FTC Settles with RockYou for Violating Kids’ Data Privacy

The Federal Trade Commission has settled with the operator of the social gaming website RockYou, charging that security flaws exposed 32 million email addresses and passwords of customers.
The FTC also alleges that RockYou violated the Children’s Online Privacy Protection Act (COPPA) by collecting about 179,000 children’s email addresses and associated passwords during registration – without their parents’ consent.
RockYou will pay a $250,000 civil penalty for its alleged COPPA violations.
The FTC said RockYou – which produces social games for children such as Zoo World – touted its security features, but failed to protect the privacy of its users, allowing hackers to access the personal information.
RockYou allows consumers to play games and use other applications, including apps for assembling slide shows from photos, using a caption capability and music supplied by the site. To save their slide shows, consumers had to enter their email address and email password.
The FTC’s COPPA rule requires that website operators notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13. The rule also requires that website operators post a privacy policy that is “clear, understandable and complete.”
The FTC alleged that RockYou enabled children to create personal profiles and post personal information on slide shows that could be shared online.
The company accepted registrations from kids under 13 and the site’s security failures put the children’s personal information at risk, the FTC said.
The FTC charged that RockYou violated the COPPA Rule by:

  • not spelling out its collection, use and disclosure policy for children’s information;
  • not obtaining verifiable parental consent before collecting children’s personal information; and
  • not maintaining reasonable procedures, such as encryption to protect the confidentiality, security, and integrity of personal information collected from children.

The proposed settlement order requires RockYou to implement a data security program and submit to security audits by independent third-party auditors every other year for 20 years.
The order also requires RockYou to delete information collected from children under age 13 and bars violations of COPPA.
The FTC has a new publication, Living Life Online, to help “tweens and teens” navigate the Internet safely.

Leave a Reply

Your email address will not be published. Required fields are marked *