(CN) — A New Mexico judge found that while Twitter and other software development kit creators can’t be held responsible for collecting the personal information of children using kid-focused apps and games, Google is not off the hook.
In a lawsuit filed in September 2018, New Mexico’s attorney general claimed the maker of a children’s gaming app available on Google sends kids’ location, demographic and other personal information to advertisers without parental consent, risking their safety and violating their privacy. The suit accuses Lithuania-based app maker Tiny Lab Productions and its contracted advertisers of violating the Children’s Online Privacy Protection Act, New Mexico’s Unfair Business Practices Act and the Federal Trade Commission Act.
Other defendants include advertising partners Google and Twitter among other companies.
The lawsuit references 91 Tiny Lab apps designed to be played by children, including “Fun Kid Racing,” “Candy Land Racing,” “Baby Toilet Race: Cleanup Fun,” and “GummyBear and Friends Speed Racing.”
According to the lawsuit, Tiny Lab apps failed to obtain explicit, verifiable parental consent to collect data from children under the age of 13 and did not give notice of the data collection and its use or ensure protection of the data.
“This conduct endangers the children of New Mexico, undermines the ability of their parents to protect children and their privacy, and violates state and federal law,” the complaint states.
The personal information the state says the apps collected included geolocation data — which can reveal the precise location of the child using the app — and identifiers which provide information that can be “reasonably” connected to a specific child, such as their behaviors, demographics and preferences.
In a statement when the lawsuit was filed, Attorney General Hector Baldereas said, “These apps can track where children live, play, and go to school with incredible precision. These multimillion-dollar tech companies partnering with app developers are taking advantage of New Mexican children, and the unacceptable risk of data breach and access from third parties who seek to exploit and harm our children will not be tolerated in New Mexico.”
On Wednesday, U.S. District Judge Martha Vazquez found the ad exchanges and networks Twitter, MoPub, AerServ, InMobi PTE, Applovin, and ironSource USA, all named defendants in the suit, cannot be held responsible for the information gathered through their software developer kits by Tiny Labs and other app developers. Because the data gathered and aggregated isn’t necessarily monitored by a human reviewer, Vazquez found the developer-kit creators cannot be expected to have actual knowledge that Tiny Lab’s apps were directed at children.
“It is clear from the complaint that the ad networks are able to send targeted advertising not because they are aware of who is using the apps, but rather because their servers were designed to process the data collected from the app users and match it with advertising data,” Vazquez wrote. “The only knowledge that this functionality reveals is the knowledge of the coding-savvy individuals who designed the ad networks’ computer programs in the first instance.”
However, because Tiny Lab’s apps were marketed and distributed through Google Play Marketplace, and because the developer’s apps were reviewed on two separate occasions by Google, Vazquez finds that the tech giant did have first-hand awareness that the apps were targeted to children and so cannot claim ignorance of privacy act violations.
Claims against Twitter and the other developer-kit defendants, including Google’s SDK and ad network services, were dismissed, but claims claims against Google under the Children’s Online Privacy Protection Act will advance.
Google is also a defendant in a February 2020 suit brought by the New Mexico attorney general which claims the company has been illegally collecting the personal information of children under the age of 13 through the Google Education service. The state says the company has used Google Education to collect troves of personal information from kids and their families, ranging from the websites users of the service visited to their physical locations, passwords, personal contact lists and even voice recordings. Google categorically denies the claims and the lawsuit is pending.
Tiny Lab’s games are currently unavailable on the Google Play network, though a statement by company president Jonas Abromaitis on the developer’s website asserts the company has not violated privacy rules and is working to resolve the issue with Google.
Regarding the ruling, the Attorney General’s Office offered the following statement: “The judge ruled that the Children’s Online Privacy Protection Act is the more appropriate action against Google for protecting children’s safety online; and we will continue to aggressively litigate to protect children’s safety.”
Google could not be reached for comment on the ruling as of the time of publication.