The FTC Charges For COPPA Violation

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA

UNITED STATES OF AMERICA, Plaintiff, vs. UNIXIZ, Inc., a corporation doing business as i-Dressup.com, and ZHIJUN LIU and XICHEN ZHANG, individually and as officers of UNIXIZ, Inc.,

 
Case No. 5:19-cv-2222

 

COMPLAINT FOR CIVIL PENALTIES, PERMANENT INJUNCTION, AND OTHER EQUITABLE RELIEF

Plaintiff, the United States of America, acting upon notification and on behalf of the Federal Trade Commission (“FTC” or “Commission”), for its Complaint alleges that:

  • Plaintiff brings this action under Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of
    the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a), and Sections 1303(c) and 1306(d) of the Children’s Online Privacy Protection Act of 1998 (“COPPA”), 15 U.S.C. §§ 6502(c) and 6505(d), to obtain monetary civil penalties, a permanent injunction, and other equitable relief for Defendants’ violations of Section 5 of the FTC Act, 15 U.S.C. § 45, and the Children’s Online Privacy Protection Rule (“Rule” or “COPPA Rule”), 16 C.F.R. Part 312.

JURISDICTION AND VENUE

  • This Court has subject matter jurisdiction over this matter under 28 U.S.C. §§ 1331, 1337(a), 1345, and 1355, and under 15 U.S.C. §§ 45(m)(1)(A), 53(b), and 56(a).
  • Venue is proper in the Northern District of California under 15 U.S.C. § 53(b) and
  • 28 U.S.C. §§ 1391(b) – (d) and 1395(a).

INTRADISTRICT ASSIGNMENT

  • The conduct at issue in this action took place in substantial part in Santa Clara County.

SECTION FIVE OF THE FTC ACT

  • Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits unfair and deceptive acts or practices in or affecting commerce.

THE CHILDREN’S ONLINE PRIVACY PROTECTION ACT RULE

  • Congress enacted COPPA in 1998 to protect the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children’s personal information online by operators of Internet Web sites and online services. COPPA directed the Commission to promulgate a rule implementing COPPA. The Commission promulgated the COPPA Rule on November 3, 1999, under Section 1303(b) of COPPA, 15 U.S.C. § 6502(b), and Section 553 of the Administrative Procedure Act, 5 U.S.C. § 553. The Rule went into effect on April 21, 2000. The Commission promulgated revisions to the Rule that went into effect on July 1, 2013. Pursuant to Section 1303(c) of COPPA, 15 U.S.C. § 6502(c), and Section 18(d)(3) of the FTC Act, 15 U.S.C. § 57a(d)(3), a violation of the Rule constitutes an unfair or deceptive act or practice in or affecting commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

DEFENDANTS

  • Defendant Unixiz, Inc., which also does business as i-Dressup.com (“i-Dressup”), is a California corporation established on June 27, 2016, with its principal place of business in Mountain View, California. Unixiz, Inc. transacts or has transacted business in this district and throughout the United States. At all times material to this Complaint, acting alone or in concert with others, Unixiz, Inc. has advertised, marketed, and distributed its online content and website activities to consumers throughout the United States. Prior to the establishment of Unixiz, Inc., Defendant Liu and Defendant Zhang owned and operated i-Dressup as an unincorporated business from January 2016 to June 2016. From 2008 to 2015, Intellineur, Inc., a predecessor California corporation formed by Defendant Zhang, operated i-Dressup.com. Defendant Zhang was the Chief Executive Officer of Intellineur, Inc. and Defendant Zhijun Liu was Intellineur’s Registered Agent. Intellineur, Inc. was dissolved in December 2015.

  • Defendant Zhijun Liu is the Chief Executive Officer and the Chief Financial Officer of Unixiz, Inc. At all times material to this Complaint, acting alone or in concert with others, he has formulated, directed, controlled, had the authority to control, or participated in the acts or practices of Unixiz, Inc. d/b/a i-Dressup.com, including the acts or practices set forth in this Complaint. Defendant Liu, in connection with the matters alleged herein, transacts or has transacted business in this district and throughout the United States.

  • Defendant Xichen Zhang is the Secretary of Unixiz, Inc. At all times material to this Complaint, acting alone or in concert with others, she has formulated, directed, controlled, had the authority to control, or participated in the acts or practices of Unixiz, Inc. d/b/a i-Dressup.com, including the acts or practices set forth in this Complaint. Defendant Zhang, in connection with the matters alleged herein, transacts or has transacted business in this district and throughout the United States.

COMMERCE

  • At all times material to this Complaint, Defendants have maintained a substantial course of trade in or affecting commerce, as “commerce” is defined in Section 4 of the FTC Act, 15 U.S.C. § 44.

