These Fortune 500s Violated the COPPA Rule and Paid the Price - Is Your Online Business at Risk Too?

Last updated: May 9, 2024 Reading time: 7 minutes
Is Your Online Business At Risk Too

For web admins and app owners alike, internet security has become a high-stakes issue that can potentially sink your online business. In 2012, Google had to pay a whopping $22.5 million civil penalty to track Safari users with cookies.

You probably think your site is safe by simply posting a privacy policy in your site’s footer. Still, these days, that’s not enough: one of the most pressing security issues for website operators to emerge is the Children’s Online Privacy Protection Act (COPPA), a security measure that Congress enacted in 1998 to protect children’s privacy under the age of 13.

Since the law’s inception, it has become a more robust regulation. Within the last six years, the Federal Trade Commission (FTC)–the federal branch which enforces the act–has begun targeting app developers, website owners, digital security companies, and even third-party ad networks that violate the COPPA Rule.

So what exactly is the COPPA Rule?

The COPPA Rule determines what website operators and app owners must do to protect children’s privacy and safety online. Of course, this only pertains to you if your website collects personal information from children under 13.

Under the FTC’s terms, personal information includes usernames, email addresses, street addresses, geolocations, phone numbers, photos, videos, audio files, and other persistent identifiers that could be used to identify a child.

By prompting users 13 and under to disclose information or passively tracking their information via cookies or other means, you are collecting their data according to the COPPA Rule.

What are the consequences of a COPPA violation?

Sites guilty of a violation are charged with civil penalties ranging between $16,000 and $40,000 per violation. So, if your online business collected personal information from 100 children 13 and under, you could be liable for up to $1,600,000–or more!

How do you know if your site is at risk of a COPPA Rule violation?

COPPA compliance can get a bit complicated. To give you a clear picture of what COPPA compliance entails, we’ve compiled 7 case studies of Fortune 500 companies caught violating the COPPA Rule and what you can do to ensure your website or mobile app is protected:

1. TinyCo

TincyCo is a San Francisco-based video game studio that creates gaming apps for children. Their most famous games include titles like Tiny Pets, Tiny Zoo, Tiny Castle, and Mermaid Resort, which are free to download and play. TinyCo markets its products for children, which they cover in their privacy policy.

So why did the FTC go after TinyCo?

TinyCo offered users in-game currency and items in exchange for their email addresses. As a result, the company collected thousands of emails from its user base. Of course, the FTC saw this as bypassing parental consent, leaving TinyCo with a $300,000 civil penalty and a mandate to destroy all information collected from users 13 and under.

2. Yelp

If you think apps that typically attract an adult audience are safe from COPPA, think again. Yelp, a crowd-sourced business review, and social networking site, is a prime example of an app that appeals to a vast general audience, yet it still violates the COPPA Rule.

Between 2009-2013, Yelp collected personal information from several thousand underage users who signed up for their mobile app. For some reason, Yelp included an age-screening function on its website but not its mobile app.

This inconsistency ultimately got the company in trouble with the FTC, which claimed that Yelp did not “adequately test its apps to ensure that users under the age of 13 were prohibited from registering.”

Yelp’s violation of the COPPA Rule required them to pay a $450,000 civil penalty. They also had to delete information from all users that reported to be 13 or under during that time, except when Yelp could prove the user was older.

3. Viacom, Mattel, JumpStart, Hasbro

New York Attorney General Eric Schneiderman targeted these companies to allow third-party companies to track users 13 and under on their websites geared towards children. The result was a collective settlement fee of $835,000.

In 2012, the FTC amended the COPPA Rule to prohibit websites from implementing behavioral targeting techniques on users 13 and under. This type of technology, known as “passive tracking technology,” uses persistent cookies and mobile identifiers to establish behavioral profiles of users. Many sites allow ad networks to use passive tracking to understand their target markets better; however, under the COPPA Rule, gathering information about children without parental consent is now illegal.

4. Disney’s Playdom

The now-defunct Disney-owned gaming studio, Playdom, produced multiplayer online games and virtual world websites for children. Between 2006 and 2010, around 400,000 kids registered to play one of the more popular titles, Pony Stars, requiring users to submit their age and email address upon registering. Once signed up, users were prompted to create a player profile, which allowed them to post their full name, age, Instant Messenger ID, and location.

Here is where Playdom went wrong: they didn’t notify parents that they would be collecting their children’s data, they failed to obtain parental consent, and they misrepresented their privacy policy terms, which claimed that Playdom banned children 13 and under from posting personal information. As a result, Playdom paid a $3 million civil penalty, and in September 2016, Disney shuttered the gaming studio for good.

5. InMobi

InMobi, a Singapore-based mobile app advertising company, provides geo-targeted advertising by collecting user data through apps, many of which appeal to children. The FTC went after InMobi because of their duplicitous information tracking policy.

According to the FTC, InMobi collected hundreds of millions of users’ personal information, even after users denied the company permission. Consequently, InMobi was initially charged a $4 million dollar settlement fee, which was reduced to $950,000 based on the company’s financial state. They were also required to draft their comprehensive privacy program detailing what changes they would make to their privacy practices.

6. LAI Systems, LLC & Retro Systems

LAI Systems, a children’s app-game developer, found themselves in the crosshairs of the FTC because they allowed third-party advertisers to collect tracking information from their users. By using persistent identifiers (digital data tied to a specific user), these advertisers could collect valuable personal details about users by observing the information they provided. Of course, LAI did not notify parents or gain their consent, which cost them $60,000.

Retro Systems also allowed third-party advertisers to collect personal information from their user base, mainly children. However, Retro Systems had to pay a steeper fine of $300,000 because they did not cease collecting personal information from underage users even after an advertising affiliate warned them of their COPPA Rule violation.


This San Francisco-based technology security company helps corporations keep their software and websites updated and compliant with government law. As an organization that claims to maintain high digital security standards, it’s baffling that Attorney General Eric T. Schneiderman found TRUSTe at fault for violating the COPPA Rule. Nevertheless, TRUSTe breached the COPPA Rule by failing to keep two primary children’s websites–Roblox and Hasbro– free of information tracking technology.

The company recently reached a settlement requiring TRUSTe to pay a $100,000 civil penalty and to take on higher security standards in the future. Interestingly, this is the first case of a privacy certification program targeted by state or federal law enforcement.

Some Key Takeaways

Suppose your site collects information from children or allows a third-party ad network or plug-in to collect trackable information from underage users. In that case, you need to comply with the COPPA Rule.

Here’s a quick checklist list of what you can do:

Regarding internet security, you must stay updated with current privacy standards. The digital sea is constantly shifting, and the only way to stay afloat is to ensure your site complies with federal and state privacy laws.

Author Credit:

Zach Painter

Zach Painter is an editor and Community Outreach Manager at, where he addresses freelancing queries and strives to help employ and hire writers committed to their craft. When he is not typing up responses or pitching to blogs, he can be found at the nearest record store searching for first-press Black Sabbath vinyl or sampling a flight of IPAs at the gastro bar.

Share this article

About the Author

Rebecca James is an IT consultant with forward thinking approach toward developing IT infrastructures of SMEs. She writes to engage with individuals and raise awareness of digital security, privacy, and better IT infrastructure.

More from Rebecca James

Related Posts