The lawsuit, filed Monday in U.S. District Court for the Central District of California by the Justice Department at the FTC’s request, alleges breaches of the Children’s Online Privacy Protection Act (COPPA), the FTC Act and the Restore Online Shoppers’ Confidence Act. In a unanimous 3-0 decision, FTC commissioners referred the matter for litigation, continuing a wave of enforcement against apps that harvest children’s data without safeguards, enabling risks like targeted advertising, profiling and unauthorized sharing.
Sendit, operated by Los Angeles-based Iconic Hearts Holdings Inc. under CEO Hunter Rice, integrates with Instagram and Snapchat to let users send anonymous questions and responses. Aimed at preteens and teens, with marketing nods to “Gen Alpha” users 12 and older, the app has racked up millions of downloads since 2020, hitting 10,000 to 20,000 daily installs by mid-2021. Its anonymous format, while fostering fun interactions, created a privacy minefield, as the FTC alleges the company prioritized data monetization over protections for vulnerable young users.
Unauthorized Data Harvesting: A Privacy Peril for Children
COPPA, enacted in 1998 to shield kids under 13 from online data exploitation, requires operators of child-directed services to notify parents and obtain verifiable consent before collecting personal information like names, locations, photos or device IDs. Sendit’s failures here exposed children to profound privacy threats: Collected data could fuel behavioral ads tailored to minors’ interests, build long-term profiles for cross-app tracking or be disclosed to third parties, amplifying dangers like identity theft or unwanted solicitations.
The complaint details how Sendit knowingly drew underage users, with over 116,000 self-reporting ages below 13 in 2022 alone, alongside parent complaints. Yet the app’s age gate was superficial, relying on unverified self-reports, while it scooped up persistent identifiers and social media handles without parental gates. This not only violated COPPA’s core tenets but eroded the foundational trust parents place in digital play spaces, where data once gathered can linger indefinitely, shaping algorithmic feeds and commercial inferences for years.
From a broader data privacy lens, such lapses underscore systemic vulnerabilities in social apps: Children’s data, inherently sensitive due to their developing digital literacy, becomes a commodity in ad ecosystems. Without robust anonymization or deletion protocols, it risks perpetuating biases in AI-driven recommendations or enabling surveillance capitalism that preys on youthful impulsivity. The FTC argues each unauthorized collection counts as a separate violation, carrying penalties up to $53,088 per instance, a stark deterrent reflecting the law’s recognition of cumulative harm.
Deceptive Practices: Fake Messages and Hidden Billing
Layering on COPPA concerns, the suit accuses Sendit of unfair and deceptive acts under the FTC Act. Between early 2021 and late 2024, the app sent about 279 million artificial anonymous messages (provocative prompts like “I like you guess who it is” or “Does size matter?”) to simulate real peer engagement and drive sales of the $8.99-to-$9.99 weekly “Diamond Membership.” These fakes, unlabeled as such, promised “hints” toward sender identities that were often invented or useless, with full reveals locked behind a $29.99 fee.
Privacy implications extend here too: By luring subscriptions through illusion, Sendit not only monetized deception but deepened data exposure, as paying users granted broader access to profiles and analytics. Billing disclosures, tucked in tiny gray text like “become diamond member for $9.99/week • see terms,” flouted the Restore Online Shoppers’ Confidence Act’s consent mandates, leading to surprise charges and refund floods, practices that disproportionately burden families monitoring teen spending.
Samuel Levine, FTC Bureau of Consumer Protection Director, lambasted the tactics: “Sendit’s operator and CEO knew many users were under 13 yet ignored COPPA, while manipulating kids with fake messages that failed to deliver on promises.” This dual assault on privacy and honesty, regulators say, inflicted emotional distress alongside financial hits, with no offsetting user benefits.
Recent FTC Data Privacy Fines: A Pattern of Accountability
Sendit’s case fits a surge in FTC data privacy enforcement, particularly under COPPA, where fines have escalated to curb unchecked child data flows. Between 2018 and January 2025, 19 U.S. companies faced disclosed penalties totaling millions for COPPA violations, per FTC records and analyses.
In September 2025, Disney agreed to a $10 million settlement for enabling third-party trackers on its kids’ apps to collect geolocation and device data without parental consent, a breach mirroring Sendit’s third-party data risks. Earlier that year, Epic Games’ Cognosphere unit paid $20 million and barred under-16 in-game buys sans consent, addressing persistent identifiers in Fortnite that evaded age checks.
Microsoft’s Xbox division settled for $20 million in June 2023 over child account data shared with advertisers without verification, highlighting cross-device tracking perils. Other actions include a $4 million fine against a kids’ app developer in 2023 for behavioral ads via undisclosed trackers. These precedents signal the FTC’s zero-tolerance for “dark patterns” that obscure data practices, with total COPPA penalties since 2000 exceeding $300 million and climbing amid AI’s rise.
The pattern reveals enforcement priorities: Verifiable parental involvement, transparent third-party disclosures and age-appropriate designs. As apps blur social and commercial lines, these fines deter profit-driven privacy erosion, protecting children’s data as a public good.
Sought Remedies and Lasting Impacts
The FTC demands a permanent injunction against violations, consumer refunds and maximum penalties per breach. Litigation will test the claims in court, potentially reshaping anonymous app standards.
For parents, this amplifies calls for vigilance: Scrutinize app privacy policies, enable purchase approvals and use built-in controls like Apple’s family sharing. With over 100 million Sendit downloads, the case’s ripple effects could influence platform-wide reforms, ensuring anonymity doesn’t cloak exploitation.
Levine’s words resonate: “These practices preyed on children’s curiosity and connection desires, violating law and trust alike.” As COPPA evolves, with proposed 2025 updates tightening parental tools and tracker bans, Sendit exemplifies why robust privacy must anchor digital youth culture, not trail viral hype.