NEWARK, NJ – A California company agreed to shut down its fashion-themed social website for teens and reform its business practices to resolve allegations that the company violated state and federal laws by improperly collecting personal information from more than 2,500 New Jersey children and by failing to appropriately safeguard its users’ account information, which was compromised in a 2016 data breach, Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs announced Friday.
The Division alleged that Unixiz, Inc., the company that owned and operated the online social website “i-Dressup”, violated the federal Children’s Online Privacy Protection Act (COPPA) and the New Jersey Consumer Fraud Act, by, among other things, failing to adequately safeguard user information and failing to obtain verifiable parental consent prior to collecting and processing children’s personal information.
“Children are extremely vulnerable on the internet and we must do all we can to protect them from being exploited by advertisers or tracked by internet predators,” said Attorney General Grewal. “We are committed to vigorously enforcing state and federal privacy protections and we will do everything we can to ensure that website operators comply with their duty to provide an extra layer of security on sites catering to young children.”
The allegations against Unixiz stem from an investigation initiated by the Division after media outlets began reporting that the i-Dressup website had been breached by an unknown hacker and that user accounts were vulnerable.
The Division learned through its investigation that more than 24,000 of the compromised i-Dressup accounts belonged to New Jersey residents, 10,101 of whom were under the age of 18. The Division confirmed that 2,519 accounts belonged to children under the age of 13.
The Division also alleged that Unixiz had improperly collected personal information from the 2,519 children – including first and last names, email addresses, birthdates, and gender – without prior verifiable consent from their parents, as required by law.
“As a result of our investigation, Unixiz agreed to shut down the i-Dressup website and to reform its practices to comply with all laws protecting the privacy of children and others online,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “Our cyber fraud unit will continue to monitor the internet for reports of data breaches that affect New Jersey residents and take swift action to hold companies accountable.”
In a Consent Order entered with the Division, Unixiz agreed to put in place measures to obtain verifiable parental consent on all company-operated websites that collect children’s information, as well as measures to provide parents with the ability to review the information that the company is collecting from their child, and to revoke the right of that company to collect or maintain their child’s information. Unixiz also agreed to implement policies and procedures to safeguard users’ account information.
The company also agreed to civil penalties in the amount of $98,618, $34,000 of which has been paid and $64,618 of which will be suspended and automatically vacated after two years, provided that the company complies with the terms of the Consent Order.
The i-Dressup website, which billed itself as a “social hangout website” for teens, offered its users access to fashion and fantasy-based games, and a feature which allowed certain approved users to exchange messages.
The Division, through its investigation, confirmed that the website had actual knowledge that many of its members were under the age of 13, which triggered obligations to comply with COPPA.
COPPA and its regulations apply to operators of commercial websites and online services, including mobile apps, directed to children under 13, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
The primary goal of COPPA is to provide parents with control over what information is collected from their young children online, including first and last names, home addresses, screen names and other online contact information, telephone numbers, social security numbers, photographs, and IP addresses and other persistent identifiers that can be used to recognize a user over time and across different websites or online services.