Disney Sued for Spying on Kids With Apps

By Christopher Coble, Esq. on August 09, 2017 | Last updated on March 21, 2019

The Child Online Privacy Protection Act (COPPA) makes it illegal for app developers and third-parties to obtain the personal information of children under 13 years of age without first obtaining verifiable consent from their parents. The law was designed to keep companies from tracking kids online and targeting ads to unsuspecting children.

But a San Francisco mother claims Disney is using over 40 apps to spy on children, secretly collecting their personal information and sharing data illegally with advertisers. So is Disney really tracking your kids online? And if so, which apps do you need to look out for?


Under COPPA:

It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child [without] provid[ing] notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator's disclosure practices for such information; and ... obtain[ing] verifiable parental consent for the collection, use, or disclosure of personal information from children.

According to Amanda Rushing's class action lawsuit, filed on behalf of her child, Disney and app developers use software development kits (SDK) to collect "persistent identifiers," like unique numbers linked to a specific mobile device. "These persistent identifiers allow SDK providers to detect a child's activity across multiple apps and platforms on the internet, and across different devices," the complaint alleges, "effectively providing a full chronology of the child's actions across devices and apps. This information is then sold to various third-parties who sell targeted online advertising."

App-ocalypse Now

Along with Disney Princess Palace Pets, which Rushing claims her child was playing, the lawsuit alleges Disney collected persistent identifiers with the following apps and games:

AvengersNet, Beauty and the Beast: Perfect Match, Cars Lightening League, Club Penguin Island, Color by Disney, Disney Color and Play, Disney Crossy Road, Disney Dream Treats, Disney Emoji Blitz, Disney Gif, Disney Jigsaw Puzzle!, Disney LOL, Disney Princess: Story Theater, Disney Store Become, Disney Story Central, Disney's Magic Timer by Oral-B, Disney Princess: Charmed Adventures, Dodo Pop, Disney Build It Frozen, DuckTales: Remastered, Frozen Free Fall, Frozen Free Fall: Icy Shot, Good Dinosaur Storybook Deluxe, Inside Out Thought Bubbles, Maleficent Free Fall, Miles from Tomorrowland: Missions, Moana Island Life, Olaf's Adventures, Palace Pets in Whisker Haven, Sofia the First Color and Play, Sofia the First Secret Library, Star Wars: Puzzle Droids™, Star Wars™: Commander, Temple Run: Oz, Temple Run: Brave, The Lion Guard, Toy Story: Story Theater, Where's My Water?, Where's My Mickey?, Where's My Water? 2, Where's My Water? Lite/ Where's My Water? Free, Zootopia Crime Files: Hidden Object

Recent guidance from the FTC suggests that persistent identifiers do qualify as personal information under the statute. But Disney told the Hollywood Reporter it "has a robust COPPA compliance program, and ... maintain[s] strict data collection and use policies for Disney apps created for children and families."

Related Resources:

Copied to clipboard