword provisions of the settlement say it's an app that the SDKs knew or should have known was targeted or directed at kids," Jerome said.

And while many poo-pooed the settlement as a nothing-burger, "The reality is it affects a bunch of really large players," Jerome added. "It's swiping at Disney, which is not nothing, and a lot of the major SDKs that are deployed by thousands and thousands of apps." 

Attai said the last time the Federal Trade Commission updated COPPA, some SDK providers stood down from children's apps, "then quickly came back in with solutions that met the requirements." 

If the settlement has significant implications, it may be that we soon see a similar trend.