Protecting the privacy of young children is especially important. For that reason, RockYou! does not knowingly collect or maintain personally identifiable information or non-personally-identifiable information on the RockYoul Sites from persons under 13 years of age, and no part of our website is directed to persons under 13. If you are under 13 years of age, then please do not use or access the RockYou! Sites at any time or in any manner. If RockYou! learns that personally identifiable information of persons under 13 years of age has been collected on the RockYoul Sites without verified parental consent, then RockYou! will take the appropriate steps to delete this information

But, in fact, such information was not deleted, and so was exposed during the hack.

Here is the most important takeaway for anyone conducting business on the Internet: Do not store your customers’ or users’ data in plain text! And, ideally, don’t even store it on a machine that is connected to the Internet.

Here is the FTC announcement about the case:

FTC Charges That Security Flaws in RockYou Game Site Exposed 32 Million Email Addresses and Passwords
Settlement Order Requires Company to Implement Comprehensive Data Security Program

The operator of a social game site has agreed to settle charges that, while touting its security features, it failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The Federal Trade Commission also alleged in its complaint against RockYou that RockYou violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) in collecting information from approximately 179,000 children. The proposed FTC settlement order with the company bars future deceptive claims by the company regarding privacy and data security, requires it to implement and maintain a data security program, bars future violations of the COPPA Rule, and requires it to pay a $250,000 civil penalty to settle the COPPA charges.

The case against RockYou is part of the FTC’s ongoing effort to make sure companies live up to the privacy promises they make to consumers, and that kids’ information isn’t collected or shared online without their parents’ consent.

According to the FTC complaint, RockYou operated a website that allowed consumers to play games and use other applications. Many consumers used the site to assemble slide shows from their photos, using a caption capability and music supplied by the site. To save their slide shows, consumers had to enter their email address and email password.

The FTC’s COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13. The Rule also requires that website operators post a privacy policy that is clear, understandable, and complete.

The FTC alleged that RockYou knowingly collected approximately 179,000 children’s email addresses and associated passwords during registration – without their parents’ consent – and enabled children to create personal profiles and post personal information on slide shows that could be shared online. The company asked for kids’ date of birth, and so accepted registrations from kids under 13. In addition, the company’s security failures put users’ including children’s personal information at risk, according to the FTC. The FTC charged that RockYou violated the COPPA Rule by:

not spelling out its collection, use and disclosure policy for children’s information;
not obtaining verifiable parental consent before collecting children’s personal information; and
not maintaining reasonable procedures, such as encryption to protect the confidentiality, security, and integrity of personal information collected from children.

The proposed settlement order bars deceptive claims regarding privacy and data security and requires RockYou to implement a data security program and submit to security audits by independent third-party auditors every other year for 20 years. It also requires RockYou to delete information collected from children under age 13 and bars violations of COPPA. Finally, RockYou will pay a $250,000 civil penalty for its alleged COPPA violations.

The FTC has a new publication, Living Life Online, to help tweens and teens navigate the internet safely.

The Commission vote to authorize the staff to refer the complaint to the Department of Justice and to approve the proposed consent decree was 4-0. The DOJ filed the complaint and proposed consent decree on behalf of the Commission in U.S. District Court for the Northern District of California on March 26, 2012. The proposed consent decree is subject to court approval.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the defendants have actually violated the law. This consent decree is for settlement purposes only and does not constitute an admission by the defendants of a law violation. Consent decrees have the force of law when signed by the District Court judge.FTC Charges That Security Flaws in RockYou Game Site Exposed 32 Million Email Addresses and Passwords
Settlement Order Requires Company to Implement Comprehensive Data Security Program

The operator of a social game site has agreed to settle charges that, while touting its security features, it failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The Federal Trade Commission also alleged in its complaint against RockYou that RockYou violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) in collecting information from approximately 179,000 children. The proposed FTC settlement order with the company bars future deceptive claims by the company regarding privacy and data security, requires it to implement and maintain a data security program, bars future violations of the COPPA Rule, and requires it to pay a $250,000 civil penalty to settle the COPPA charges.

The case against RockYou is part of the FTC’s ongoing effort to make sure companies live up to the privacy promises they make to consumers, and that kids’ information isn’t collected or shared online without their parents’ consent.

According to the FTC complaint, RockYou operated a website that allowed consumers to play games and use other applications. Many consumers used the site to assemble slide shows from their photos, using a caption capability and music supplied by the site. To save their slide shows, consumers had to enter their email address and email password.

The FTC’s COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13. The Rule also requires that website operators post a privacy policy that is clear, understandable, and complete.

The FTC alleged that RockYou knowingly collected approximately 179,000 children’s email addresses and associated passwords during registration – without their parents’ consent – and enabled children to create personal profiles and post personal information on slide shows that could be shared online. The company asked for kids’ date of birth, and so accepted registrations from kids under 13. In addition, the company’s security failures put users’ including children’s personal information at risk, according to the FTC. The FTC charged that RockYou violated the COPPA Rule by:

not spelling out its collection, use and disclosure policy for children’s information;
not obtaining verifiable parental consent before collecting children’s personal information; and
not maintaining reasonable procedures, such as encryption to protect the confidentiality, security, and integrity of personal information collected from children.

The proposed settlement order bars deceptive claims regarding privacy and data security and requires RockYou to implement a data security program and submit to security audits by independent third-party auditors every other year for 20 years. It also requires RockYou to delete information collected from children under age 13 and bars violations of COPPA. Finally, RockYou will pay a $250,000 civil penalty for its alleged COPPA violations.

The FTC has a new publication, Living Life Online, to help tweens and teens navigate the internet safely.

The Commission vote to authorize the staff to refer the complaint to the Department of Justice and to approve the proposed consent decree was 4-0. The DOJ filed the complaint and proposed consent decree on behalf of the Commission in U.S. District Court for the Northern District of California on March 26, 2012. The proposed consent decree is subject to court approval.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the defendants have actually violated the law. This consent decree is for settlement purposes only and does not constitute an admission by the defendants of a law violation. Consent decrees have the force of law when signed by the District Court judge.

Get New Internet Patrol Articles by Email!

We respect your email privacy | Powered by AWeber Email Marketing

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us

Venmo us

Paypal us