Skip to main content

Are there hotter topics these days than data security and kids’ privacy?  An FTC law enforcement settlement with the social networking site RockYou ticks both of those topical boxes and challenges a course of conduct the FTC says made it easier for hackers to access the personal information of 32 million users.  The complaint also alleges the company collected info from kids in violation of the Children’s Online Privacy Protection Act.

What was going on at the RockYou site? In addition to playing games and using other features, RockYou allowed Scorcese wannabes to create slideshows of their uploaded photos.  To register and save content for later, users had to provide a valid email address and the password for that address — as well as their birth year, gender, country, and zip code.

Once users filled out the registration fields, RockYou sent a welcome email with an activation link.  When returning to the site, users were prompted to create another password.  But they didn’t have to change it and could just re-enter the password of their email address.

The FTC’s complaint alleged that RockYou’s practices posed a significant risk of harm to consumers.  First, the company stored passwords in clear text, allowing unauthorized access to private data stored in RockYou accounts.  Second, the FTC alleged that RockYou’s practice of initially collecting email account passwords and storing them in clear text — even temporarily — created the risk of unauthorized access to people's email.  How so?  It’s not unusual for people to use the same password for different accounts. Thus, the FTC alleged that RockYou’s practice of storing RockYou account passwords in clear text with users’ email addresses increased the likelihood that if intruders gained access to users RockYou passwords, many users’ email accounts also would be exposed to unauthorized access.

Although the RockYou privacy policy said that the company “cannot . . . ensure or warrant the security of any information you transmit to RockYou! and you do so at your own risk,” it also promised that it “uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information.”  The FTC charged that contrary to this claim, RockYou failed to defend against commonly known forms of hack attacks.  As a result, hackers got a hold of the personal information of 32 million RockYou members.  If people used their email passwords as their RockYou passwords, hackers could access other personally identifiable information about them. That practice, said the agency, violated the FTC Act.

What about kids who visited RockYou?  For a two-year period, RockYou accepted registrations from children under 13.  During that time, it collected email addresses and associated passwords — along with birth year, sex, zip code, and country information — from approximately 179,000 kids 12 and under.  As a result, children were able to create personal profiles and upload content, including photos.  Once kids were registered, they could post comments about other slide shows and people could comment about their public content, too.  The FTC says all this was done without the parental consent required by COPPA.

The FTC charged that RockYou violated COPPA by:

  • not spelling out its collection, use and disclosure policy for children’s information;
  • not getting verifiable parental consent before collecting kids' personal information; and
  • not maintaining reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

What about the statements in its privacy policy describing the company’s commitment to children’s privacy:  "Protecting the privacy of young children is especially important. For that reason, RockYou! does not knowingly collect or maintain personally identifiable information or non-personally-identifiable information on the RockYou! sites from persons under 13 years of age, and no part of our website is directed to persons under 13. If you are under 13 years of age then please do not use or access the RockYou! sites at any time or in any manner. . .  ."

The company’s practices rendered those statements false, alleged the FTC.  In addition, the FTC charged that the company’s security failures put kids’ personal information at risk.

The proposed settlement bars deceptive claims and requires RockYou to put a data security program in place that includes independent third-party security audits every other year for 20 years.  It also requires RockYou to delete information collected from kids under age 13 and mandates future COPPA compliance.  RockYou will pay a $250,000 civil penalty for the alleged COPPA violations.

Looking for resources to share with family and friends about helping kids stay safer when using technology?  Visit or the FTC's Living Life Online site for tweens and teens.


Get Business Blog updates