The FTC recently announced a settlement with toy manufacturer VTech Electronics related to alleged violations of the Children’s Online Privacy Protection Act (COPPA). According to the FTC’s complaint, certain VTech electronic toys included an app that collected personal information from hundreds of thousands of children without providing notice to parents or obtaining verifiable parental consent for such data collection. The FTC further argued that while VTech linked to its privacy policy on the initial app registration page, VTech allegedly violated COPPA by failing to separately post the privacy policy in each area of the app where children’s information was collected. The privacy policy itself was also allegedly deficient for failing to include VTech’s postal and email addresses, a full and accurate description of VTech’s information collection practices, or information about a parent’s right to review or delete a child’s personal information. Finally, the complaint asserts that VTech failed to adequately protect children’s information by not maintaining a comprehensive information security program, having intrusion detection safeguards, conducting vulnerability testing, or reasonably training employees on data security.

Under the terms of the settlement, VTech must pay a $650,000 fine and must implement a comprehensive data security program. The program itself will be subject to independent audits for 20 years.

TIP: This is the FTC’s first settlement involving children’s internet-connected toys. Not only is this a reminder for operators of child-directed websites and apps to review their COPPA compliance programs, but, more generally, the FTC’s foray into “smart” consumer products suggests that manufacturers of such connected devices to implement, or re-assess, comprehensive data security programs.