On August 3, 2018, California-based Unixiz Inc. (“Unixiz”) agreed to shut down its “i-Dressup” website pursuant to a consent order with the New Jersey Attorney General, which the company entered into to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the New Jersey Consumer Fraud Act. The consent order also requires Unixiz to pay a civil penalty of $98,618.
The charges stemmed from a 2016 data breach in which hackers compromised more than 2.2 million unencrypted usernames and passwords, including those associated with over 24,000 New Jersey residents’ accounts. The New Jersey Attorney General alleged that Unixiz had actual knowledge that the i-Dressup website (which allowed users to “dress, style and make-up animated characters in various outfits” and featured children’s games) had collected the personal information of over 10,000 children and failed to obtain verifiable parental consent for such collection, in violation of COPPA. The New Jersey Attorney General further alleged that the data breach resulted from Unixiz’s failure to appropriately safeguard user account information. Pursuant to the terms of the consent order, Unixiz agreed to pay a $98,618 civil penalty (suspended to $34,000 if, after two years, Unixiz undertakes certain steps to safeguard users’ personal information). Unixiz also agreed to shut down the i-Dressup website, comply with all applicable state and federal laws (including the New Jersey Consumer Fraud Act and COPPA), and implement policies and procedures to safeguard user account information.