Only a day after releasing a framework to help companies "self-regulate" online privacy, the US Federal Trade Commission has settled with social gaming site RockYou, which the FTC says advertised a secure service while implementing poor practices that resulted in 32 million accounts being stolen by hackers in 2009. The FTC had filed a civil complaint alleging that RockYou deceptively represented its services as secure when, in reality, it stored a plaintext database of account information and encouraged short, weak passwords.
The site also apparently collected 179,000 email addresses from children under thirteen without notifying parents or admitting that it collected such information from children, a violation of the Children's Online Privacy Protection Act. RockYou's operator has agreed to the terms of a proposed settlement. As part of the settlement, RockYou will need to delete any information that it has collected from children, maintain a stronger security program, and pay a fine of $250,000. RockYou was widely criticized after the hack, so we're sure this settlement was a long time coming. Even so, its timing suggests that the FTC is letting businesses know that it expects them to follow through with their security promises.