Unixiz Settles COPPA Allegations with NJ AG
Unixiz, operator of the i-Dressup site, reached an agreement with the New Jersey Attorney General to settle charges that the company had violated the Children’s Online Privacy Protection Act and New Jersey’s Consumer Fraud Act. The New Jersey AG claimed that Unixiz violated these statutes by collecting information about children without first getting parental consent. The AG’s investigation into Unixiz’s privacy practices began after Unixiz disclosed a data breach in 2016. Users of the i-Dressup site created accounts with the site (and thus established usernames and passwords). In 2016 hackers accessed approximately 2.2 million users’ names and passwords. In response to the breach, the New Jersey AG launched an investigation into the company. The investigation revealed that in addition to failing to safeguard its users’ information, Unixiz did not get parental consent before collecting children’s personal information, as required under COPPA. Included among its users were 2,519 New Jersey children.
Unusually for a COPPA consent decree, Unixiz is required to shut down the i-Dressup website. If it operates a site again, it has agreed to get verifiable parental consent before collecting personal information from children. It must otherwise follow COPPA, including allowing parents to review the information the website has about their child and revoke their consent for the use and maintenance of that information. Additionally, Unixiz agreed to put in place policies and procedures to protect all users’ information. Finally, Unixiz must pay almost $100,000 in penalties, with two-thirds of that amount being suspended and vacated if the company complies with the other provisions of the order.
Putting it Into Practice: This case is a reminder that after a data breach, regulators may look not only at a company’s security practices, but also at its privacy compliance practices more generally. Post-breach, companies may thus want to look back at their data collection activities and ensure that they are compliant with data privacy laws.