On April 29, 2025, Michigan Attorney General Dana Nessel filed a lawsuit against Roku, Inc., alleging that the company collects and monetizes personal data from children without proper consent. The lawsuit claims that Roku’s practices violate the Children’s Online Privacy Protection Act (COPPA) and other privacy laws.

Michigan Attorney General’s Allegations

In its complaint, filed in the United States District Court for the Eastern District of Michigan, the Michigan attorney general, joined by plaintiffs’ firm Korein Tillery, alleges that Roku violated COPPA (15 U.S.C. § 6502), the Video Privacy Protection Act (18 U.S.C. § 2710), the Michigan Preservation of Personal Privacy Act (M.C.L. § 445.1711), and the Michigan Consumer Protection Act (M.C.L. § 445.901 et seq.) by:

1. Collecting Data from Children: Roku collects personal information from children, including voice recordings, location data, and browsing histories, including via tracking pixels and cookies.
2. Failing to Implement Parental Controls: Roku does not offer options for parents to create children’s profiles, ensuring that both parents and children are subject to the same data collection practices.
3. Sharing Data with Third Parties: Roku shares collected data with third parties, including data brokers and advertising companies, without adequate parental consent.
4. Misrepresenting Privacy Practices: Roku misleads parents about its data collection practices and the privacy protections in place for children.

The complaint also asserts common law claims for intrusion upon seclusion and unjust enrichment, and requests that Roku stop its allegedly illegal data collection practices and comply with federal and state privacy laws. It also aims to recover damages and penalties for Roku’s misconduct.

Roku’s Response

In response to the lawsuit, Roku stated it will challenge the lawsuit. “Roku strongly disagrees with the allegations in today’s filing, which do not reflect how our services work or our efforts to protect viewer privacy,” the company wrote. “We plan to challenge these inaccurate claims and look forward to demonstrating our commitment to trust and compliance.”

“Roku respects and values the privacy of our users. We do not use or disclose children’s personal information for targeted advertising or any other purpose prohibited by law, nor do we partner with third-party web trackers or data brokers to sell children’s personal information,” the statement continued. “We take the responsibility of creating a safe and trusted online environment seriously. Our viewers rely on Roku for engaging content, and we take pride in connecting our viewers to the streaming content they love every day.”

Takeaways

The Michigan attorney general’s complaint against Roku is the latest in a spate of state attorney general privacy enforcement actions, and businesses should take note that the wave of state enforcement may just be beginning. Further, the recent interest in COPPA enforcement may also be driven by the Federal Trade Commission’s (FTC) recent amendments to the COPPA Rule, which will take effect on June 21, 2025. The FTC’s amendments to COPPA include opt-in parental consent for advertising, enhanced direct notice requirements, and new data security and retention requirements. Companies subject to COPPA must comply with these new requirements by April 22, 2026.