Kids love to play dress-up, but parents don’t want them rummaging through the attic or climbing to the top of a closet without permission and proper supervision. The i-Dressup.com website provides users, including children, with a way to virtually dress up and design outfits without these potential dangers. But according to the FTC’s complaint, Unixiz, Inc., the company behind i-Dressup, violated the Children’s Online Privacy Protection Act, creating a different type of risk.
COPPA creates two separate sets of protections to help parents control the personal information collected from their children online. First, companies covered by COPPA must clearly disclose their information policies and obtain parental consent before collecting personal information from children under 13. Second, companies must provide reasonable and appropriate security for the information they collect. According to the FTC settlement agreement, i-Dressup failed to meet two requirements of COPPA.
The complaint alleges that i-Dressup failed to adequately disclose on its website the information it collects from children online, how it uses that information, its disclosure practices and other details required by the COPPA rules. The company’s direct notifications to parents were also flawed. Among other things, they failed to include the statement required by COPPA that if parents do not provide consent within a reasonable time, i-Dressup will delete their online contact information from its records. Stick with the story because this failure is particularly disturbing.
In addition to letting users play online games, i-Dressup also features a community where users can “explore their creativity and fashion sense through unique profiles” and interact with others. To register, i-Dressup requires people to submit a username, password, date of birth and email address. If the date of birth indicates that the person is under 13 years old, the email field changes to “Parent’s Email.” Once users under the age of 13 fill out the required fields and click “Join Now,” i-Dressup collects personal information and sends a message to the address entered in the parent email field. Recipients of the email can give their consent by clicking the “Start now!” button.
However, even if parents do not consent, i-Dressup still retains the personal information it collected from children online. The FTC said the company’s failure to remove the information violated COPPA Rule 312.5(c)(1).
In addition to violating the parental consent provisions of COPPA, i-Dressup allegedly violated the data security requirements of the rule. According to the FTC, i-Dressup stores and transmits users’ personal information (including passwords) in plain text. Additionally, the company failed to conduct vulnerability testing of its network, even against well-known threats such as SQL attacks; it failed to implement an intrusion detection and prevention system; and it failed to monitor for potential security incidents. The result? The company learned that a hacker had gained access to its network and accessed the information of approximately 2.1 million users, including approximately 245,000 users under the age of 13.
To resolve the case, i-Dressup and its owners will pay a $35,000 civil penalty. They will also be prohibited from violating COPPA in the future and will not sell, share or collect any personal information until they have implemented a comprehensive data security plan and obtained an independent biennial evaluation. Additionally, they must provide annual compliance certifications to the Federal Trade Commission.
COPPA’s message to websites and operators is that an effective parental consent system is only the first step in compliance. COPPA Rule 312.8 also requires you to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”
Interested in data security issues? Please read the attached Commission statement to learn more about another FTC action announced today.