Full Report
The Federal Trade Commission (FTC) is suing Sendit's operating company and its CEO for unlawful collection of data from underage users, as well as deceptive subscription practices. [...]
Analysis Summary
# Regulation/Compliance: Children’s Online Privacy Protection Act (COPPA) Violations & Deceptive Practices Lawsuit
## Overview
This summary details the legal action taken by the Federal Trade Commission (FTC) against the developer of the "Sendit" social media companion app (Iconic Hearts Holdings Inc. and its CEO). The complaint alleges severe violations: unlawful collection of personal data from children under 13, alongside deceptive subscription and marketing practices. The core violations cited are breaches of COPPA, the FTC Act, and the Restore Online Shoppers’ Confidence Act (ROSCA).
## Key Details
- Issuing Authority: Federal Trade Commission (FTC); the complaint was referred to the Department of Justice (DoJ) for filing.
- Effective Date: COPPA (original effective date varies, but violations cited occurred around 2022). The lawsuit filing date is noted as September 30, 2025.
- Jurisdiction: United States (focusing on users under 13 in the US).
- Status: Legal Complaint Filed (Allegations).
## Requirements
This section focuses on the *alleged failures* to meet existing regulatory requirements and presents them as a checklist of mandates.
### Mandatory Requirements (COPPA, FTC Act, ROSCA)
1. **COPPA Compliance:** Must not collect personal information (including phone numbers, birthdates, photos, and social media usernames) from users verified to be under the age of 13 without providing notice to parents AND obtaining verifiable parental consent.
2. **Truth in Advertising (FTC Act):** Must not deceive users. Specifically, must not generate or present fake anonymous messages (especially those deemed provocative or sexual) while misrepresenting their origin as genuine user input from friends.
3. **Subscription Clarity (ROSCA/FTC Act):** Must clearly and conspicuously disclose all material terms and conditions related to recurring billing (e.g., automatic charging).
4. **Subscription Honesty:** Must not falsely promise benefits (like revealing sender identities for a fee) that are not delivered.
### Recommended Practices
1. Implement robust age verification mechanisms designed to filter users under 13 prior to data collection.
2. Maintain transparent and easily accessible privacy policies detailing data handling practices for minors.
3. Ensure all subscription cancellation and billing changes are straightforward and clearly communicated to prevent inadvertent recurring charges.
## Affected Organizations
- Industries: Social Media Applications, Mobile Application Developers, Any service targeting or accessible to children under 13 (especially those collecting personal data).
- Organization Size: Applicable regardless of size, though the FTC often targets high-growth consumer-facing apps.
- Geographic Scope: Entities operating within or targeting the United States market.
## Compliance Timeline
- **Prior to 2022:** Legal obligation to be COPPA compliant if collecting data from users under 13.
- **2022 Onwards:** Alleged collection of data from 116,000 US users under 13 without consent.
- **September 30, 2025 (Filing Date):** FTC referred the complaint to the DoJ, initiating formal legal proceedings.
- **Future Date:** Court decision on the validity of the allegations and potential settlement/judgment dates.
## Implementation Guidance
### Assessment Phase
- Conduct a thorough audit of user demographics to accurately estimate the percentage of users under 13 accessing data collection features.
- Review all mechanisms used for collecting user inputs, especially those involving messages, photos, and social media handles.
### Implementation Phase
- Immediately cease collection of personal data from any user lacking documented verifiable parental consent if the user is under 13.
- Redesign subscription models to ensure clear upfront disclosure of recurring weekly or monthly fees, as opposed to one-time payments.
### Validation Phase
- Seek external legal counsel specializing in child privacy to validate the updated age-gating and consent flows against current COPPA standards.
- Audit transactional processes to confirm billing disclosures meet ROSCA requirements (conspicuous and affirmative consent for auto-renewals).
## Technical Requirements
1. **Age Gates:** Implementation of effective, non-circumventable measures to determine user age before sensitive data collection.
2. **Data Minimization:** Strict policies to avoid collecting data points such as phone numbers, exact birthdates, and social media identifiers from minors without consent.
3. **Billing Transparency:** Technical implementation ensuring that recurring charges, price points, and billing frequency are presented on separate, unambiguous prompts immediately preceding purchase confirmation.
## Penalties & Enforcement
- Fines: While specific settlement figures are not detailed, violations of COPPA can result in significant civil penalties per violation (per child whose data was illegally collected). Violations of the FTC Act and ROSCA also carry substantial monetary fines.
- Other Consequences: CEO liability, mandated operational changes, reputational damage, and potential stipulated judgments requiring future compliance monitoring.
- Enforcement: The matter has been referred by the FTC to the U.S. Department of Justice (DoJ) for litigation and judicial enforcement.
## Related Standards
- **Children’s Online Privacy Protection Act (COPPA):** The primary federal regulation allegedly violated regarding children’s data collection.
- **FTC Act (Section 5):** Prohibits unfair and deceptive acts or practices, encompassing the false promises regarding sender IDs and fake messages.
- **Restore Online Shoppers’ Confidence Act (ROSCA):** Specifically addresses deceptive practices related to automatic renewal subscriptions.
- **NIST SP 800-53/ISO 27001:** While the lawsuit targets legal compliance, general security standards inform the robust data governance that underpins COPPA compliance.
## Resources
- Official Documentation: FTC Press Release regarding the lawsuit (Referenced in the article).
- Guidance Documents: Official FTC Guidance on COPPA Compliance.
- Tools: Age verification service provider documentation.
## Practical Recommendations
1. **Immediate Review:** Conduct an immediate internal review of all existing user data associated with users flagged as minors, prioritizing data deletion where verifiable parental consent is absent.
2. **Subscription Audit:** Review and simplify all subscription flows to eliminate any ambiguity regarding recurring charges and service limitations.
3. **Anticipate Litigation:** Prepare legal and technical teams for potential discovery and defense concerning data collection logs and marketing communications dating back to 2022.