On April 29, Michigan Attorney General (AG) Dana Nessel filed a lawsuit against Roku, Inc. (Roku), the smart TV and device provider and streaming service, alleging that Roku collects and monetizes personal data from children without proper parental consent in violation of the Children’s Online Privacy Protection Act (COPPA) and other laws, including the Video Privacy Protection Act (VPPA) and the Michigan Consumer Protection Act.

The Complaint

The Michigan AG detailed its accusations against Roku in the complaint. At a high level, the complaint alleges that:

  • Roku fails to protect minor users: The AG asserts that Roku is an “operator” of online services under COPPA, was aware that children use its products, and had specific content directed toward children. Roku allegedly failed to meet its obligations under COPPA by failing to screen for under-age users and obtain parental consent for child users.
  • Roku improperly collects, uses, and retains children’s personal data: The AG alleges that Roku uses, retains, and sells children’s personal data including voice, location, IP addresses, and browsing history in violation of COPPA.
  • Roku misrepresents its privacy practices: According to the allegations, Roku’s privacy policy failed to disclose its use of the data of minors, which constitutes “unfair, unconscionable, or deceptive” practices that violate consumer protection laws.

In addition to the various alleged statutory violations, the complaint included intrusion upon seclusion and unjust enrichment claims.

Why It Matters

The complaint brings two important issues to light:

  • Protecting children and teens online is a top regulatory priority. Children’s and teens’ online safety and privacy issues have bipartisan support at both state and federal levels.
      • The enforcement priority is evident not only through the dozens of bills that were introduced across multiple states in the form of social media legislation, age-appropriate design codes, and children’s data protection acts, but also in the Federal Trade Commission’s (FTC) continued emphasis on children’s rights as an enforcement priority, the finalization of the first set of updates to the COPPA Rule in more than a decade, and its recent workshop, “The Attention Economy: How Big Tech Firms Exploit Children and Hurt Families.”
      • Additionally, the Michigan AG’s action continues to showcase the focus that state AGs have maintained on prioritizing child online safety. For example, groups of state AGs advocated in favor of the COPPA Rule amendments and have urged Congress to pass the Kids Online Safety Act (KOSA). Just last month, a group of 28 state AGs sent a letter to Meta demanding that the company implement basic safeguards to prevent its AI assistant from exposing children to sexually explicit content.
  • Technology speaks louder than words. Regulators are increasingly taking a more technologically focused and forensically sophisticated approach to reviewing companies’ practices. Regulators will continue to employ technology, computer scientists, engineers, and the publicly available information about data brokerage and the online advertising ecosystem to follow code and data to understand their uses and ensure that those uses align both with applicable laws and covered companies’ consumer-facing disclosures.

What Companies Can Do Now

There have always been commercial and compliance-driven incentives for companies to invest in technology to understand and manage their data in real time, but there is now a pressing need for organizations to review and verify operational controls throughout their data ecosystems. Though not new advice, companies should:

Commit to Privacy-by-Design. The complaint singled out Roku for not offering users an option to separate profiles for child users, an option that was made available by its major competitors. As technology and law continue to evolve at a dizzying pace, companies must strive to demonstrate a commitment to continually evolving privacy protective features — especially for minor audiences. Privacy assessments will help organizations identify opportunities for programmatic maturity and enhancement, and participating in industry groups committed to best practices, standards, and consistent privacy protective experiences for parents and minors across platforms is another good bet.

Invest (or reinvest) in data mapping. Organizations must have a dynamic and technically reliable way of maintaining a current inventory of personal data and the systems that maintain it. These “data maps” must identify data by source and by the relevant data subjects, especially where it is incumbent on the organization to know the data subject’s age and to ensure that appropriate consents are consistently managed. Organizations should be able to align personal data with their specific purposes to ensure legal and contractual compliance, make accurate disclosures, and ensure that data is only being processed intentionally. This is critically important for sensitive data, including the personal data of children and teens, to ensure sensitive data is properly minimized, deleted, and anonymized, as applicable.

Invest in and test technology. It is evident from the complaint that the Michigan AG used technology to understand Roku’s data practices and gather evidence to substantiate its allegations, and state AGs are increasingly recruiting technologists and data scientists to join their enforcement teams. Companies and their legal teams must communicate closely with data-adjacent business teams (e.g., product engineers, backend developers, marketing teams, data scientists, and data analysts) to ensure their internal procedures and code are consistent with the company’s marketing claims, consumer disclosures and representations, commercial terms, and contractual language. Critically, legal and marketing claims and tools relied on by organizations to support product performance or compliance initiatives must be technically validated through the use of internal testing, assessments, and compliance audits. These routinely scheduled and cross-functionally staffed efforts are crucial to establish ongoing accountability and to reduce compliance risk through routine monitoring and programmatic adjustment of compliance controls and other safeguards.

Conduct regular risk assessments. Privacy risk assessments are systematic evaluations of the processing of personal information against internal and external standards and organizational principles. Most comprehensive U.S. state privacy laws and the EU General Data Protection Regulation require privacy risk assessments. Routine use of privacy risk assessments can help organizations achieve privacy-enhanced commercial objectives by enabling organizations to analyze their capabilities, risk profile, and limitations.


Gene Fishel

Gene is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) practice, based in the Richmond office. He brings extensive regulatory experience, having most recently served as senior assistant attorney general and chief of the Computer Crime Section in the Office of the Attorney General of Virginia, and as special assistant U.S. attorney in the Eastern District of Virginia for 20 years.

Laura Hamady

Laura serves as counsel in the firm’s Privacy + Cyber practice. She brings more than 15 years of experience in privacy and cybersecurity related matters. Laura is an industry-experienced privacy leader and has served in senior privacy leadership positions at a variety of large companies across various industry spaces, including Twitter, Visa, PayPal, Chronicle (a Google company), Groupon, Levi’s, Takeda Pharmaceuticals, and more.

Esther Kye

Esther is an associate in the firm’s Privacy + Cyber practice. She received her J.D. from the University of California, Irvine School of Law where she served as a representative of the Asian Pacific American Women Lawyers Alliance, the Orange County Korean American Bar Association, and as pro bono chair of the Asian Pacific American Law Students Association.

Kyara Rivera Rivera

Kyara is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, cum laude, where she served as publications and online editor of the Public Interest Law Review.