Search
circle_violation_icons

History of COPPA & GDPR Violations
Here is a list of significant COPPA & GDPR violations as they relate to children. 

Information about enforcement actions, including the amounts of civil penalties obtained, can be found in the timeline below. Each violation highlights a key lesson.

 

COPPA Violation Penalties

Operators who violate the Rule can be held liable for civil penalties of up to $50,120 per violation by a court. The amount of civil penalties sought by the FTC or assessed by a court may depend on various factors, such as the severity of the violations, any prior breaches of the Rule by the operator, the number of children affected, the nature and quantity of collected personal information, the utilization of such information, any sharing with third parties, and the company's size. The assessment of the suitable civil penalty is subject to case-specific considerations. 
EU GDPR & UK Children's Code Violation Penalties

The GDPR includes special protections for children’s data. Less severe infringements can result in a fine of €10 million or 2% of a firm's annual revenue from the preceding financial year, depending on which amount is higher. More serious violations can result in a fine of up to €20 million or 4% of a firm's annual revenue from the preceding year, depending on what is higher. Failure to comply with the UK Children’s Code could lead to a GDPR violation as the Code informs the regulation.

Learn more about COPPA and GDPR enforcement and penalties by clicking here

Timeline of Violations

Last updated September 15, 2023

GDPRviolation
€345,000,000
September 15, 2023

TikTok

The Irish Data Protection Commission (DPC) adopted its final decision regarding its inquiry into TikTok (TTL). 

The decision records findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), 13(1)(e) and 5(1)(a) GDPR. The decision further exercises the following corrective powers: A reprimand; An order requiring TTL to bring its processing into compliance by taking the action specified within a period of three months from the date on which the DPC’s decision is notified to TTL; and administrative fines totalling €345 million. Read more

 

ew
$20,000,000
June 05, 2023

Microsoft

Illegally collected personal information from children without their parents’ consent. The proposed order will require Microsoft to bolster protections for children; makes clear that avatars and biometric and health data are protected under COPPA. Read more

ew
$25,000,000
May 31, 2023

Amazon

FTC and DOJ Charge Amazon with violating COPPA by keeping kids’ Alexa voice recordings forever and undermining parents’ deletion requests. Proposed order to require Amazon to pay $25 million and delete children’s data, geolocation data, and other voice recording. Read more

COPPA Violation Fine image
$6,000,000
May 22, 2023

Edmodo

The proposed order includes a $6 million monetary penalty, which will be suspended due to the company’s inability to pay in addition to other order provisions, which will provide protections for children’s data should Edmodo resume operations in the United States.  Read more

GDPR Violation
£12.700,000
April 4, 2023

TikTok

TikTok hit with $15.7M UK fine for misusing children’s data. More than one million UK children under 13 estimated by the ICO to be on TikTok in 2020, contrary to its terms of service. Personal data belonging to children under 13 was used without parental consent and they failed to provide proper information to people using the platform about how their data is collected, used, and shared in a way that is easy to understand. TikTok “did not do enough” to check who was using their platform and take sufficient action to remove the underage children that were. Read more

ew
$520,000,000
December 19, 2022

Fortnite (Epic Games)

Epic will pay a $275 million penalty for violating children’s privacy law, change default privacy settings, and pay $245 million in refunds for tricking users into making unwanted charges.
Read more

GDPRviolation
€405,000,000
September 2, 2022

Instagram (Meta IE)

The Irish Data Protection Commission (DPC) has issued a penalty of €405m (£349m) against Instagram in relation to an alleged failure to protect children’s data. Children (users between 13 and 17 years old) using Instagram were allowed to activate “business accounts”; however, given default privacy settings for business accounts, operating such accounts, resulted in the publication of child user’s personal contact information (e.g.; phone number and/or email address). As part of the Instagram user registration process, the platform had a setting through which child user accounts could, by default, be “public”. In such instances, the individual (child) user would have to know to change the account settings to “private”. 

Violated the GDPR for failing to adequately secure teenage users’ data in line with the General Data Protection Regulation (GDPR). Read more

COPPA violation
$1,500,000
February 18, 2022

WW International and Kurbo Inc.

