The FTC announced an enforcement action against i-Dressup.com (a website that allows users to play fashion-based games), and its CEO and Secretary individually, for practices that violated the Children’s Online Privacy Protection Act’s (COPPA) parental consent and data security requirements. According to the FTC, these practices ultimately resulted in a large-scale data breach.
Specifically, the FTC alleges that i-Dressup.com collected children’s personal information even in instances where parents had withheld consent and failed to comply with COPPA’s requirement that the personal information of users under 13 be properly secured. As to the latter, the company allegedly neglected to perform vulnerability testing on its network or monitor for security incidents, and both stored and transmitted users’ personal information in an unencrypted form. Ultimately, these practices allowed a hacker to access i-Dressup.com, exposing 2.1 million users’ information, of whom 245,000 were under the age of 13.
The FTC and i-Dressup.com have entered into a settlement that, if approved, will result in a $35,000 civil penalty, as well as a moratorium on the company selling, sharing, or collecting any personal information until the company puts in place an appropriate security program. In addition, i-Dressup.com will have to obtain independent biennial audits of its security program and submit an annual compliance certification to the FTC.