Mom Sues Disney for Privacy Invasion of Kids
Mom’s Lawsuit Against Disney for Invading Kids’ Privacy Settled
A California mom won her lawsuit against Disney and some of its software partners for allegedly collecting personal information about her kids through mobile phone game apps. What’s more, the resulting settlement revises how mobile app developers can collect and use child’s data.
The initial complaint filed by Amanda Rushing alleged that Disney’s software placed unique identifiers on mobile phones that can track app users – both in and out of gameplay – so Disney’s partners could serve targeted advertising.
That set up the usual debate about what constitutes personal information. Corporations that target ads usually claim they anonymize such data. Privacy advocates reject such claims arguing that people can be identified with just a few data points.
Rushing’s case was combined with two others to create a class-action lawsuit against Disney, Viacom, and others.
Settlement protects children’s online privacy
In the settlement, Disney and the other companies agreed to limit data collection and behavioral advertising techniques in children’s apps.
The paperwork filed by the plaintiffs’ lawyer regarding the settlement said, “children will be protected from advertising based on any past online activities or any previously collected data in the subject app or anywhere else on the internet … No personal data collected from a current app session can be used in any manner to target that user in future sessions in the same app, across other apps, or elsewhere on the internet.”
It’s worth noting that the class plaintiffs did not seek any damages in the settlement. There were some small amounts for the named plaintiffs, but otherwise the parties agreed to injunctive relief, which is rare in class action cases.
To better understand the settlement’s impact, it’s worth reviewing how the case unfolded.
Federal Law Shields Kids
Federal law, specifically the Child Online Privacy Protection Act (COPPA), has strict rules about what can be collected from kids under age 13. The Federal Trade Commission weighed in on the issue, making clear that unique identifiers fall under COPPA, meaning they generally shouldn’t be used or collected when kids are involved.
Rushing’s lawsuit claimed Disney and its partners violated COPPA, but COPPA does not provide a “private right of action.” That is to say: Consumers can’t sue “under COPPA” and get anything; they can merely ask a federal agency (the FTC) to fine the violator.
As a result, the lawyers in the case seized upon the “intrusion upon seclusion” tort. This legal strategy is generally used when someone’s physical space is violated – such as sneaking into a home or hotel room. Douglas I. Cuthbertson, a lawyer at the firm pressing the case, noted the concept had been used in previous digital privacy cases – specifically invasion of privacy cases involving Vizio (smart TVs) and Nickelodeon (tracking videos watched).
Insight on Intrusion Upon Seclusion
According to Harvard’s publication of the American Law Institute’s guide to torts, here’s what intrusion upon seclusion requires:
“The invasion may be by physical intrusion into a place in which the plaintiff has secluded himself, as when the defendant forces his way into the plaintiff’s room in a hotel or insists over the plaintiff’s objection in entering his home. It may also be by the use of the defendant’s senses, with or without mechanical aids, to oversee or overhear the plaintiff’s private affairs, as by looking into his upstairs windows with binoculars or tapping his telephone wires. It may be by some other form of investigation or examination into his private concerns, as by opening his private and personal mail, searching his safe or his wallet, examining his private bank account, or compelling him by a forged court order to permit an inspection of his personal documents.”
Criteria Must be Met
To succeed in such a case, the Digital Media Law Project notes it must pass a four-pronged test:
- First, that the defendant, without authorization, must have intentionally invaded the private affairs of the plaintiff;
- Second, the invasion must be offensive to a reasonable person;
- Third, the matter that the defendant intruded upon must involve a private matter; and
- Fourth, the intrusion must have caused mental anguish or suffering to the plaintiff.
In the Disney lawsuit, the plaintiffs’ lawyers used the alleged COPPA violation to establish that the data collection was offensive and passed several of those tests.
Proving Injury Difficult
When the suit was initially filed, some experts noted that while the intrusion upon seclusion legal strategy had been deployed in data breach lawsuits before, the fourth part of the test was the trickiest to meet. After all, while damages and financial compensation for torts such as injury in a car accident are well established, how can you measure the harm in collecting someone’s personal data?
That was essentially the argument that Disney, Viacom, and the other defendants made to the court. They urged U.S. District Court Judge James Donato to dismiss the case because the tracking did not cause any material injury.
Donato rejected that argument. Pointing to changing privacy norms, he wrote, “Current privacy expectations are developing, to say the least, with respect to a key issue raised in these cases – whether the data subject owns and controls his or her personal information, and whether a commercial entity that secretly harvests it commits a highly offensive or egregious act.”
That ruling enabled the class action to move forward, which may have prompted the parties to settle.