DEFENDANTS’ BUSINESS PRACTICES

  • Defendants operated i-Dressup.com, a website where users including children played dress-up games, designed clothes, and decorated their space. In addition, by participating in i-Dressup’s online community, users would make friends and blog. i-Dressup’s online community encouraged users to “explore their creativity and fashion sense with unique personal profiles.”

  • i-Dressup allowed users to register as members. When a user first registered as a member, i-Dressup required the user to submit a user name, password, birthdate, and email address. If a prospective member indicated that he/she was over 13, the member had access to all of the features of the website, including the ability to participate in i-Dressup’s social features, such as writing about themselves and their interests on an “About Me” page, creating blog posts, adding friends, and sending direct online messages.

  • If a prospective member submitted a birthdate that indicated that he/she was under 13, the heading for the email field on a registration screen changed in real-time to “Parent’s Email.” Once the under-13 user entered a user name, password, birthdate, and email address, and he/she clicked the “Join Now” button, i-Dressup collected the registration information entered and sent an email notice to the email address entered in the “Parent’s Email” field.

  • The email notice described the i-Dressup website, along with the social features that were available only if the parent provided consent.

  • The email notice contained a hyperlink through which i-Dressup sought consent from a parent to activate i-Dressup’s social features. If the recipient of the parental email notice clicked on the hyperlink in the email, he/she was taken to an online screen that contained the child’s user name and a pre-populated activation code. The individual receiving the parental email could consent by clicking the “Activate Now!” button on this screen.

  • If a parent did not provide consent, Defendants provided these under-13 users with “Safe Mode” membership, which allowed them to login to access all of i-Dressup’s doll-related games and features, but not its social features. Defendants collected the Safe Mode members’ registration information, such as their user name, password, and birthdate, and allowed child members to provide Defendants, through the account settings webpage, their first and last name and gender. Under-13 users could remain Safe Mode members indefinitely, and Defendants retained the child’s personal information as well as the parent’s email address, even if the child’s parent did not provide consent.

  • As of January 1, 2016, i-Dressup had at least 2.1 million users, of which approximately 245,000 entered an under-13 birthdate.

DEFENDANTS ARE SUBJECT TO THE COPPA RULE

  • For purposes of Paragraphs 6 through 35 herein, the terms “child,” “collects,” “collection,” “disclosure,” “Internet,” “online contact information,” “operator,” “parent,” “personal information,” “obtaining verifiable consent,” and “Web site or online service directed to children,” are defined as those terms are defined in Section 312.2 of the COPPA Rule, 16 C.F.R. § 312.2.

  • The COPPA Rule applies to any operator of a commercial Web site or online service directed to children that collects, uses, and/or discloses personal information from children, or on whose behalf such information is collected or maintained, and to any operator of a commercial Web site or online service that has actual knowledge that it collects, uses, and/or discloses personal information from children. Defendants operated i-Dressup.com, which was a Web site directed to children. i-Dressup stated that ”[m]ost of our members are girls and boys between 7 and 17.” Because Defendants collected personal information from users who indicated that they are under thirteen years of age when they registered with i-Dressup, Defendants also have actual knowledge that they collected personal information from children through i-Dressup.

  • The COPPA Rule defines “personal information” to include, among other things, a first and last name; a home or other physical address, including street name and name of a city or town; online contact information (i.e., an email address or other substantially similar identifier that permits direct contact with a person online, such as an instant messaging user identifier, screen name, or user name); a persistent identifier that can be used to recognize a user over time and across different Web sites or online services; a photograph, video, or audio file where such file contains a child’s image or voice; or information concerning the child or parents of that child that the operator collects online from the child and combines with an identifier described in this definition. Through i-Dressup.com, Defendants collected personal information as defined in the Rule in the form of first and last name, an email address, and the child’s user name that the child can use to communicate with other users. They also collected other information that they combined with this information, such as passwords. Finally, they “collected” personal information under the Rule by enabling children to make personal information publicly available via i-Dressup’s social features.

  • Because Defendants collected and maintained personal information from their users through i-Dressup, Defendants are operators as defined by the COPPA Rule, 16 C.F.R. § 312.2.

  • Among other things, the Rule requires that an operator of a child-directed Web site or online service meet specific requirements prior to collecting online, using, or disclosing personal information from children, including but not limited to:

    • Posting a privacy policy on its Web site or online service providing clear, understandable, and complete notice of its information practices, including what information it collects from children, how it uses such information, and its disclosure practices for such information, and other specific disclosures set forth in the Rule such as the operator’s contact information.

    • Providing clear, understandable, and complete notice of its information practices, directly to parents, including specific disclosures about the operator’s obligation to delete parental online contact information if consent is not obtained and a hyperlink to the privacy policy.

    • Obtaining verifiable parental consent prior to collecting, using, and/or disclosing personal information from children.

    • Deleting the parental online contact information if no consent was obtained.

