Investigation of VTech marks commission’s first-ever foray into world of connected toys
The internet of things – the holy grail of tech enthusiasts and bane of dystopian prophets – has established yet another beachhead in its presumably inevitable march toward whatever future awaits us: toys.
Take, for example, Hong Kong-based VTech’s line of attractive, kid-oriented electronic devices. The company manufactures watches, tablets and even stuffed animals that leverage an online platform (dubbed the “Learning Lodge”), similar to the Apple App Store, from which books, apps and other kid-friendly content can be downloaded through the toys.
As a communications overlay for its myriad devices, the company created “Kid Connect” – a messaging platform for children that allows kids to chat with peers on a personalized contact list. Kid Connect apps share text, audio messages and personal photos, and even create chat rooms built around the user’s contact list.
The Kid Connect user’s contact list and other settings are controlled by their parents through a separate app available from the Apple and Android app stores. In order to monitor usage, parents would register with Learning Lodge, providing their names and addresses (physical and email) along with the names of their children, their dates of birth and gender.
The case came to the attention of the Federal Trade Commission (FTC or Commission) after a hacker stole personal information about the kids and parents who used the company’s products. This is the FTC’s first connected toys case.
The FTC aimed a barrage of Children’s Online Privacy Protection Act (COPPA) violations at VTech in a complaint filed Jan. 8, 2018, in the Northern District of Illinois, Eastern Division.
The Commission also alleged serious security breaches under COPPA, including a complete lack of a security plan and a failure to train its own employees to help them safeguard the sensitive information.
There were real-world consequences for these failures, according to the FTC.
The FTC charged VTech with unfair or deceptive practices and false and misleading statements under COPPA, seeking a permanent injunction against future violations and civil penalties.
VTech settled on the same day. The company will pay a $650,000 civil penalty, is prohibited from future COPPA missteps and is required to build a “comprehensive data security” plan that will be audited every other year for the next 20 years.