The Federal Trade Commission (FTC) has sued Sendit’s parent company, saying it signed up children under 13, collected their personal data, and misled them with fake messages and recurring bills.
The lawsuit, filed against the app’s owner Iconic Hearts Holdings Inc and CEO Hunter Rice, alleges the company let users under the age of 13 sign up for Sendit and collected personal information about these users without parental consent—violating the Children’s Online Privacy Protection Rule (COPPA).
Sendit is an add-on for Snapchat and Instagram, rather than a standalone app. Its primary feature is to allow users to post prompts or questions (called a Sendit) on their social media stories and receive anonymous replies from other users.
In 2022, the app registered 116,000 people who self-declared that they were under 13 years old, according to the suit. Even after parents complained, the company continued to collect children’s phone numbers, birthdates, photos, and usernames for Snapchat, Instagram, TikTok and other accounts.
The FTC also alleges that Sendit misled users about its paid “Diamond Membership.” The feature promised to allow users to see who had sent certain messages. In practice, it didn’t reveal the senders, according to the suit. Worse still, the company and its CEO faked some of these messages, the FTC alleges. According to the complaint:
“Defendants trick users into believing that they have received provocative and sometimes sexual or romantic messages from their social media contacts, when in reality it is often Defendants themselves who have sent those messages.”
Iconic Hearts also failed to disclose recurring charges clearly, according to the FTC—charging up to $9.99 every week after making it look like users were paying a single fee to disclose a user’s identity.
Normally, cases like this end in a settlement. This time, the FTC referred the case to the Department of Justice (DoJ). It does this when it believes that the defendants are violating or about to violate the law, and that referring the case would be in the public interest. So now, the Central District of California will decide the case.
Iconic Hearts also publishes the apps Noteit, Starmatch, and Locksmith. Launched in 2018, Sendit has been downloaded more than five million times on Google Play, and the company claims a total user base of around 25 million. The company has claimed Sendit is “the top Gen Alpha social networking app.”
This isn’t the only case where anonymous messaging apps have run afoul of COPPA violations. In July 2024, the FTC settled with NGL Labs and its founders for $5 million. That app was accused of marketing to kids and teens, sending fake messages to drive up usage, tricking users into paid upgrades, and sneaking in recurring charges.
“Company executives told employees to reach out to high school kids directly,” said the FTC at the time. NGL Labs also falsely claimed that AI content moderation filtered harmful messages like cyber bullying, the Commission added. The settlement banned NGL from marketing its app to anyone under 18.
What could this mean for Iconic Hearts? The current maximum penalty enforceable by courts for failing to comply with COPPA is $53,088 per violation, according to the FTC.
DoJ COPPA-related suits on the FTC’s behalf are not unheard of. Epic Games got a record $275 million penalty for COPPA violations in December 2022 after the DOJ sued it on behalf of the FTC (alongside another $245 million penalty for using ‘dark patterns’ to mislead users).
Epic Games was aware that many children were playing its Fortnite game, yet it collected personal data from children without first obtaining parents’ verifiable consent, the suit said. The company also made it difficult for parents to delete their children’s personal information, and sometimes didn’t do as asked.
The takeaway from this story? Try to keep kids under 13 off social media apps as long as possible, and when the time does come, stay involved. Talk to them about online safety, monitor their usage, and keep the conversation open.
We don’t just report on threats – we help protect your social media
Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.
