Arent Fox
    FTC Continues to Focus on Privacy and Issues Settlement with RockYou

    April 4, 2012

    The Federal Trade Commission (FTC) announced a recent settlement with RockYou, a game site targeted at kids and tweens. The settlement was a reaction to the security breach of the site, which exposed the data of 32 million users, some of whom were children under the age of 13.

    This case is interesting because it demonstrates the FTC’s continued focus on websites that collect information from children and teenagers. In this regard, RockYou operates a website that allowed consumers to play games and use other applications, many of which are arguably targeted to kids and tweens, such as Zoo World and Galactic Allies. In addition, the site allowed users to assemble slide shows from their photos and share the content with other users. To save their slide shows, users were asked to enter their email address and email password. Further, to register on the site, the user was also asked to provide his or her birth year and gender.

    The FTC alleged the company’s practices violated Section 5 of the FTC Act, as well as the Children’s Online Privacy Protection Act of 1998 (COPPA). In particular, the FTC complaint alleged that RockYou had failed to obtain parental consent when it collected data from children under the age of 13, which is a requirement of COPPA. Further, in its complaint, the FTC also pointed to security failures in the operation of the website, as well as statements in RockYou’s privacy policy that seemed inaccurate.

    COPPA requires website operators to notify parents and obtain their consent before collecting, using or disclosing personal information from any child who is under 13. Typically, website operators do this by email or telephone, although the mechanism for consent depends upon the nature of information that is collected, and the purpose for the collection. COPPA also requires website operators to post a privacy policy that is clear, understandable, and complete. The policy also must accurately describe a company’s practices with respect to data collection and use.

    The FTC alleged that RockYou violated COPPA because it did not comply with these requirements. Specifically, it alleged that RockYou knowingly collected approximately 179,000 children's email addresses and associated passwords during registration without their parents' consent. Further, the website allowed children to create personal profiles and post personal information on slide shows that could be shared online without consent. In the complaint, the FTC pointed to a statement in RockYou’s privacy policy — which said that the company did not collect data from children under the age of 13 — as evidence of RockYou’s failure to have a clear and recognizable policy with respect to the collection and use of data from children.

    Finally, the FTC alleged that RockYou’s security features were not effective and put users' personal information at risk. In this regard, the FTC complaint pointed to a statement in RockYou’s privacy policy that promised visitors that it would provide “commercially reasonable efforts to ensure the security of its systems” when, in fact, the company was not encrypting data or segmenting its servers. Also, the FTC noted that the company failed to address vulnerabilities in its system to web-based application attacks, such as “Structured Query Language” and “Cross-Site Scripting” attacks. In the complaint, the FTC explained that such attacks were “well-known and well-publicized forms of hacking attacks, and solutions to prevent such attacks were readily available and inexpensive.”

    In response, RockYou agreed to settle with the FTC. The proposed settlement order prohibits future deceptive claims regarding privacy and data security and requires RockYou to implement a data security program. It also requires the company to submit to security audits by independent third-party auditors every other year for 20 years. RockYou must also delete information collected from children under age 13 in violation of COPPA, and pay a $250,000 civil penalty for the alleged COPPA violations.

    The case against RockYou is part of the FTC’s ongoing focus on children’s privacy. Further, it may have been a reaction to a security breach at RockYou late in 2009. Companies collecting data — especially from children — should ensure they have clear, accurate, and compliant programs in place to comply with COPPA and FTC guidance.

    For additional articles on the FTC’s recent activity, please click here or here. Arent Fox is continuing to monitor information related to privacy. Please contact the attorneys listed next to the article with questions.

    Related People

    • Sarah L. Bruno

    Related Practices

    Advertising, Promotions & Data Security
    • © Copyright 2013 Arent Fox LLP. All Rights Reserved.
