The Federal Trade Commission has imposed a $35,000 fine on the owners of teen fashion site i-Dressup.com for allegedly collecting personal information from children younger than 13, and for failing to use reasonable security to protect users' data.
News of the FTC's move comes more than two years after a hacker obtained email addresses, passwords, birthdates and other personal information of i-Dressup's more than two million users -- including an estimated 245,000 users under the age of 13. i-Dressup allegedly stored the data in “clear text” -- meaning it was unencrypted.
“The hacker gained access to Defendants’ computer network by exploiting commonly known and reasonably foreseeable vulnerabilities,” the FTC alleged in a complaint unveiled last week against the site's owner, Unixiz.
The complaint alleged that i-Dressup failed to comply with the Children's Online Privacy Protection Act in several respects. Among other provisions, COPPA prohibits companies from knowingly collecting personal information -- including names and email addresses -- from users younger than 13 without their parents' permission. The law also requires website operators to deploy “reasonable” security measures.
The FTC alleged that i-Dressup collected and retained information from some users under 13 without verified parental consent. The agency also alleged that i-Dressup failed to adequately protect the data.
Last year, Unixiz shut down i-Dressup.com as part of a data-breach settlement with the New Jersey Attorney General.
The agreement with the FTC provides that, in the future, Unixiz won't sell, share or collect personal information without first implementing a security program and obtaining independent biennial assessments.
Separately, the FTC also alleged that the site ClixSense.com -- which pays consumers to take surveys and watch ads -- failed to protect consumers' “sensitive” information, including their email and street addresses, passwords, birthdates and, in some instances, social security numbers.
Those allegations also stemmed from a 2016 data breach involving the theft of data from approximately 6.6 million users, including around 500,000 in the U.S.
ClixSense agreed to resolve the allegations by implementing a security program, obtaining independent biennial assessments and certifying compliance annually.