New Mexico Attorney General Hector Balderas. (AP Photo/Susan Montoya Bryan, File)

A lawsuit out of New Mexico accuses several tech companies of illegally monitoring the location and activity of children to sell that data to advertisers.

Filed in the U.S. District Court for the District of New Mexico by state Attorney General Hector Balderas, the lawsuit alleges that several apps “clearly and indisputably designed for children” made by Lithuanian company Tiny Lab Productions are collecting and exfiltrating user data to third parties to provide children-targeted advertisements without parental consent.

Such activity, the complaint alleges, is in violation of the Children’s Online Privacy Protection Act, which poses restrictions on collecting data on children younger than 13, and Tiny Lab isn’t the only company accused of violating it. Also being sued are Google Inc. and its advertising company AdMob, along with Twitter Inc. and its own advertising arm, MoPub. Also listed as defendants are mobile marketing and advertising outfits AerServ, AppLovin, ironSource USA Inc. and InMobi PTE.

According to the complaint, Tiny Lab and other defendants “work together” in embedding “bits of coding” referred to as “software development kits” that “exfiltrate children’s data as they play.” This basically allows the apps to “communicate directly with the advertisement companies” and send “data and advertisements back and forth.” That data is allegedly “analyzed, stored, and used to build increasingly-detailed profiles of child users” and “shared with and sold to myriad third parties so that each can continue to build their own profiles.”

“All of this activity serves one primary purpose: to learn more about the child in order to send  her highly-targeted advertisements,” Balderas says in the complaint. COPPA, the lawsuit claims, requires that parents be provided complete disclosure of the information being collected from their children and how it will be used after providing explicit consent to collect that information.

Among the types of data allegedly collected and sold are demographic characteristics, online activity, and “precise location” within “+/- 5 meters” of a user. Most commonly collected from users, the complaint alleges, are “persistent identifiers,” like numbers “akin to a Social Security number” and letters that can link an individual to their devices’ apps, then track that user across other devices.

According to the Tiny Lab website, the company’s “Racing Games” are no longer available on Google Play as of Sept. 11, the same date Balderas’ lawsuit dropped. What’s more, Tiny Labs denies violating COPPA “as far as we know.”

“We have an age gate to determine the user’s age by asking their birth date as per FTC guidelines. If according to the entered birthdate user is under 13 none of the personal information is collected,” the website says, noting that the COPPA “compliance guide” states a company is covered if a user lies about their age. “COPPA simply does not apply to the 14 years old and older persons.”

As to University of California, Berkeley research mentioned in the complaint indicating the company violated COPPA, Tiny Labs says it was performed “with automated tools where nobody actually read the privacy policy, terms of use or entered the correct information into age gate. That is why the automated tools specified the birthdate of over 13 years old persons and was not treated per COPPA requirements.”

“We use industrywide practices and publicly available guidelines issued by government to ensure the privacy and safety of players under 13 years old. We have taken all measures available to us to protect privacy of young players,” Tiny Lab CEO Jonas Abromaitis said in an email to The Recorder. “It is our sincere hope that this incident is all but a misunderstanding and it will be resolved with a satisfactory outcome for all related parties.”

Twitter, for its part, says its relationship with the company is currently on hiatus. A company spokesperson said in an email that “Tiny Lab was suspended from the MoPub platform in September 2017 for violating our policies regarding child-directed apps. As per our privacy policy, MoPub does not permit the MoPub Services to be used to collect information from apps directed to children under the age of 13 for purposes of personalized advertising.”

The defendants are also being charged with violating New Mexico’s Unfair Trade Practices Act, with the state alleging the defendants made “material misrepresentations and omissions” through “public-facing documents such as websites, privacy policies, marketing materials, app interfaces, and public statements.”

The state is seeking injunctive relief via ceasing of tracking practices that violate COPPA, destruction of the data already obtained as well as punitive damages due to the defendants’ “malicious, oppressive, and willful” actions “calculated to injure New Mexico citizens and made in conscious disregard of New Mexico citizens’ rights.”

Major tech companies have come under fire recently for their data collection practices. Google was sued in the U.S. District Court for the Northern District of California over allegations of surreptitious user location tracking. That came on the heels of an Associated Press report that Google was tracking user location even when they arranged their privacy settings to do otherwise. Facebook was sued in two separate lawsuits shortly after, also in California’s Northern District, for collecting and sharing user data with third  parties to build profiles.

Balderas was unavailable for comment by press time. Google, Aerserv, AppLovin Corp. and ironSource USA didn’t respond to requests for comment.