Investigation of VTech marks 'commission’s' first-ever foray into world of connected toys

Rising Tide

The internet of things – the holy grail of tech enthusiasts and bane of dystopian prophets – has established yet another beachhead in its presumably inevitable march toward whatever future awaits us: toys.

Take, for example, Hong Kong-based VTech’s line of attractive, kid-oriented electronic devices. The company manufactures watches, tablets and even stuffed animals that leverage an online platform (dubbed the “Learning Lodge”), similar to the Apple App Store, from which books, apps and other kid-friendly content can be downloaded through the toys.

As a communications overlay for its myriad devices, the company created “Kid Connect” – a messaging platform for children that allows kids to chat with peers on a personalized contact list. Kid Connect apps share text, audio messages and personal photos, and even create chat rooms built around the user’s contact list.


The Kid Connect user’s contact list and other settings are controlled by their parents through a separate app available from the Apple and Android App stores. In order to monitor usage, parents would register with Learning Lodge, providing their names and addresses (physical and email) along with the names of their children, their dates of birth and gender.

The case came to the attention of the Federal Trade Commission (FTC or Commission) after a hacker stole personal information about the kids and parents who used the company’s products. This is the FTC’s first connected toys case.

The FTC aimed a barrage of Children’s Online Privacy Protection Act (COPPA) violations at VTech in a complaint filed Jan. 8, 2018, in the Northern District of Illinois, Eastern Division.

The Commission alleged that privacy policy links for both the kids’ and parents’ apps were not prominently displayed or clearly labeled and that the policy failed to provide required information about VTech itself: the company’s addresses, for starters, and an account of exactly what information the company would be collecting from children – and how it would be used.

The Commission also alleged serious security breaches under COPPA, including a complete lack of a security plan and a failure to train its own employees to help them safeguard the sensitive information.


There were real-world consequences for these failures, according to the FTC.

A hacker breached the VTech network in the fall of 2015, making off with the names and personal account information of parents of Kid Connect users, which were not encrypted even though the privacy policy stated they would be. Moreover, although the company had encrypted the children’s photos and audio files, the encryption keys for those files were allegedly left in plain sight in a separate database that the hacker also violated. The hacker, the FTC maintained, simply exploited commonly known network vulnerabilities – weaknesses that should have been addressed by VTech. The allegations also claimed that VTech did not have a COPPA-compliant mechanism in place to verify that the people who were registering an account were parents and not children. VTech, the FTC says, was unaware of the breach until a journalist informed it after the fact.

The Takeaway

The FTC charged VTech with unfair or deceptive practices and false and misleading statements under COPPA, seeking a permanent injunction against future violations and civil penalties.

VTech settled on the same day. The company will pay a $650,000 civil penalty, is prohibited from future COPPA missteps and is required to build a “comprehensive data security” plan that will be audited every other year for the next 20 years.

For a detailed analysis of the implications of this case, see our blog post here.