    • Establishing and maintaining reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

DEFENDANTS’ COPPA VIOLATIONS

  • Defendants’ privacy policy failed to include information that the COPPA Rule requires operators of child-directed Web sites to disclose, such as the operator’s name, address, telephone number, and email address.

  • Defendants’ direct notice failed to include the content that the COPPA Rule requires. Among other things, Defendants’ direct notice failed to include a hyperlink to i-Dressup’s privacy policy and failed to inform the recipient that if he/she did not provide consent within a reasonable time, from the date that the direct notice was sent, Defendants would delete the parent’s online contact information from i-Dressup’s records. In fact, contrary to COPPA’s requirements, Defendants did not delete the parent’s online contact information, but kept it indefinitely.

  • Defendants failed to obtain verifiable parental consent. For Safe Mode members, Defendants failed to obtain any parental consent, even though such members were covered by COPPA. For other members, the purported parental consent method was inadequate because it was not reasonably calculated to ensure that the person providing consent was the child’s parent, as required by the COPPA Rule.

  • Defendants engaged in a number of practices that, taken together, failed to provide reasonable and appropriate data security to protect the personal information collected from consumers, including children through i-Dressup.com. Among other things, Defendants:

    • failed to adequately assess the vulnerability of its web applications and network to commonly known or reasonably foreseeable attacks, such as “Structured Query Language” (“SQL”) injection attacks;
    • stored and transmitted users’ personal information as well as other information submitted by users, including account passwords, in clear text;
    • failed to implement an intrusion detection and prevention system, or similar safeguards, to alert Defendants of potentially unauthorized access to their computer network; and
    • failed to monitor logs to identify potential security incidents.
  • In late September 2016, Defendants learned that a hacker had accessed their computer network, and accessed the personal information of consumers, including children who used i-Dressup. In August, the hacker remotely accessed Defendants’ network, where Defendants stored in clear text, among other things, users’ user name, password, email address, full name, gender, and date of birth. The hacker accessed information of approximately 2,125,000 users, including 245,000 users who indicated they were under the age of 13.

  • The hacker gained access to Defendants’ computer network by exploiting commonly known and reasonably foreseeable vulnerabilities.

  • Defendants were unaware that the personal information of any consumers had been accessed from their computer network until the hacker sent the hacked data to journalists. One of the journalists, in turn, attempted to contact Defendants, but, after having received no response from Defendants for five days, subsequently contacted Defendant’s web hosting provider, who notified i-Dressup.

  • Defendants could have addressed the failures described in Paragraph 26 by implementing readily available and relatively low-cost security measures.

COUNT I (COPPA)

  • Defendants collected personal information from children under the age of 13 through the i-Dressup Web site, which Defendants operated and was directed to children. Moreover, because Defendants collected children’s birthdate and year, Defendants had actual knowledge that children used this online site.

  • In numerous instances, in connection with the acts and practices described above, Defendants collected, used, and/or disclosed personal information from children in violation of the Rule, including by:

    • Failing to provide sufficient notice on its Web site or online services of the information it collects, or is collected on their behalf, online from children, how it uses such information, its disclosure practices, and all other required content, in violation of Section 312.4(d) of the Rule, 16 C.F.R. § 312.4(d);
    • Failing to provide sufficient direct notice to parents of the information Defendants collect, or information that has been collected on Defendants’ behalf, online from children, how it uses such information, its disclosure practices, and all other required content, in violation of Section 312.4(b) and (c) of the Rule, 16 C.F.R. § 312.4(b)-(c);
    • Failing to obtain verifiable parental consent in violation of Section 312.5 of the Rule, 16 C.F.R. § 312.5;
    • Failing to delete online contact information of the parent after having failed to obtain consent, in violation of Section 312.5(c)(1) of the Rule, 16 C.F.R. § 312.5(c)(1); and
    • Failing to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children, in violation of Section 312.8 of the Rule, 16 C.F.R. § 312.8

    Therefore, Defendants have violated the Rule, 16 C.F.R. Part 312.

  • Pursuant to Section 1303(c) of COPPA, 15 U.S.C. § 6502(c), and Section 18(d)(3) of the FTC Act, 15 U.S.C. § 57a(d)(3), a violation of the Rule constitutes an unfair or deceptive act or practice in or affecting commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

THIS COURT’S POWER TO GRANT RELIEF

  • Defendants violated the Rule as described above with the knowledge required by Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A).

  • Each collection, use, or disclosure of a child’s personal information in which Defendants violated the Rule in one or more ways described above constitutes a separate violation for which Plaintiff seeks monetary civil penalties.

  • Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A), as modified by Section 4 of the Federal Civil Penalties Inflation Adjustment Act of 1990, 28 U.S.C. §2461, amended by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, Public Law 114-74, sec. 701, 129 Stat. 599 (2015), and Section 1.98(d) of the FTC’s Rules of Practice, 16 C.F.R. § 1.98(d), authorizes this Court to award monetary civil penalties of not more than $41,484 for each such violation of the Rule assessed after January 22, 2018.

  • Section 13(b) of the FTC Act, U.S.C. § 53(b), empowers this Court to grant injunctive and such other relief as the Court may deem appropriate to halt and redress violations of any provision of law enforced by the FTC.

PRAYER FOR RELIEF

Wherefore, Plaintiff United States of America, pursuant to Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the FTC Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a) and the Court’s own equitable powers, requests that the Court:

  • Enter a permanent injunction to prevent future violations of the FTC Act and the Rule by Defendants;
  • Award Plaintiff monetary civil penalties from Defendants for each violation of the Rule alleged in this Complaint; and
  • Award other and additional relief the Court may determine to be just and proper.

DATED this 24th day of April, 2019.

FOR THE FEDERAL TRADE COMMISSION:

MANEESHA MITHAL
Associate Director
Division of Privacy and Identity Protection

ROBERT SCHOSHINSKI
Assistant Director
Division of Privacy and Identity Protection

MONIQUE F. EINHORN
Attorney
Division of Privacy and Identity Protection
Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, DC 20580
Tel: (202) 326-2575
Fax: (202) 326-3062

RYAN M. MEHM
Attorney
Division of Privacy and Identity Protection
Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, DC 20580
Tel: (202) 326-2918
Fax: (202) 326-3062

FOR PLAINTIFF THE UNITED STATES OF AMERICA:

JOSEPH H. HUNT
Assistant Attorney General
Civil Division

GUSTAV W. EYLER
Acting Director

KENDRACK D. LEWIS
Trial Attorney
Consumer Protection Branch
U.S. Department of Justice, Civil Division
P.O. Box 386
Washington, DC 20044-0386
Tel: (202) 353-3881

STIPULATED ORDER FOR CIVIL PENALTIES, PERMANENT INJUNCTION, AND OTHER RELIEF

Plaintiff, the United States of America, acting upon notification and on behalf of the Federal Trade Commission ("Commission"), filed its Complaint for Permanent Injunction and Other Equitable Relief ("Complaint"), in this matter, pursuant to Sections 13(b) and 16(a)(1) of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. §§ 53(b) and 56(a)(1), the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6502(c) and 6505(d), and the Commission's Children's Online Privacy Protection Rule ("COPPA Rule"), 16 C.F.R. Part 312. Defendants have waived service of the summons and the Complaint. Plaintiff and Defendants stipulate to the entry of this Stipulated Order for Permanent Injunction and Civil Penalty Judgment ("Order") to resolve all matters in dispute in this action between them.

THEREFORE, IT IS ORDERED as follows:

FINDINGS

  • This Court has jurisdiction over this matter.
  • The Complaint charges that Defendants violated COPPA and the FTC Act by failing to
    include information required by COPPA in i-Dressup's notice of information practices;
    failing to provide sufficient direct notice of their information practices to Parents; failing
    to Obtain Verifiable Parental Consent; and failing to delete Online Contact Information
    of a Parent after having failed to obtain consent.
  • Defendants neither admit nor deny any of the allegations in this Complaint, except as specifically stated in this Order. Only for purposes of this action, Defendants admit the facts necessary to establish jurisdiction.
  • Defendants waive any claim they may have under the Equal Access to Justice Act, 28 U.S.C. § 2412, concerning the prosecution of this action through the date of this Order, and agree to bear their own costs and attorney fees.
  • Defendants and Plaintiff waive all rights to appeal or otherwise challenge or contest the validity of this Order.

DEFINITIONS

For the purpose of this Order, the following definitions apply:

  • "Child" or "Children" means an individual or individuals under the age of 13.

  • Except for purposes of Parts III and IV of this Order, "Collects" or "Collect" or "Collection" or "Collected" or "Collecting" means the gathering of any Personal Information from a Child by any means, including but not limited to:

    • Requesting, prompting, or encouraging a Child to submit Personal Information online;
    • Enabling a Child to make Personal Information publicly available in identifiable form; or
    • Passive tracking of a Child online.
  • "Covered Incident" means any instance in which any United States federal, state, or local law or regulation requires a Covered Business or Individual Defendant to notify any U.S. federal, state, or local government entity that information Collected or received, directly or indirectly, by a Covered Business from or about an individual consumer was, or is reasonably believed to have been, accessed or acquired without authorization.

  • "Covered Business" means Corporate Defendant and any business that Individual Defendants, individually, collectively, or in any combination, control, directly or indirectly.

