A class action suit has been brought against the game developers and partners of the mobile game “Subway Surfers.” The parents of children who played the game allege that the mobile game collected their children’s personally identifiable information without their consent or knowledge, violating the Children’s online Privacy Protection Rule (“COPPA”)

Congress enacted COPPA in 1999 with the aim of protecting the vulnerability of children in a digital age. It outlaws the collection of any child under thirteen’s personally identifiable information without verifiable parent consent.

As stated in the complaint, children under the age of thirteen are still in the early stages of cognitive development. Subsequently, they are more susceptible to being thwarted by sophisticated advertising tactics. This can make it difficult for children to understand the difference between in-game functions and third-party marketing, enabling them to engage with content outside of the app without their knowledge.

So, what is personally identifiable information? According to the Federal Trade Commission, if the information can be “reasonably linked” to a particular child, it is classified as a “persistent identifier” and falls under the category of personally identifiable information. This means that personally identifiable information can include anything from email addresses to geolocations to usernames to social security numbers.

Advertising-specific SDKs programmed in the game that track player information, such as a unique number linked to a particular mobile device, are considered to be collecting “persistent identifiers.” Developers often collect, arrange, and sell the information of these user profiles to third-party advertisers.

The petitioning parents allege that the developers and providers of “Subway Surfers” used these advertising-specific SDKs to collect the persistent identifiers of their children without the parental consent required under COPPA. The parents argue that themselves nor their children were in no way informed that behavioral advertising SDKs were incorporated in “Subway Surfers” to collect information about their children’s gaming behavior.

Additionally, the parents are taking action against several of the game tracking applications that develop and release programs to collect this identifiable information including AdColony, Chartboost, and Flurry among others.

Kiloo and Sybo co-developed the “Subway Surfers” game. Since its release in 2012, “Subway Surfers” has been downloaded more than 1 billion times, making it one of the most downloaded mobile games ever. Since its success, Kiloo and Sybo have both developed and marketed games along the same lines that, much like “Subway Surfers”, tracks user behavior.

Is it fair that “Subway Surfers” is getting heat for this data mining practice? COPPA makes it pretty clear that in order to collect, use, or disclose personal information, an operator must have a clear and complete privacy policy, a clear notice of information practices, and a way to obtain verifiable parental consent. “Subway Surfer” apparently had none of this. With over 1 billion downloads and plenty of marketing and advertising tactics that are obviously targeted at children, it should have made sure to cover itself in the event of a disastrous suit like this. There’s a lesson here, gamedevs: always talk to a lawyer.

Author and frequent D.Va cosplayer, Caroline Womack. Caroline is a rising 2L at Quinnipiac University School of Law and primarily studies intellectual property law, focusing on video game and internet law.