The Federal Trade Commission (FTC) announced a recent settlement with RockYou, a game site targeted at kids and tweens. The settlement was a reaction to the security breach of the site, which exposed the data of 32 million users, some of which were children under the age of 13.
This case is interesting because it demonstrates the FTC’s continued focus on websites that collect information from children and teenagers. In this regard, RockYou operates a website that allowed consumers to play games and use other applications, many of which are arguably targeted to kids and tweens, such as Zoo World and Galactic Allies. In addition, the site allowed users to assemble slide shows from their photos and share the content with other users. To save their slide shows, users were asked to enter their email address and email password. Further, to register on the site, the user was also asked to provide his or her birth year and gender.
In response, RockYou agreed to settle with the FTC. The proposed settlement order prohibits future deceptive claims regarding privacy and data security and requires RockYou to implement a data security program. It also requires the company to submit to security audits by independent third-party auditors every other year for 20 years. RockYou must also delete information collected from children under age 13 in violation of COPPA, and pay a $250,000 civil penalty for the alleged COPPA violations.
The case against RockYou is part of the FTC’s ongoing focus on children’s privacy. Further, it may have been a reaction to a security breach at RockYou late in 2009. Companies collecting data — especially from children — should ensure they have clear, accurate, and compliant programs in place to comply with COPPA and FTC guidance.