On March 27, 2012, the Federal Trade Commission announced a proposed settlement order with RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites. The FTC alleged that RockYou failed to protect the personal information of 32 million of its users, and violated multiple provisions of the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule when it collected information from approximately 179,000 children.
The FTC’s complaint alleged multiple violations of the COPPA Rule, specifically that RockYou failed to (1) clearly articulate its collection, use and disclosure policy for children’s information, (2) obtain verifiable parental consent to collect personal information from children, and (3) maintain reasonable procedures to safeguard the personal information it collected from children. The complaint also alleged that RockYou violated the FTC Act by falsely representing to consumers that the company had implemented reasonable and appropriate measures to protect against unauthorized access to their personal information.
RockYou has agreed to pay a $250,000 civil penalty for the alleged COPPA violations. The settlement order also prohibits further COPPA violations, requires RockYou to delete all information collected from children under the age of 13, bars RockYou from making deceptive claims regarding its privacy and data security practices, and requires the company to establish and maintain a comprehensive information security program subject to biennial, independent, third-party audits for 20 years.
As we previously reported, similar allegations were the subject of a class action lawsuit filed against RockYou following the breach incident in 2009. In November 2011, the parties to the suit filed a proposed settlement in which RockYou agreed to pay the plaintiff $2,000, and the plaintiff’s counsel $290,000 for fees and expenses. In addition, RockYou agreed to submit to two third party information security audits over the next three years and correct any issues identified by the audits.