Social game developer RockYou has agreed to pay $250,000 to settle charges that it violated the Children's Online Privacy Protection Act by collecting email addresses from children under the age of 13, the Federal Trade Commission announced.
RockYou also promised to delete the personal data it allegedly gathered from children, and to take steps to avoid collecting such information in the future. The company did not admit wrongdoing.
Although RockYou wasn't specifically aimed at kids, between December 2008 and January 2010 the company allegedly collected email addresses from 179,000 minors under the age of 13, the FTC charged in a complaint made public on Tuesday.
Children that registered with RockYou were able to create profiles, upload photos and post comments, the FTC alleged.
The federal COPPA law prohibits Web site operators from collecting data from children under 13 without their parents' consent.
The FTC also charged RockYou with violating its privacy policy by failing to secure data of all of its users -- adults as well as children. Those allegations stem from a RockYou data breach that occurred in late 2009, when someone who went by the name "igigi" reportedly accessed a database with 32 million user names and passwords.
RockYou allegedly stored that information in clear text, which rendered the data vulnerable to hackers. The company settled FTC charges relating to the data breach by agreeing to establish a security program and obtain independent audits.
The 2009 data breach also resulted in a civil class-action lawsuit against RockYou. Last November, the company agreed to settle that matter by agreeing to an injunction requiring it to undergo security audits, among other terms.
Jeffrey Greenbaum, an advertising and marketing lawyer with Frankfurt Kurnit Klein & Selz, says the FTC is sending a clear message to developers that it's concerned about privacy and social networks.
"If, in your business plan, you have the word 'kids,' and you have the words 'personal information,' and you have the words 'social networking,' you better make sure you understand data security and privacy," Greenbaum says.
He adds that the case also shows that companies that say they'll keep users' data secure must undertake reasonable measures to do so. "It's a reminder that you can be held resonsible for privacy promises," he says. "You have to make sure you understand the technology you're using," he says.