WW International — previously Weight Watchers — has agreed to pay $1.5 million to resolve claims from the Federal Trade Commission (FTC) that it illegally gathered the data of underage users of its Kurbo program. Read more

ew
$2,000,000
Dec 15, 2021

OpenX

California-based online advertising platform OpenX Technologies, Inc. will be required to pay $2 million to settle Federal Trade Commission allegations that the company collected personal information from children under 13 without parental consent. Read more

ew
$3,000,000
July 1st, 2021

Recolor

In its complaint, the FTC alleged that the Recolor app collected personal information from children under the age of 13 who used the app’s social media features and allowed third-party advertising networks to collect personal information from users in the form of persistent identifiers, also known as cookies, for targeted ads. The companies failed to instruct the ad networks to refrain from using children’s persistent identifiers for behavioral advertising, according to the compliant. Read more

 

GDPRviolation
€750,000 
July 2021

TikTok

The Dutch Data Protection Authority (DPA) has imposed a fine for violating the privacy of young children. The information provided by TikTok to Dutch users – many of whom are young children – when installing and using the app was in English and thus not readily understandable. By not offering their privacy statement in Dutch, TikTok failed to provide an adequate explanation of how the app collects, processes and uses personal data. This is an infringement of privacy legislation, which is based on the principle that people must always be given a clear idea of what is being done with their personal data. Many children in the Netherlands have TikTok on their phones. Read more

ew
July 6, 2020

Miniclip

Miniclip falsely claimed from 2015 through mid-2019 that it was a member of the Children’s Advertising Review Unit’s (CARU) COPPA safe harbor program even though Miniclip’s membership had been terminated in 2015. Miniclip is prohibited from misrepresenting its participation or certification in any privacy or security program sponsored by a government or any self-regulatory organization, including the CARU COPPA safe harbor program. Miniclip is also subject to compliance and record keeping requirements. Read more

ew
$100,000
June 24, 2020

We Heart It

The Washington AG alleged that We Heart It, which has approximately 500,000 monthly active U.S. users, allowed children under the age of 13 to create accounts, collected U13 users’ personal information, and allowed third-party advertisers to collect data from U13 users, all without obtaining COPPA-compliant verifiable parental consent. Read more

ew
$150,000
June 4, 2020

HyperBeard

The app developer violated COPPA by allowing third-party ad networks to collect personal information in the form of persistent identifiers to track users of the company’s child-directed apps, without notifying parents or obtaining verifiable parental consent.

HyperBeard has an array of children's apps including Axolochi, BunnyBuns, Chichens, Claberta, Clawbert, KleptoCats, KleptoCats 2, KleptoDogs, MonkeyNauts, and NomNoms.

GDPRviolation
$8,000,000
2020

Google

Sweden’s Data Protection Authority (DPA) 

Google was fined for “failure to comply” with Europe’s General Data Protection Regulation (GDPR) after they reportedly failed to adequately remove search result links under right-to-be-forgotten requests. Read more

ew
Consent Agreement
October 22, 2019

Retina-X Studios, LLC

The apps—MobileSpy, PhoneSheriff and TeenShield—referred to as "stalking apps", allowed purchasers to monitor the mobile devices on which they were installed, without the knowledge or permission of the device’s user.

Retina-X violated the COPPA by failing to take reasonable measures to secure the personal information it collected from children. Read more 

ew
$170,000,000
September 4, 2019

YouTube

Google LLC and its subsidiary YouTube, LLC paid a record $170 million to settle allegations by the Federal Trade Commission and the New York Attorney General that the YouTube video sharing service illegally collected personal information from children without their parents’ consent.

The settlement required Google and YouTube to pay $136 million to the FTC and $34 million to New York for allegedly violating the COPPA.
Read more

GDPRviolation
SEK200,000
August 20, 2019

Secondary Education Board (Gymnasienämnden)

Supervision pursuant to the General Data Protection Regulation (EU) 2016/679 – facial recognition used to monitor the attendance of students. The Swedish Data Protection Authority has concluded that, by using facial recognition via a camera to monitor the attendance of students, the Secondary Education Board (Gymnasienämnden) in the municipality of Skellefteå (Skellefteå kommun) has processed personal data in breach of: - Article 5, Article and - Articles 35 and 36 by failing to fulfil the requirements for an impact assessment and failing to carry out prior consultation with the Swedish Data Protection Authority.  Read more

ew
$5,700,000
February 27, 2019

Musical.ly (TikTok)

Musical.ly, now known as TikTok, has agreed to pay $5.7 million to settle FTC allegations that the company illegally collected personal information from children. The operators knew many children were using the app but they still failed to seek parental consent before collecting names, email addresses, and other personal information from users under the age of 13,

At the time, it was the largest civil penalty ever obtained by the Commission in a children’s privacy case. Read more

ew
$4,950,000
December 1, 2018

Oath (AOL)

TechCrunch’s Verizon-owned parent, Oath, an ad tech division made from the merging of AOL and Yahoo, has agreed to pay $4.95 Million – and adopt comprehensive reforms to protect children from improper tracking. The company conducted billions of auctions for targeted ads on hundreds of children’s websites in violation of COPPA. Read more

