United States v. RockYou, Inc., Civil Action No. 12-CV-1487, (N.D. Cal. filed Mar. 26, 2012).
- Complaint (full-text).
- Consent Decree and Order for Civil Penalties, Injunction and Other Relief (full-text).
Factual Background Edit
Users were required to register with RockYou, using an email address and password, if they wanted to save or edit their slideshows. Registrants were also required to enter a birth year, gender, zip code and country with their registration. RockYou stored the email addresses and passwords in their internal database.
The Commission alleged that from December 2008 through January 2010, RockYou accepted approximately 179,000 registrations from children under the age of 13 without parental consent. Since the website asked for registrant's date of birth and other personal information, RockYou fell within the FTC's definition of operator under the COPPA Rule and it put children's personal information at risk because the slideshows that the children created could be shared online.
Specifically, the FTC charged that RockYou violated the COPPA Rule by: (1) failing to spell out its collection, use and disclosure policy for children's information; (2) failing to obtain verifiable parental consent before collecting children's personal information; and (3) failing to maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
Consent Decree Edit
RockYou and the FTC entered into a consent agreement and settlement order on March 27, 2012. The consent decree enjoined RockYou from future collection of information from children online and forced the company to delete the information it had already collected in violation of the COPPA Rule.
Moreover, the FTC fined RockYou $250,000 and ordered the company to post a link to the Commission's consumer education website on its own website for five years. Finally, the settlement required RockYou to implement a data security program, submit compliance reports to the Commission, and allow security audits by independent third-party auditors every other year for 20 years.