Social Networking Site Settles FTC Charges
The social networking site RockYou has agreed to settle FTC charges that its security flaws allowed hackers to access the personal information of 32 million users. The FTC complaint also alleges that the company collected info from more than 100,000 kids in violation of the Children’s Online Privacy Protection Act (COPPA). RockYou will pay a $250,000 civil penalty for the alleged COPPA violations.
What happened? To save slideshows and other content for later, RockYou users had to provide a valid email address and the password for that email account; the form also requested their birth year, gender, country, and zip code. RockYou then sent users a confirmation email asking them to verify their account and change their password – but it did not require the new RockYou password to differ from the email password already provided.
The company stored users’ RockYou passwords in clear text, which made it easier for hackers who breached the site to read them directly. The FTC charged that RockYou failed to defend against commonly known forms of attack, which led to the data breach. Because many people reuse the same password across accounts, and because RockYou had collected users’ email passwords as well, the stolen credentials could also have given attackers access to users’ other personal information.
What about kids who visited RockYou? For a two-year period, RockYou accepted registrations from approximately 179,000 kids under 13. The FTC charged that RockYou knowingly collected kids’ email addresses and associated passwords during registration – without their parents’ consent – and enabled children to create personal profiles and post personal information on slideshows that could be shared online. In addition, the FTC alleged that the company’s security failures put kids’ personal information at risk.
The FTC charged that RockYou violated COPPA by:
- not spelling out its collection, use, and disclosure policy for children’s information
- not getting verifiable parental consent before collecting children’s personal information
- not maintaining reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children
The proposed settlement bars deceptive claims and requires RockYou to put in place a data security program that includes independent third-party security audits every other year for 20 years. It also requires RockYou to delete information collected from kids under age 13 and mandates future COPPA compliance.