Michigan AG Sues Roku Under Multiple Privacy Regulatory Schemes

PDF

On April 29, 2025, the Michigan Attorney General filed a lawsuit in the Eastern District of Michigan against Roku on multiple grounds, alleging violations of: (a) the Children’s Online Privacy Protection Act (COPPA), and (b) the Michigan Consumer Protection Act. The complaint alleges that Roku collected and allowed third parties to collect the personal information of children without the required notice or obtaining parental consent.

Specifically, the complaint alleges that Roku systematically collects, processes, and discloses the personal information of children, including their locations, voice recordings, IP addresses, and persistent identifiers that track children’s browsing histories on Roku and across the internet – each of which is a category of personal information protected under COPPA. The Attorney General further alleges that Roku enables third-party channels to collect children’s personal information to attract content providers to its platform and increase advertising revenue. Roku also allegedly enhances its collection and monetization of children’s personal information through partnerships with third-party web trackers (e.g., tracking pixels and cookies associated with various social media platforms) and data brokers, some of which have been sued by the Federal Trade Commission for tracking individuals’ locations – thus enabling those entities to link the collected or disclosed information to the platform user’s identity.  The complaint seeks to enjoin the alleged collection and disclosure practices, to require compliance with federal and state law, and to recover damages, restitution and civil penalties for years of alleged misconduct.

Why is this important for all companies? 

• It is a reminder that even in states that have not passed a comprehensive state privacy law, companies may still be subject to AG enforcement under the state’s consumer protection laws (specifically, state unfair and deceptive practices statutes, which mirror Section 5 of the FTC Act). If a state AG can claim that a company’s practices are not aligned with the representations made in the company’s public privacy notice, this may provide a basis for AG enforcement action.
• Further, in this case, the AG alleged that Roku’s “Your Privacy Choices” screen gave ALL users the ability to enable a “Do not share or sell my personal information” – even though this setting is only required by California’s CCPA, and not any Michigan laws. Although there would be no claim (under current Michigan law) for failure to offer this option to Michigan residents at all, if it were universally offered but the company failed to implement the setting as described, this would give rise to a claim under Michigan’s unfair and deceptive practices law. 
• Therefore these allegations not only underscore the importance of being both accurate and complete in one’s privacy policy, but also to be specific when offering opt out options available to residents of one state in compliance with state privacy law that those options are ONLY available to those state residents – unless a company is prepared to honor those requests universally, and face universal consequences for failure to do so.

To view the AG’s complaint, click here.