FTC Settles Deceptive Data Security Practices and COPPA Violation Charges Against RockYou | Practical Law

The Federal Trade Commission has announced a settlement with RockYou, Inc., an online game provider, over charges that RockYou violated the FTC Act by misrepresenting its safeguards for protecting consumer information and violated the Children's Online Privacy Protection Act Rule by collecting children's information without proper notice and parental consent.

by PLC Intellectual Property & Technology
Published on 29 Mar 2012 | USA (National/Federal)
On March 27, 2012, the FTC announced in a press release that it has reached a settlement with RockYou, Inc., an online game provider, concerning charges relating to RockYou's privacy and data security practices. The FTC's complaint charged that RockYou's information security practices were not consistent with the representations of its privacy policy, which indicated that it used reasonable safeguards. The FTC charged that RockYou's security failures allowed hackers to access the e-mail addresses and RockYou passwords of 32 million users. The FTC complaint further charged that RockYou collected personal information from approximately 179,000 children without parental consent.
Among other charges, the FTC's complaint alleged that RockYou violated:
  • The FTC Act by deceptively representing to consumers that it provided reasonable security for personal information that it collected when in fact its measures were not reasonable.
  • The Children's Online Privacy Protection Act Rule (COPPA Rule) by failing to:
    • provide sufficient notice on its website of its practices for the collection, use and disclosure of children's information;
    • provide direct notice to parents of its practices for the collection, use and disclosure of children's information;
    • obtain verifiable parental consent before collecting, using or disclosing personal information from children; and
    • establish and maintain reasonable procedures to protect the confidentiality, security and integrity of children's information that it collected.
The proposed consent decree and order, which is subject to court approval, provides, among other things, that RockYou is:
  • Enjoined from misrepresenting its privacy and data security practices.
  • Enjoined from future COPPA Rule violations.
  • Required to implement and maintain an adequate data security program and submit to security audits.
  • Required to pay a $250,000 civil penalty for its alleged COPPA Rule violations.
The FTC noted in its press release that this action is part of the FTC's ongoing efforts to ensure that companies meet their privacy promises to consumers and that children's information is not collected or shared online without parental consent.