On March 7, 2025, the Office of the New York State Attorney General (NY AG) published an Assurance of Discontinuance (Assurance) settling claims against Saturn Technologies, Inc. (company), a developer of a social media app for high school students. The NY AG found that the company made unsubstantiated claims about the app’s privacy and safety features in violation of the Federal Trade Commission (FTC) Act, New York Executive Law (NY Executive Law), and New York General Business Law (NY Business Law). The settlement requires the company to pay up to $650,000 in penalties, implement certain privacy, safety, and marketing practices to protect students, and submit annual compliance certifications for five years.
Background
The company operates a mobile app that primarily targets high school students and provides social network functionalities around students’ class schedules. For example, a user can join their school’s in-app community to access friends’ class calendars, participate in group or private chats, and register for school events. A school community may also include various personal information of the school’s students, teachers, administrators, and other associated personnel. Until August 2023, the company claimed that the app offers a “safe and secure community” with “complete privacy” by requiring users to verify their enrollment at a specific school through school email credentials before accessing the in-app community.
Despite the company’s claim that the app screens out unverified users, the NY AG found that unverified users could access certain school communities with nearly identical rights as verified users, including the ability to view personal information and interact with other users within the communities. The NY AG also argued that the company introduced novel methods to verify user enrollment without confirming their effectiveness based on “competent and reliable scientific evidence” or security against fraud through risk assessments, testing, or analyses. These practices allegedly resulted in deceptive, fraudulent, or illegal business practices in violation of the FTC Act, NY Executive Law, and NY Business Law. The Assurance also includes other alleged violations such as failures to (1) notify users how to rescind permission for the app’s access to contact books on their devices; (2) delete contact books retrieved from users’ devices after permission is rescinded or accounts are deleted by users; and (3) disclose compensation provided to certain students, as the app’s “ambassadors,” for promoting the app.
Relief
The Assurance includes the following requirements for the company to settle the NY AG’s claims:
- Penalties. The company must pay $650,000 in penalties, with $450,000 suspended unless the financial information submitted to the NY AG contains material misstatements or the company materially breaches the Assurance within ten years.
- Evidence for Safety and Security Claims. The company must not make claims about the app’s safety and security (including claims that the app is safe, secure, or restricted or that the app verifies, authenticates, or validates users’ student status at a specific school) unless it has a reasonable basis for making those claims based on competent and reliable scientific evidence.
- Privacy Settings. The company must offer heightened in-app privacy settings for users under eighteen, including a non-skippable process to review their privacy settings every six months and an option to hide personal information from other users. The company must also allow users to delete copies of their contact books collected by the app.
- Prohibition of Access to Non-User Information. The company must prohibit users from accessing any attendance, schedule, or location information about non-users (such as students, teachers, and administrators not using the app) that other users input into the app. The company must also provide a simple, one-step opt-out process that allows school personnel to permanently prevent the app from displaying their identifying information.
- Mandatory Training Programs. The company must create and maintain reasonably designed marketing training programs to instruct employees and non-employee marketers on how to comply with applicable marketing requirements, including the FTC’s Endorsement Guides.
- Recordkeeping and Compliance Monitoring. The company must maintain records of its privacy, safety, and marketing practices and its compliance with the Assurance for six years and submit them to the NY AG upon request. The company must also annually certify its compliance with the Assurance for five years.
Key Takeaways
Regulators are increasingly focusing on the privacy and safety of minors, including high school students who fall outside of the protections of the Children’s Online Privacy Protection Act. Businesses offering services targeting minors should take special care to ensure that their services provide appropriate privacy and safety protections for minors and that their claims about privacy, safety, and security are substantiated by competent and reliable evidence. Businesses should emphasize robust verification processes for user enrollment, ensure transparency in handling personal information, and conduct regular audits and risk assessments to improve privacy and security measures. Businesses should also provide marketing training and follow best practices to comply with the FTC Endorsement Guides and the FTC’s Final Rule on fake reviews and testimonials when marketing apps or other products online. Educating users, especially minors, about privacy settings and safe online practices is crucial. Ongoing monitoring and updating of compliance programs are essential to adapt to new regulations and best practices.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor developments around laws and regulations involving minors and students’ online privacy and safety. Please contact us if you have any questions.