 

 

 

ew
$35,000
August 3, 2018

Unixiz Inc. (i-Dressup)

i-Dressup collected and retained personal information from children without parental consent. In addition to violating COPPA’s parental consent provisions, i-Dressup violated COPPA’s data security requirements.

ew
$500,000
February 5, 2018

Explore Talent

Along with collecting names, contact information and age, the company also asked users for their mailing address, weight, “body type,” and measurements for waist, hips, bust, shirt, etc. In addition, they urged users to upload a photo because “agents & casting directors choose only serious candidates with pictures. All of this was done without collecting parent permission.

ew
$650,000
February 5, 2018

VTech

The company was found collecting information from children without parents permission through connected toys violating children's privacy.

ew
$835,000
September 13, 2016

Operation Child Tracker

Operation Child Tracker was a two-year investigation by the NY Attorney General’s office, discovered that websites operated by Mattel, Viacom, Hasbro and Jumpstart were home to tracking technology that illegally enabled third-party vendors, such as marketers or advertising companies, to track children’s online activity in violation of COPPA.

Mattel $250,000   Viacom $500,000
Hasbro No fine.  Jumpstart $85,000.

ew
$650,000
June 22, 2016

InMobi

The FTC charged the company for deceptively tracking the locations of hundreds of millions of consumers – including children – without their knowledge or consent to serve them geo-targeted advertising.

ew
$300,000
December 17, 2015

Retro Dreamer & its principals

The company created a number of apps targeted to children, including Ice Cream Jump, Happy Pudding Jump, Ice Cream Drop, Sneezies, Wash the Dishes, Cat Basket and Tappy Pop and allowed third-party advertisers to collect children’s personal information through the apps.

ew
$60,000
December 17, 2015

LAI Systems, LLC

The company created a number of apps directed to children, including My Cake Shop, My Pizza Shop, Hair Salon Makeover, Friday Night Makeover, Marley the Talking Dog and Animal Sounds and allowed third-party advertisers to collect personal information from children in the form of persistent identifiers. Defendant failed to inform the ad networks that the apps were directed to children and did not provide notice or get consent from children’s parents for collecting and using the information.

ew
$300,000
September 17, 2014

Tiny Co

Tiny Co runs many games and applications including Tiny Pets, Tiny Zoo, Tiny Village, Tiny Monsters and more. In exchange for in-app currency to buy game enhancements, TinyCo encouraged kids to turn over their email addresses, but the company didn't get parental permission as required by COPPA.

ew
$450,000
September 17, 2014

Yelp

The lawsuit also alleged that Yelp didn’t adequately test its apps to ensure that users under the age of 13 were prohibited from registering

ew
Feb 13, 2013

Path, Inc.

The Path social networking app was charged for deceiving users by collecting personal information from their mobile device address books without their knowledge and consent. In addition to the civil penalty, the settlement requires Path, Inc. to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. Read more.

ew
$1M
Oct 4, 2012

Artist Arena

The operator of fan websites for music stars Justin Bieber, Rihanna, Demi Lovato, and Selena Gomez violated COPPA by improperly collecting personal information from children under 13 letting them register to join the fan clubs, create profiles and post on members’ walls without their parents’ consent.  Read more

ew
$250,000
March 27, 2012

RockYou

While touting its security features, RockYou failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users and violated COPPA in collecting information from approximately 179,000 children. As part of settlement, the FTC required RockYou to implement and maintain a data security program, bars future violations of the COPPA Rule, and requires it to pay fine.

ew
$100,000
November 8, 2011

Skid-e-kids

The operator of www.skidekids.com(link is external), a website that advertises itself as the “Facebook and Myspace for Kids,” targeted children ages 7-14 to register, create and update profile information, create public posts, upload pictures and videos, and “friend” and send messages to other Skid-e-kids members.

ew
$50,000
August 15, 2011

Broken Thumbs Apps

This was the Commission’s first case involving mobile applications, known as apps, collecting children's information. 

ew
$3,000,000
May 12, 2011

Playdom, Inc.

The operators of 20 online virtual worlds have agreed to pay $3 million to settle Federal Trade Commission charges that they violated COPPA by illegally collecting and disclosing personal information from hundreds of thousands of children under age 13 without their parents’ prior consent. 

ew
$250,000
October 20, 2009

Iconix Brand Group

Iconix required consumers on many of its brand-specific Web sites to provide personal information, such as full name, e-mail address, zip code, and in some cases mailing address, gender, and phone number – as well as date of birth – in order to receive brand updates, enter sweepstakes contests, and participate in interactive brand-awareness campaigns and other Web site features.

ew
$1,000,000
December 11, 2008

Sony BMG Music

The Commission’s complaint alleges that, through its music fan Web sites, Sony Music improperly collected, maintained and disclosed personal information from thousands of children under the age of 13, without their parents’ consent.

ew
$130,000
January 30, 2008

Industrious Kid, Inc.

