Privacy & Information Security Law Blog

On June 24, 2020, the Washington State Attorney General (“Washington AG”) announced that it had settled an enforcement action against the owners of the “We Heart It” social media platform for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and the Washington State Consumer Protection Act. Under the consent decree, the defendants must pay $100,000, with an additional $400,000 suspended contingent upon compliance with the consent decree.

The Washington AG alleged that We Heart It, which has approximately 500,000 monthly active U.S. users, allowed children under the age of 13 (“U13”) to create accounts, collected U13 users’ personal information, and allowed third-party advertisers to collect data from U13 users, all without obtaining COPPA-compliant verifiable parental consent. In addition to the monetary penalties, the consent decree requires the defendants to comply with COPPA, including by:

• utilizing an age gate to prevent U13 users from creating We Heart It accounts;
• obtaining verifiable parental consent before collecting personal information from U13 children; and
• providing direct notice to parents of We Heart It’s data collection and disclosure practices, as well as a clearly labeled link to an online notice of its practices.

The consent decree also requires the We Heart It platform to pass all existing users through an age gate. Defendants must delete the personal information of users who either enter a U13 birthdate or indicated they were U13 at the time of registration, except that such users may be permitted to transfer their photos to their device and retain their usernames. Notably, the consent decree allows the defendants to rely on third-party platforms that utilize age gates as indicia of a user’s age. For accounts that are not confirmed to be over 13 through an age gate or reasonable reliance on a third-party platform that utilizes an age gate, the defendants must, within six months after entry of the consent decree: (1) delete such users’ personal information from their websites and online services; (2) not disclose any personal information about such users; and (3) destroy such users’ personal information within 12 months after entry of the consent decree.

Under the consent decree, the defendants also must perform regular human and automated audits of users’ profiles, tags, posts and activity where either (1) the content is perceived to be relevant to or directed to U13 children or (2) the parties have actual knowledge of use by U13 children, to ensure such content and activity complies with the consent decree. Additionally, the defendants are ordered to continue auditing and moderating their computer-based tagging logic to include words and descriptions of content that may be relevant to or directed to U13 children, and subject any such content to human review. The consent decree also requires the defendants to submit a compliance report to the Washington AG within 15 months of entry of the consent decree.