Citation[]
United States v. RockYou, Inc., Civil Action No. 12-CV-1487, (N.D. Cal. filed Mar. 26, 2012).
- Complaint (full-text).
- Consent Decree and Order for Civil Penalties, Injunction and Other Relief (full-text).
Factual Background[]
RockYou is a social game website where users can play games and use the site to upload photos from their computers or web, add captions, and choose music to create a slideshow.
Users were required to register with RockYou, using an email address and password, if they wanted to save or edit their slideshows. Registrants were also required to enter a birth year, gender, zip code and country with their registration. RockYou stored the email addresses and passwords in their internal database.
Complaint[]
On March 26, 2012, the FTC filed an action against RockYou, Inc., alleging that RockYou violated the FTC's COPPA Rule.
The Commission alleged that from December 2008 through January 2010, RockYou accepted approximately 179,000 registrations from children under the age of 13 without parental consent. Since the website asked for registrant's date of birth and other personal information, RockYou fell within the FTC's definition of operator under the COPPA Rule and it put children's personal information at risk because the slideshows that the children created could be shared online.
Specifically, the FTC charged that RockYou violated the COPPA Rule by: (1) failing to spell out its collection, use and disclosure policy for children's information; (2) failing to obtain verifiable parental consent before collecting children's personal information; and (3) failing to maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
Consent Decree[]
RockYou and the FTC entered into a consent agreement and settlement order on March 27, 2012. The consent decree enjoined RockYou from future collection of information from children online and forced the company to delete the information it had already collected in violation of the COPPA Rule.
Moreover, the FTC fined RockYou $250,000 and ordered the company to post a link to the Commission's consumer education website on its own website for five years. Finally, the settlement required RockYou to implement a data security program, submit compliance reports to the Commission, and allow security audits by independent third-party auditors every other year for 20 years.