Florida AG: Roku Knowingly Misused Child Data in Violation of State Privacy Law
Video-streaming box maker Roku “collected, sold and enabled reidentification of sensitive personal data” without receiving authorization or providing meaningful notice, the Florida attorney general’s office said Tuesday. AG James Uthmeier filed a complaint under Florida’s comprehensive privacy law and the Florida Deceptive and Unfair Trade Practices Act in the state’s 20th Judicial Circuit Court.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The sensitive data included kids’ viewing habits, voice recordings and other information, the AG’s office said. Roku violated the two statutes by failing to obtain parental consent and by misrepresenting the effectiveness of privacy and opt-out controls, argued the state. Roku declined to comment.
“Roku acknowledges processing, disclosing, and selling to third parties a wide variety of personal and sensitive data about its users,” said Florida's complaint. “Yet Roku does not acknowledge that it continues processing, disclosing, and selling this personal data even when it has every reason to know the data was collected from children. Worse still, Roku shares with and sells this data to intrusive data brokers, including Kochava, a company that has constructed profiles of tens of millions of children and physically tracks and discloses individuals’ precise geolocation data collected from their personal devices.”
“Roku knows that some of its users are children but has consciously decided not to implement industry-standard user profiles to identify which of its users are children,” added the state in what might be its first enforcement action under the Florida Digital Bill of Rights. “Roku buries its head in the sand so that it can continue processing and selling children’s valuable personal and sensitive data.” For example, the company ignores signs like a user installing kids’ apps and screensavers or viewing content from Roku’s kids and family section, the state said.
Roku claims it lacks actual knowledge that it processes or sells kids’ personal data, the AG said. “But Florida law does not enable Roku to escape liability by feigning ignorance about its underage users.” The state’s comprehensive privacy law “includes in its definition of ‘known child’ the willful disregard of a child’s age … and Roku willfully disregards the age of its users when it ‘should reasonably have been aroused to question whether a consumer was a child and thereafter failed to perform reasonable age verification.’”
Additionally, the company “forms partnerships and sharing agreements with third-party data brokers in an effort to avoid complying with Florida law,” the state said. “Roku also shares purportedly ‘deidentified’ data about its users with third parties knowing they will link [it] with information (such as the user’s precise geolocation information) and thereby reconstruct users’ identities.”
Not every privacy expert counts the Florida Digital Bill of Rights as a true comprehensive privacy law due to high applicability thresholds that seemed to limit its scope to Big Tech companies. The law applies to for-profit entities doing business in the state and collecting personal data, which have more than $1 billion in annual global revenue and meet one of three critieria: (1) Derive 50% of revenue from ad sales; (2) operate a consumer smart speaker with a virtual assistant; or (3) operate an app store with at least 250,000 apps.
In the complaint, Florida said that Roku qualifies as a controller under the privacy law because it “generates in excess of $1 billion in global gross annual revenue” and derives at least 50% of that revenue from selling ads online, “including through the provision of targeted advertising and the sale of ads in Florida.” Plus, the company “operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation through” a remote control.
Michigan previously sued Roku over similar allegations involving child users last April in the U.S. District Court for Eastern Michigan (see 2504290068). Last month in that case, Roku argued that Michigan -- which lacks a comprehensive privacy law -- overreached its authority (see 2509100022).
Florida’s action Tuesday “is consistent with the growing trend of state regulators focusing on the processing of teen and children’s data,” Troutman attorney David Stauss said in an email to Privacy Daily. “We identified this years ago as a bipartisan issue. It is no surprise to see Florida joining other states in this type of enforcement. I expect this trend to continue.”
Kelley Drye privacy attorney Alysa Hutnik said in a LinkedIn post that the Florida action is the latest example showing that, on the subject of kids privacy, "the trend line is going in one direction." Hutnik predicted "more enforcement, more absolute restrictions, more emphasis on data minimization design and default settings for data collection and sharing, and a lot more lawsuits."