Parent company of now-shuttered site receives a dressing down from consumer protection agency
The owner of i-Dressup, a fashion and social media website aimed at youngsters, have agreed to pay a $35,000 civil penalty after the site was found to be in violation of US child privacy and data protection laws.
As previously reported by The Daily Swig, i-Dressup was forced offline in August 2018 following allegations that the site improperly collected the personal data of children aged under 13.
A complaint launched by the Federal Trade Commission (FTC) alleged that i-Dressup “failed to provide sufficient notice… of the information it collected online from children, how it used it, its disclosure practices”, and other specifics required by the Children’s Online Privacy Protection Act (COPPA).
In addition to violating US parental consent provisions, i-Dressup allegedly violated COPPA’s data security requirements, as explained in a recent post on the FTC’s business blog:
According to the FTC, i-Dressup stored and transmitted users’ personal information (including passwords) in plain text. In addition, the company failed to perform network vulnerability testing of its network, even for well-known threats like SQL attacks; it didn’t implement an intrusion detection and prevention system; and it didn’t monitor for potential security incidents.
The upshot? The company learned that a hacker had gained entry to its network and accessed information [of] about 2.1 million users, including approximately 245,000 users who indicated they were under 13.
To settle the case, i-Dressup’s parent company, Unixis, will pay a $35,000 civil penalty.
“They’re also prohibited from violating COPPA in the future, and can’t sell, share, or collect any personal information until they implement a comprehensive data security program and get independent biennial assessments,” said the FTC.
The settlement comes amid renewed efforts by the FTC to help parents improve their children’s online safety.