CCPA Radar tracks publicly announced enforcement actions, settlements, and penalty decisions under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Its purpose is to provide a clear, practical view of how California regulators interpret and enforce privacy obligations in real cases.
The radar brings together key information on enforcement trends, including the regulator, the organization involved, the amount of the penalty, the legal basis of the violation, and the core compliance issues identified in each matter. By presenting these cases in one place, CCPA Radar helps privacy, legal, compliance, and security teams better understand which failures most often lead to regulatory action.
More than a list of fines, CCPA Radar is designed as a working compliance resource. It shows how regulators approach topics such as opt-out mechanisms, dark patterns, children’s data, privacy notices, vendor contracts, and the technical implementation of consumer rights. This makes it easier to translate enforcement activity into concrete lessons for internal privacy governance and risk management.
Tilting Point Media LLC
Penalty:
500,00 USD
Children's data; lack of parental consent; non-neutral age screen; misconfigured SDKs
Core issue:
June 17, 2024
Date:
Main public findings:
California DOJ and the Los Angeles City Attorney announced that the SpongeBob: Krusty Cook-Off mobile app collected and shared children's data without required parental consent. The investigation also found that the age screen was not neutral and that third-party SDKs were misconfigured.
Cause of the violation:
Description of events
Recommendations:
Source:
The app's design and third-party SDK setup failed to properly separate child users from the standard data collection and advertising environment, resulting in unlawful collection and sharing of children's data.
The joint investigation concluded that Tilting Point violated the CCPA and COPPA in connection with how the app handled children's data. The settlement required a USD 500,000 payment and imposed injunctive terms covering age screens, notices, consent, and SDK governance.
Use neutral age-gating; configure child-directed versions before any non-essential tracking; review and monitor all SDKs; minimize collection from children; implement separate flows for under-13 users and for teens aged 13 to 15 where opt-in rules apply.