Data Security at Issue in FTC’s Latest COPPA Action

Last week, the FTC settled an enforcement action against Unixiz, Inc., operator of the website, over several aspects of the site that failed to comply with the Children’s Online Privacy Protection Act (COPPA). i-DressUp has agreed to pay a $35,000 fine to settle the dispute.

COPPA regulates the online collection of personal information from children younger than the age of 13. At a high level, COPPA requires that online services that are directed to children or that have actual knowledge that they are collecting personal information from children (e.g., because they ask users for age information), provide parents with notice of their practices regarding information collection/use and secure verifiable parental consent before collecting a child’s personal information.

Though less discussed than these consent requirements, COPPA also mandates that operators who collect personal information from children “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity” of that information. While i-DressUp also failed to fully comply with COPPA’s notice-and-consent requirements, the most novel and notable aspect of the FTC’s action is that it is based in part on i-DressUp’s failure to satisfy COPPA’s security requirements.

i-DressUp’s site allowed users to play dress-up games and design clothes. Social features also permitted users to participate in an online community, including posting to blogs and communicating with other users. i-DressUp was principally directed to children and had stated that “[m]ost of our members are boys and girls between 7 and 17.”

Users could register to create an account and, as part of the registration process, provided an email address and date of birth. If the user indicated (s)he was 13 or older, (s)he was given full access to the i-DressUp site. If the user indicated (s)he was younger than 13, the site also requested an email address for the user’s parent. i-DressUp would then email the parent and allow him or her to consent to the child’s use of the site by clicking through an activation link.

If the parent did not follow the email instructions to consent, the site placed the child user into a “Safe Mode” membership that permitted the child to use some of the games and features of the site, but not the social features. Child users would remain in safe mode and i-DressUp would retain personal information previously collected from the child indefinitely.

While the site seems to have made some effort to consider children’s privacy issues, several aspects of this structure fail to comply with COPPA. The parental-consent email structure used did not meet COPPA’s standards for ensuring that the person providing consent was, in fact, a parent. Additionally, where parental consent is requested and not granted within a reasonable time, COPPA requires that the operator delete all personal information it has collected from the child.

Most notably, the FTC’s complaint alleges that i-DressUp “engaged in a number of practices that, taken together, failed to provide reasonable and appropriate data security to protect the personal information” i-DressUp collected from children. The complaint highlighted four specific practices, noting that i-DressUp:

  • “failed to adequately assess the vulnerability of its web applications and network to commonly known or reasonably foreseeable attacks, such as ‘Structured Query Language’ (‘SQL’) injection attacks;

  • stored and transmitted users’ personal information as well as other information submitted by users, including account passwords, in clear text;

  • failed to implement an intrusion detection and prevention system, or similar safeguards, to alert [i-DressUp] of potentially unauthorized access to their computer network; and

  • failed to monitor logs to identify potential security incidents.”

The outcome of these failures came to light in 2016, when a hacker breached i-DressUp’s network using what the FTC described as “commonly known and reasonably foreseeable vulnerabilities.” The hacker was able to access consumer personal information on i-DressUp’s network and subsequently sent the hacked data to journalists (after a warning to the site owner went unheeded).

In announcing the settlement with i-DressUp, the FTC simultaneously announced a separate settlement with ClixSense, a company that pays users to view online ads, complete surveys and perform other online tasks. ClixSense promised its users that it “utilize[d] the latest security and encryption techniques to ensure the security of your account information.” In fact, the FTC alleged, “ClixSense failed to implement minimal data security measures and stored personal information in clear text with no encryption.” Hackers infiltrated ClixSense’s network, accessed clear-text records regarding 6.6m consumers, and ultimately offered for sale information regarding 2.7m of those consumers. ClixSense’s settlement with the FTC requires that it, among other things, implement and maintain a written information security program and undergo third-party security assessments every two years for the next twenty years.

Taken together, the settlements serve as a reminder of the FTC’s continuing interest in using its authority to enforce reasonable data-security standards. The i-DressUp settlement should be particularly interesting to operators of sites subject to COPPA. As the FTC noted in its press releases on the case, “the message for sites and operators covered by COPPA is that an effective system of parental consent is only the first step toward compliance.” Covered operators must also mind COPPA’s other mandates – including the data security, retention, and deletion requirements.

Though speculative, it is also worth considering whether i-DressUp’s failure to take adequate precautions against a preventable security breach is the but-for cause of its run-in with the FTC. COPPA clearly remains an enforcement interest for the FTC, as the Commission has brought COPPA cases consistently for years. However, the total number of COPPA actions is still modest. While i-DressUp appears to have failed to comply with COPPA in many ways – both security-related and not – we wonder whether it would have found itself in the FTC’s COPPA crosshairs in the absence of a security breach.