On April 24, the FTC announced separate settlements with the operators of an online rewards website and a dress-up games website to resolve allegations concerning poorly implemented data security measures and Children’s Online Privacy Protection Act (COPPA) violations. According to the FTC, the online rewards website operator collected personal information (PII) from users who participated in their online offerings and made promises that their account information was secure. However, the operator allegedly failed to implement data security measures or utilize encryption techniques, which granted hackers access to the network. In addition, the operator allegedly maintained PII in clear unencrypted text. As a result of the breach, hackers published and offered for sale PII for approximately 2.7 million consumers. Under the terms of the decision and order, the operator is, among other things, prohibited from misrepresenting the measures taken to protect consumers’ PII and is required to implement a comprehensive information security program for future collections of PII.
On the same day, the FTC reached a proposed settlement with a dress-up games website and its operators, who allegedly violated COPPA by failing to obtain parental consent before collecting personal information from children under 13 or provide reasonable and appropriate security for the collected data. According to the FTC, data security failures allowed hackers access to the company’s network, which stored information for roughly 245,000 users under age 13. As part of the proposed settlement filed in the U.S. District Court for the Northern District of California, the company and operators, among other things, (i) have agreed to pay $35,000 in civil penalties; (ii) will change their business practices to comply with COPPA; and (iii) are prohibited from selling, sharing, or collecting personal information until a comprehensive data security program is implemented and undergoes independent biennial assessments.