Full Report
A civil complaint filed by the federal government alleges that the Sendit app illegally collected data from users under 13 and tricked people into paying for subscriptions.
Analysis Summary
# Regulation/Compliance: FTC Action Against Messaging App (COPPA, FTC Act, ROSCA Violations)
## Overview
This summary pertains to a civil complaint filed by the Federal Trade Commission (FTC) against Iconic Hearts Holdings, Inc. (operator of the Sendit messaging app) for alleged violations of child privacy laws (COPPA), deceptive subscription practices violating the FTC Act, and dishonest subscription sign-up processes violating the Restore Online Shoppers’ Confidence Act (ROSCA). The core allegations involve illegally collecting personal data from children under 13 without parental consent and deceiving users, including children, into paid subscriptions.
## Key Details
- Issuing Authority: Federal Trade Commission (FTC), via the Department of Justice.
- Effective Date: The underlying statutes (COPPA, FTC Act, ROSCA) are already in effect; the allegations pertain to past actions.
- Jurisdiction: United States federal law, applicable to online services targeting or knowingly interacting with U.S. consumers.
- Status: Alleged violations resulting from pending civil litigation/complaint.
## Requirements
### Mandatory Requirements
1. **COPPA Compliance:** Operators of online services directed to children under 13, or those with actual knowledge that they are collecting personal information from such children, must:
   * Provide clear, prominent notice of data collection practices at the first point of contact.
   * Obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13.
2. **FTC Act Compliance (General Deception):** Cease deceptive practices. Specifically, stop misleading users (especially children) by sending fake messages (e.g., potentially compromising questions) to induce subscription purchases.
3. **ROSCA Compliance:** Ensure all material disclosures regarding subscription enrollment terms—including the total cost, recurring nature, and cancellation policy—are clearly and conspicuously presented to the consumer *before* obtaining their billing information.
### Recommended Practices
1. **Age Verification:** Implement robust age-screening mechanisms to reliably identify and segment users under 13.
2. **Transparency:** Ensure all subscription activation processes are highly transparent, clearly stating recurring charges without relying on manipulative triggers (like fake, hidden messages).
3. **Data Minimization:** Limit the collection of personal data (phone numbers, photos, specific social media usernames) from users whose age cannot be reliably verified as over 13.
## Affected Organizations
- Industries: Online messaging applications, social platform intermediaries, and any digital service that collects personal information from users and has actual knowledge that a significant portion of its user base is under 13.
- Organization Size: Applies regardless of size, as evidenced by the suit against a specific CEO/company operator.
- Geographic Scope: Organizations operating under U.S. jurisdiction or targeting U.S. consumers.
## Compliance Timeline
- **Pre-Violation:** Compliance with COPPA, FTC Act, and ROSCA should have been ongoing at the time of data collection and billing initiation.
- **Current Status:** Subject to ongoing litigation timelines following the filing of the civil complaint (filing date undisclosed; the complaint was reported on September 30th, 2025).
- **Final Resolution/Consent Decree:** Compliance mandated upon settlement or final judgment.
## Implementation Guidance
### Assessment Phase
- Audit all user onboarding flows to determine if verifiable age screening is present to meet COPPA requirements.
- Review mechanisms for anonymous submissions or messages to ensure they do not violate FTC Act standards concerning manipulative design or deception.
- Analyze billing workflows against ROSCA requirements: Are all terms (price, recurrence, process to cancel) clear before payment submission?
### Implementation Phase
- If users under 13 are identified, immediately cease collection of personal information until verifiable parental consent is obtained.
- Redesign subscription purchase paths to ensure clear, non-deceptive disclosure of terms as required by ROSCA.
### Validation Phase
- Conduct third-party audits of privacy policy dissemination and parental consent mechanisms.
- Test subscription opt-out procedures to ensure they align with disclosures made during sign-up.
## Technical Requirements
1. **Data Segregation:** Technical controls must be in place to prevent personal data collection from users identified as under 13.
2. **Disclosing Sender Identity:** If the service promises to reveal message senders, the mechanism for doing so must accurately reflect the sender's identity, or the service must not promise to reveal identity without payment.
## Penalties & Enforcement
- Fines: Penalties under COPPA are significant and can reach thousands of dollars per violation (per affected child). Financial penalties also apply under ROSCA for failing to disclose terms or for cancellation limitations.
- Other Consequences:
  * Required disgorgement of ill-gotten subscription revenues.
  * Potential injunctions restricting future business practices.
  * Reputational damage associated with child safety violations.
- Enforcement: Pursued via civil complaint filed by the Department of Justice on behalf of the FTC.
## Related Standards
- **COPPA (Children’s Online Privacy Protection Rule):** The primary federal regulation violated.
- **FTC Act (Section 5):** Used to prohibit unfair and deceptive acts or practices.
- **ROSCA (Restore Online Shoppers’ Confidence Act):** Used to prohibit deceptive billing practices associated with recurring charges.
## Resources
- Official Documentation: The specific Civil Complaint filed by the DOJ regarding the Sendit app (URL provided in article: `ftc.gov/system/files/ftc_gov/pdf/IconicHeartsComplaint.pdf`).
- Guidance Documents: FTC's official COPPA Guidance documents.
- Tools: Compliance monitoring tools for tracking user demographics relative to known privacy regulations.
## Practical Recommendations
1. **Immediate COPPA Gap Analysis:** If you operate a mobile application or website interacting with children, formally document your process for verifying age and obtaining parental consent, noting where the Sendit app appears to have failed.
2. **Review In-App Purchase Triggers:** Scrutinize any feature that uses psychological manipulation (e.g., curiosity gaps, unverified senders) to push users toward monetization, especially if minors are a target audience.
3. **Subscription Contract Review:** Engage legal counsel to confirm all auto-renewal disclosures meet the stringent requirements of ROSCA for any U.S.-facing service charging recurring fees.