U.S. v. RockYou

Citation
United States v. RockYou, Inc., Civil Action No. 12-CV-1487, (N.D. Cal. filed Mar. 26, 2012).


 * Complaint (full-text).

On March 26, 2012, the [[FTC filed an action in the United States District Court for the Northern District against RockYou, Inc., alleging that RockYou violated the FTC’s COPPA rule. RockYou is a social game website where users could play games and use the site to upload photos from their computers or web, add captions, and choose music to create a slideshow.172 Users were required to register with RockYou, using an email address and password, if they wanted to save or edit their slideshows. Registrants were also required to enter a birth year, gender, zip code and country with their registration.173 RockYou stored the email addresses and passwords in their internal database. The Commission alleged that from December 2008 through January 2010, RockYou accepted approximately 179,000 registrations from children under the age of 13 without parent consent.174 Since the website asked for registrant’s date of birth and other personal information, RockYou fell within the FTC’s definition of operator under the rule and it put children’s personal information at risk because the slideshows that the children created could be shared online. Specifically, the FTC charged that RockYou violated the COPPA rule by: (1) failing to spell out its collection, use and disclosure policy for children’s information; (2) failing to obtain verifiable parental consent before collecting children’s personal information; and (3) failing to maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.175 RockYou and the FTC entered into a consent agreement and settlement order on March 27, 2012.176 The consent decree enjoined RockYou from future collection of information from children online and forced the company to delete the information it had already collected in violation of the COPPA rule.177 Moreover, the FTC fined RockYou $250,000 and ordered the company to post a link to the Commission’s consumer education website on its own website for five years.178 Finally, the settlement required RockYou to implement a data security program, submit compliance reports to the Commission allow security audits by independent third-party auditors every other year for 20 years.179