3 minute read
Apps
bid (i.e., paying the highest price to place an ad in the Angry Birds app), or else another ad SDK
might win the bid. Regardless, in its mediation capacity, an SDK is still responsible for acquiring
Advertisement
the child’s Personal Information and passing it on to the winning ad network.
75. Once exfiltrated to the SDK’s servers, the Personal Information harvested from
children playing the Angry Birds Gaming Apps can be combined with other data associated with
those same children via the same persistent identifiers or other data (e.g., online activity or
demographics) which can track and individually identify the children. This is often accomplished
through vast quantities of data obtained by “ad networks.”
76. An ad network is also where advertising space is bought and sold. In this virtual
marketplace, app developers and advertisers buy and sell advertising space and the ads to fill it.
These networks connect advertisers looking to sell data-driven, targeted ads to mobile apps that
want to host advertisements. A key function of an ad network is aggregating available ad space
from developers and matching it with advertisers’ demands.
77. Once the ad call is facilitated bytheSDK, and the ad is placed on the child’s device,
advertising companies then store and analyze the Personal Information to enable continued
tracking of the child. This further analysis and profiling includes storing information such as what
ads they have already seen, what actions they took in response to those ads, other online behavior,
and additional demographic data. This way, the advertising companies that design and maintain
the SDK (and other affiliated entities) can generally monitor, profile, and track them over time,
across devices, and across the Internet. Targeted advertising is driven by individuals’ Personal
Information and employs sophisticated algorithms that interpret the Personal Information to determine the most effective advertising for those individuals.35
78. This entire ecosystem collects and uses children’s Personal Information without
first providing direct parental notice or obtaining verifiable parental consent. This includes the
35 For a detailed discussion of targeted advertising, see Section IV.F.1, infra.
companies that have SDKs embedded in the Angry Birds Gaming Apps, who fail to reasonably
and meaningfully inform parents that, as children play the Angry Birds Gaming Apps, the SDKs
surreptitiously collects their Personal Information and track online behavior to profile children for
targeted advertising. Further, parents are not asked to consent to these practices. This is all the
more egregious given that COPPA does not just require notice in its compliance regime, but also
requires equally-critical verifiable parental consent.
G. On Rovio’s Behalf, Multiple SDKs Exfiltrate Children’s Personal Information While They Play at Least Eight of Rovio’s Most Popular Angry Birds Gaming Apps.
79. To show ads to children via the Angry Birds Gaming Apps (through its ad network
or its mediation services), an SDK embedded in the Angry Birds Gaming Apps communicates
with or “makes a call” to servers used by the advertising company that develops and maintains the
given SDK. For example, for the AdColony SDK—which is found in all of the Angry Birds
Gaming Apps—data might be sent to servers affiliated with AdColony’s web address
ads30.adcolony.com. The call would then request that an ad be shown to a particular child while
he or she is playing the game.
80. Through this call, the given SDK receives the child’s Personal Information, in the
form of persistent identifiers including, among others, the child’s AAID.
81. The SDK also receives the IP address of the child’s device, which enables the
identification of the child’s location, the identification of the child’s device, and cross-device
tracking.
82. The SDK’s call to its servers also discloses other valuable Personal Information in
the form of Device Fingerprint data that can be used to identify, profile, and target specific
children. This information can include, inter alia:
a. the manufacturer, make, and model of the child’s device;
b. the operating system of the child’s device; and