  • "Covered Information" means any "Personal Information" as defined in this Order and any of the following individually identifiable information from or about an individual consumer, obtained online, including:
    • Date of Birth;
    • Other government-issued identification numbers, such as a driver's license number, military identification number, passport number, or other personal identification number;
    • Financial institution account number;
    • Credit or debit card information; or
    • Authentication credentials, such as a username or password.
  • "Defendants" means all of the Individual Defendants and the Corporate Defendant, individually, collectively, or in any combination.
  • "Corporate Defendant" means Unixiz, Inc., d/b/a i-Dressup.com, and its successors and assigns.
  • "Individual Defendants" means Zhijun Liu and Xichen Zhang.
  • Except for purposes of Part VII of this Order, "Disclose" or "Disclosure" or "Disclosed" means, with respect to Personal Information:
    • The release of Personal Information Collected by an Operator from a Child in identifiable form for any purpose, except where an Operator provides such information to a Person who provides Support For The Internal Operations Of The Web Site Or Online Service; and
    • Making Personal Information Collected by an Operator from a Child publicly available in identifiable form by any means, including but not limited to a public posting through the Internet, or through a personal home page or screen posted on a Web site or online service; a pen pal service; an electronic mail service; a message board, or a chat room.
  • "Internet" means collectively the myriad of computer and telecommunication facilities, including equipment and operating software, which comprises the interconnected worldwide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of transmission.
  • "Obtaining Verifiable Parental Consent" or "Obtain Verifiable Parental Consent" means making any reasonable effort (taking into consideration available technology) to ensure that before Personal Information is Collected from a Child, a Parent of the Child:
    • Receives notice of the Operator's Personal Information Collection, use, and Disclosure practices; and
    • Authorizes any Collection, use, and/or Disclosure of the Personal Information.
  • "Online Contact Information" means an email address or any other substantially similar identifier that permits direct contact with a Person online, including but not limited to, an instant messaging user identifier, a voice over internet protocol (VOIP) identifier, or a video chat identifier.
  • "Operator" means any person who operates a Web site located on the Internet or an online service and who Collects or maintains Personal Information from or about the users of or visitors to such Web site or online service, or on whose behalf such information is Collected or maintained, or offers products or services for sale through the Web site or online service, where such Web site or online service is operated for commercial purposes involving commerce among the several States, or with one (1) or more foreign nations; in any territory of the United States or in the District of Columbia, or between any such territory and another such territory or any State or foreign nation; or between the District of Columbia and any State, territory, or foreign nation.
  • "Parent" includes a legal guardian, except for purposes of Part IX of this Order.

  • "Person" means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.

  • "Personal Information" means individually identifiable information about an individual Collected online, including:

    • A first and last name;
    • A home or other physical address including street name and name of a city or town;
    • Online Contact Information, as defined in 16 C.F.R. § 312.2;
    • A screen or user name where it functions in the same manner as online contact information, as defined in 16 C.F.R. § 312.2;
    • A telephone number;
    • A Social Security number;
    • A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
    • A photograph, video, or audio file where such file contains a Child's image or voice.
    • Geolocation information sufficient to identify street name and name of a city or town; or

       

    • Information concerning the Child or the Parents of that Child that the Operator Collects online from the Child and combines with an identifier described in this section.

       

  • "Release Of Personal Information" means the sharing, selling, renting, or transfer of Personal Information to any Third Party.

  • "Support For The Internal Operations Of The Web Site or Online Service" means:

    • Those activities necessary to:
      • Maintain or analyze the functioning of the Web site or online service;
      • Perform network communications;
      • Authenticate users of, or personalize the content on, the Web site or online service;
      • Serve contextual advertising on the Web site or online service or cap the frequency of advertising;
      • Protect the security or integrity of the user, Web site, or online service;
      • Ensure legal or regulatory compliance; or
      • Fulfill a request of a Child as permitted by 16 C.F.R. §§ 312.5(c)(3) and (4) of COPPA.
    • So long as the information Collected for the activities listed in paragraphs (1)(a)-(g) of this definition is not used or Disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose.
  • "Third Party" means any Person who is not:

    • An Operator with respect to the Collection or maintenance of Personal Information on the Web site or online service; or
    • A Person who provides support for the internal operations of the Web site or online service and who does not use or Disclose information protected under 16 C.F.R. Part 312 for any other purpose.
  • "Web Site Or Online Service Directed To Children" means a commercial Web site or online service, or portion thereof, that is targeted to Children.

    • In determining whether a Web site or online service, or a portion thereof, is directed to Children, the Commission will consider its subject matter, visual content, use of animated characters or Child-oriented activities and incentives, music or other audio content, age of models, presence of Child celebrities or celebrities who appeal to Children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience.
    • A Web site or online service shall be deemed directed to Children when it has actual knowledge that it is Collecting Personal Information directly from users of another Web Site Or Online Service Directed To Children.
    • A Web site or online service that is directed to Children under this criteria set forth in paragraph (1) of this definition, but that does not target Children as its primary audience, shall not be deemed directed to Children if it:
      • Does not Collect Personal Information from any visitor prior to Collecting age information; and

      • Prevents the Collection, use, or Disclosure of Personal Information from visitors who identify themselves as under age 13 without first complying with the notice and parental consent provisions of 16 C.F.R. Part 312.