The web site in the violation was advertised as a “free, secure, social networking and blogging destination specifically designed for kids ages 8 to 14.” however collected and maintained personal information from children under the age of 13 without first notifying parents and obtaining their consent.

ew
$11,500
December, 2007

TheDollPalace.com

In December 2007, Texas became the first state to file COPPA enforcement actions, by separately suing the entities behind Gamesradar.com and TheDollPalace.com.

ew
December, 2007

Gamesradar.com

In December 2007, Texas became the first state to file COPPA enforcement actions, by separately suing the entities behind Gamesradar.com and TheDollPalace.com.

ew
$1,000,000
September 7, 2006

Xanga

Xanga is a social networking site that collected, used and disclosed information from children under 13. This is the first million-dollar penalty since COPPA was enacted.

ew
$400,000
February 18, 2004

UMG Recordings, Inc.

UMG Recordings operates hundreds of general audience Web sites that advertise and promote its music and artists, many of whom are popular with children.

UMG gained actual knowledge that a child was registering on the site whenever a child entered a birth date indicating he was under the age of 13. Yet, UMG collected this personal information from children without first notifying parents and obtaining verifiable parental consent.

ew
$75,000
February 18, 2004

Bonzi Software

The Bonzi Software case is the first COPPA case to challenge the information collection practices of an online service in connection with a software product

ew
$85,000
February 22, 2003

Hershey

Hershey operates more than 30 Web sites - many of which are candy-related sites directed to children. On a number of these sites, the company allegedly employed a method of obtaining parental consent that does not meet the standard delineated under the COPPA Rule.

ew
$100,000
February 22, 2003

Mrs. Field's Cookies

Portions' of Mrs. Fields web sites were directed to children. The company allegedly collected personal information from more than 84,000 children, without first obtaining parental consent.

ew
$35,000
April 22, 2002

Ohio Art Company (Etch-a-Sketch)

The Ohio Art Company was found collecting personal information from children registering for "Etchy's Birthday Club." The site collected the names, mailing addresses, e-mail addresses, age, and date of birth from children who wanted to qualify to win an Etch-A-Sketch toy on their birthday without parent permission

ew
$10,000

American Pop Corn Company

The company’s website featured a “Kids Club" section that features games, crafts, contests, and jokes directed to children under the age of 13. The company collected personal information without parent consent.

ew
$30,000
October 4, 2001

Lisa Frank

The Lisa Frank website was directed towards children and asked girls to register before they accessed many areas of the site, including the "club" and "shop" areas. The site asked girls for their first and last names, street addresses, phone numbers, e-mail addresses and birth dates, as well as their favorite color and season without parent permission.

ew
$100,000
April 19, 2001

Monarch Services, Inc., Girls Life, Inc., Bigmailbox.com, Inc, Nolan Quan & Looksmart Ltd.

Marking the first anniversary of COPPA, the FTC announced settlements with three Web operators for illegally collecting personally identifying information from children under 13 years of age without parental consent. The companies together will pay a total of $100,000 in civil penalties and are required to comply with COPPA in connection with any future online collection of personally identifying information from children under 13. The settlement also requires the operators to delete all personally identifying information collected from children online at any time since the Rule's effective date. Read more

ew
July 21, 2000

Toysmart.com

This was the first complaint the Commission filed alleging a violation of COPPA. Toysmart collected detailed personal information about its visitors, including name, address, billing information, shopping preferences, and family profiles -- which included the names and birthdates of children. When it ran into financial difficulties, it attempted to sell all of its assets, including its detailed customer databases. Agreement enforces privacy promises, prohibits sale of customer lists except under very restricted circumstances. Read more.

ew
Feb 12, 1999

GeoCities

GeoCities, agreed to settle FTC charges that it misrepresented the purposes for which it was collecting personal identifying information from children and adults. This was the first FTC case involving Internet privacy. Read more

Compliance Matters

Complying with COPPA, the GDPR  and the Children's Code not only protects your organization from legal trouble, but shows that you are willing to go the extra mile to keep kids safe online. Learn more about PRIVO's COPPA Safe Harbor Certification, and GDPRkids™   privacy assured program to see how we can help your organization safely engage with children and their families online.

Contact us for more information on getting your organization in compliance.

Want to receive our biweekly industry newsletter?

Contact Us