Privacy & Information Security Law Blog

On March 27, 2012, the Federal Trade Commission announced a proposed settlement order with RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites. The FTC alleged that RockYou failed to protect the personal information of 32 million of its users, and violated multiple provisions of the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule when it collected information from approximately 179,000 children.

According to the FTC’s complaint, users who wanted to save content they had uploaded to RockYou’s website were required to provide certain personal information, including email address, password, date of birth, gender, zip code and country. The RockYou privacy policy claimed that “RockYou uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of [its users’] personal information” and that “RockYou does not knowingly collect or maintain personally identifiable information . . . from persons under 13 years of age.” Contrary to these assertions, however, the FTC alleged that RockYou collected personal information from an estimated 179,000 children under the age of 13 and stored user information in an insecure manner that permitted hackers to gain unauthorized access to email addresses, passwords, photographs and other online media that users had elected to keep private.

The FTC’s complaint alleged multiple violations of the COPPA Rule, specifically that RockYou failed to (1) clearly articulate its collection, use and disclosure policy for children’s information, (2) obtain verifiable parental consent to collect personal information from children, and (3) maintain reasonable procedures to safeguard the personal information it collected from children. The complaint also alleged that RockYou violated the FTC Act by falsely representing to consumers that the company had implemented reasonable and appropriate measures to protect against unauthorized access to their personal information.

RockYou has agreed to pay a $250,000 civil penalty for the alleged COPPA violations. The settlement order also prohibits further COPPA violations, requires RockYou to delete all information collected from children under the age of 13, bars RockYou from making deceptive claims regarding its privacy and data security practices, and requires the company to establish and maintain a comprehensive information security program subject to biennial, independent, third-party audits for 20 years.

As we previously reported, similar allegations were the subject of a class action lawsuit filed against RockYou following the breach incident in 2009. In November 2011, the parties to the suit filed a proposed settlement in which RockYou agreed to pay the plaintiff $2,000, and the plaintiff’s counsel $290,000 for fees and expenses. In addition, RockYou agreed to submit to two third party information security audits over the next three years and correct any issues identified by the audits.