    • A Web site or online service shall not be deemed directed to Children solely because it refers or links to a commercial Web site or online service directed to Children by using information location tools, including a directory, index, reference, pointer, or hypertext link.

ORDER

I. INJUNCTION CONCERNING THE COLLECTION OF PERSONAL INFORMATION

IT IS ORDERED that Defendants and Defendants' officers, agents, employees, and attorneys, and all other Persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with being an Operator of any Web Site Or Online Service Directed To Children or of any Web site or online service with actual knowledge that it is Collecting or maintaining Personal Information from a Child, are hereby permanently restrained and enjoined from violating the Children's Online Privacy Protection Rule, 16 C.F.R. Part 312, including, but not limited to:

  • Failing to provide sufficient notice on its Web site or online services of the Personal Information it Collects, or is Collected on their behalf, online from Children, how it uses such information, its Disclosure practices, and all other required content.

  • Failing to provide sufficient direct notice to Parents of the Personal Information Defendants Collect, or Personal Information that has been Collected on Defendants' behalf.

  • Failing to provide sufficient notice on its Web site or online services of the Personal Information it Collects, or is Collected on their behalf, online from Children, how it uses such information, its Disclosure practices, and all other required content;
  • Failing to Obtain Verifiable Parental Consent using a method reasonably calculated to ensure that the Person providing consent is the Child's Parent, and failing to Obtain Verifiable Parental Consent for some under-13 users despite Collecting Personal Information from them;
  • Failing to delete Online Contact Information of the Parent after having failed to Obtain Verifiable Parental Consent; and
  • Failing to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of Personal Information Collected from Children.
    A copy of the Children's Online Privacy Protection Rule, 16 C.F.R. Part 312, is attached
    hereto as appendix A.

II. MONETARY JUDGEMENT FOR CIVIL PENALTY

IT IS FURTHER ORDERED that:

  • Judgement in the amount of thirty-five thousand dollars ($35,000) is entered in favor of Plaintiff against Defendants, jointly and severally, as a civil penalty.
  • Defendants are ordered to pay to Plaintiff, by making payment to the Treasurer of the United States, thirty-five thousand dollars ($35,000), which, as Defendants stipulate, their undersigned counsel holds in escrow for no purpose other than payment to Plaintiff. Such payment must be made within seven (7) days of entry of this Order by electronic fund transfer in accordance with instructions previously provided by a representative of Plaintiff.

III. ADDITIONAL MONETARY PROVISIONS

IT IS FURTHER ORDERED that:

  • Defendants relinquish dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.
  • The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission, including in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order.
  • Defendants agree that the judgment represents a civil penalty owed to the government of the United States, is not compensation for actual pecuniary loss, and, therefore, as to the Individual Defendants, it is not subject to discharge under the Bankruptcy Code pursuant to 11 U.S.C. § 523(a)(7).
  • Defendants acknowledge that their Taxpayer Identification Numbers, which Defendants must submit to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.

IV. MANDATED INFORMATION SECURITY PROGRAM

IT IS FURTHER ORDERED that each Covered Business shall not transfer, sell, share, collect, maintain, or store Covered Information unless it establishes and implements, and thereafter maintains, a comprehensive information security program ("Information Security Program") that is designed to protect the security, confidentiality, and integrity of such Covered Information. To satisfy this requirement, each Covered Business must, at a minimum:

  • Document in writing the content, implementation, and maintenance of the Information Security Program;
  • Designate a qualified employee or employees to coordinate and be responsible for the Information Security Program;
  • Assess and document, at least once every twelve months and promptly following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Covered Information that could result in the unauthorized Disclosure, misuse, loss, alteration, destruction, or other compromise of such information;
  • Design, implement, and document safeguards that address the internal and external risks each Covered Business identifies to the security, confidentiality, or integrity of Covered Information identified in response to sub-Provision IV.C. Each safeguard shall take into account the sensitivity of Covered Information at issue;
  • Assess, at least once every twelve months and promptly following a Covered Incident, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Covered Information. Each such assessment must evaluate safeguards in each area of relevant operation, including: (1) employee training and management; (2) information systems, such as network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;
  • Test and monitor the effectiveness of the safeguards at least once every twelve months and promptly following a Covered Incident, and modify the Information Security Program based on the results;
  • Select and retain service providers capable of safeguarding Covered Information they receive from each Covered Business, and contractually require service providers to implement and maintain safeguards for Covered Information; and
  • Evaluate and adjust the Information Security Program in light of any changes to its operations or business arrangements, a Covered Incident, or any other circumstances that Defendants know or have reason to know may have an impact on the effectiveness of the Information Security Program. At a minimum, Defendants must evaluate the Information Security Program at least once every twelve months.

V. INFORMATION SECURITY ASSESSMENTS BY A THIRD PARTY

IT IS FURTHER ORDERED that in connection with compliance with Provision IV of this Order titled Mandated Information Security Program, Defendants must obtain initial and biennial assessments ("Assessments"):

  • The Assessments must be obtained from a qualified, objective, independent third-party professional ("Assessor"), who uses procedures and standards generally accepted in the profession. The Assessor preparing such Assessments must be: an individual qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); an individual holding Global Information Assurance Certification (GIAC from the SANS Institute; or a qualified individual or entity approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.
  • The reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment; and (2) each 2-year period thereafter for ten (10) years after issuance of the Order for the biennial Assessments.
  • Each Assessment must: (1) determine whether each Covered Business has implemented and maintained Provision IV of this Order titled Mandated Information Security Program; (2) assess the effectiveness of each Covered Business's implementation and maintenance of sub-Provisions IV.AH; and (3) identify any gaps or weaknesses in the Information Security Program.
  • Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Defendants must submit the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: FTC v. Unixiz, Inc. All subsequent biennial Assessments shall be retained by Defendants until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request.

VI. PROHIBITION AGAINST MISREPRESENTATIONS TO THE ASSESSOR

IT IS FURTHER ORDERED that Defendants, whether acting directly or indirectly, in connection with any Assessment required by Provision V of this Order titled Information Security Assessments by a Third Party, must not misrepresent in any manner, expressly or by implication, any fact material to the Assessor's: (1) determination of whether each Covered Business has implemented and maintained Provision IV of this Order titled Mandated Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions IV.AH; or (3) identification of any gaps or weaknesses in the Information Security Program.

VII. ANNUAL CERTIFICATION

IT IS FURTHER ORDERED that in connection with compliance with Provision IV of this Order titled Mandated Information Security Program, Defendants shall:

  • One year after the issuance date of this Order, and each year thereafter for a period of ten (10) years, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of each Covered Business responsible for each Covered Business's Information Security Program that: (1) each Covered Business has established, implemented, and maintained the requirements of this Order; (2) each Covered Business is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of any Covered Incident. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon
    whom the senior corporate manager or senior officer reasonably relies in making the certification.
  • Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: FTC v. Unixiz, Inc.

VIII. ORDER ACKNOWLEDGMENTS

IT IS FURTHER ORDERED that Defendants obtain acknowledgments of receipt of this Order:

  • Each Defendant, within seven (7) days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.

  • For 5 years after entry of this Order, each Individual Defendant for any business that such Defendant, individually or collectively with any other Defendants, is the majority owner or controls directly or indirectly, and each Corporate Defendant, must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Section titled Compliance Reporting. Delivery must occur within seven (7) days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.
  • From each individual or entity to which a Defendant delivered a copy of this Order, that Defendant must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.

IX. COMPLIANCE REPORTING

IT IS FURTHER ORDERED that Defendants make timely submissions to the Commission:

  • One year after entry of this Order, each Defendant must submit a compliance report, sworn under penalty of perjury.
    • Each Defendant must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission and Plaintiff may use to communicate with Defendant; (b) identify all of that Defendant's businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales, and the involvement of any other Defendant (which Individual Defendants must describe if they know or should know due to their own involvement); (d) describe in detail whether and how that Defendant is in compliance with each Section of this Order; (e) provide a copy of each different version of any privacy notice posted on each Web site or online service operated by Defendants or sent to Parents of Children that register on each Web site or online service; (f) describe in detail the methods used to Obtain Verifiable Parental Consent prior to any Collection, use, and/or Disclosure of Personal Information from Children through any Web site or online service; (g) describe in detail the means provided for Parents to review the Personal Information Collected from their Children and to refuse to permit its further use or maintenance; and (h) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.
    • Additionally, each Individual Defendant must: (a) identify all telephone numbers and all physical, postal, email and Internet addresses, including all residences; (b) identify all business activities, including any business for which such Defendant performs services whether as an employee or otherwise and any entity in which such Defendant has any ownership interest; and (c) describe in detail such Defendant's involvement in each such business, including title, role, responsibilities, participation, authority, control, and any ownership.
  • For ten (10) years after entry of this Order, each Defendant must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following:

    • Each Defendant must report any change in: (a) any designated point of contact: or (b) the structure of any Corporate Defendant or any entity that Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.
    • Additionally, each Individual Defendant must report any change in: (a) name, including aliases or fictitious name, or residence address; or (b) title or role in any business activity, including any business for which such Defendant performs services whether as an employee or otherwise and any entity in which such Defendant has any ownership interest, and identify the name, physical address, and any Internet address of the business or entity.
  • Each Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Defendant within fourteen (14) days of its filing.

  • Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: "I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: " and supplying the date, signatory's full name, title (if applicable), and signature.

  • Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: FTC v. Unixiz, Inc.

X. RECORDKEEPING

IIT IS FURTHER ORDERED that Defendants must create certain records for ten (10) years after entry of the Order, and retain each such record for five (5) years. Specifically, the Corporate Defendant, in connection with any Web site or online service, and each Individual Defendant for any business that such Defendant, individually or collectively with any other Defendants, is a majority owner or controls directly or indirectly, must create and retain the following records:

  • Accounting records showing the revenues from all goods or services sold;
  • personnel records showing, for each Person providing services, whether as an employee
    or otherwise, that Person's: name; addresses; telephone numbers; job title or position;
    dates of service; and (if applicable) the reason for termination;
  • Records of all consumer complaints concerning the subject matter of the Order, whether received directly or indirectly, such as through a Third Party, and any response;

  • All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and

  • A copy of each materially different form, page, or screen created, maintained, or otherwise provided by Defendants through which Personal Information is Collected through any Web site or online service, and a copy of each materially different document containing any representation regarding Collection, use, and Disclosure practices pertaining to Personal Information Collected through such Web site or online service. Each webpage copy shall be accompanied by the URL of the webpage where the material was posted online. Electronic copies shall include all text and graphic files, audio scripts, and other computer files used in presenting information on the Internet.

XI. COMPLIANCE MONITORING

IT IS FURTHER ORDERED that, for the purpose of monitoring Defendants' compliance with this Order, including any failure to transfer any assets as required by this Order:

  • Within fourteen (14) days of receipt of a written request from a representative of the Commission or Plaintiff, each Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Commission and Plaintiff are also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.
  • For matters concerning this Order, the Commission and Plaintiff are authorized to communicate directly with each Defendant. Defendant must permit representatives of the Commission and Plaintiff to interview any employee or other Person affiliated with any Defendant who has agreed to such an interview. The Person interviewed may have counsel present.
  • The Commission and Plaintiff may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Defendants or any individual or entity affiliated with Defendants, without the necessity of identification or prior notice. Nothing in this Order limits the Commission's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.
  • Upon written request from a representative of the Commission or Plaintiff, any consumer reporting agency must furnish consumer reports concerning Individual Defendants, pursuant to Section 604(1) of the Fair Credit Reporting Act, 15 U.S.C. § 1681b(a)(1).

XII. RETENTION OF JURISDICTION

IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.

SO ORDERED this ____ day of ________, 2019.

  NATHANAEL M. COUSINS
UNITED STATES MAGISTRATE JUDGE

SO STIPULATED AND AGREED:


FOR PLAINTIFF UNITED STATES OF AMERICA


JOSEPH H. HUNT
Assistant Attorney General
Civil Division
GUSTAV W. EYLER
Acting Director

KENDRACK D. LEWIS
Trial Attorney
Consumer Protection Branch
U.S. Department of Justice, Civil Division
P.O. Box 386
Washington, DC 20044-0386
Tel: (202) 353-0386
kendrack.lewis@usdoj.gov

FOR THE FEDERAL TRADE COMMISSION


MANEESHA MITHAL
Associate Director
Division of Privacy and Identity Protection


ROBERT SCHOSHINSKI
Assistant Director
Division of Privacy and Identity Protection

MONIQUE F. EINHORN
RYAN M. MEHM
Attorneys
Division of Privacy and Identity Protection
Federal Trade Commission
600 Pennsylvania Avenue NW
Washington, DC 20580
Tel: (202) 326-2575
Fax: (202) 326-3062
meinhorn@ftc.gov
rmehm@ftc.gov

FOR DEFENDANTS


STACEY BRANDENBUR
ZwillGen PLLC
1900 M Street, NW
Suite 250
Washington, DC 20036
Tel: (202) 706-5220
stacey@zwillgen.com
Couns el for Unixiz, In and Zhijun Liu and Xichen Zhang

KANDI PARSONS
ZwillGen PLLC
1900 M Street, NW
Suite 250
Washington, DC 20036
Tel: (202) 706-5213
Kandi@zwillgen.com
Counsel for Unixiz, Inc. and Zhijun Liu and Xichen Zhang

DEFENDANTS

ZHIJUN LIU
Individually, and as CEO and CFO of Unixiz, Inc.

XICHEN ZHANG
Individually, and as Secretary of Unixiz, Inc.

 

 

illustration of contact means

Questions?

If you would like to learn more, our compliance experts are happy to support you..

Leave us a Message
support@clym.io
+1 980 446 8535 +1 866 275 2596