Galvanized by a confluence of charged factors—like privacy, cybersecurity, children, and the Internet of Things (IoT)—and sparked by recent assertions of Children’s Online Privacy Protection Act (COPPA) regulatory power, the US Federal Trade Commission (FTC) entered into a pioneering settlement with electronic toy manufacturer VTech regarding a breach of children’s personal information. The FTC’s message to companies is crystal clear: when it comes to kids’ data, transparency and security are elemental.

Scarce Insulation from COPPA

The COPPA Rule explains what operators of websites and online services must do to protect children’s privacy and safety online, and the FTC serves as the enforcer. As we previously discussed, the FTC released updated guidance in response to concerns about the security of data collected and used by internet-connected products geared toward children. The FTC noted that COPPA defines “website or online service” broadly and specifically listed connected toys and IoT devices within the COPPA Rule’s purview. Although the FTC released a policy that permits collecting a recording of a child’s voice without parental consent in certain situations, such circumstances are narrowly limited to the sole and limited purpose of replacing written words—say, an instruction—and the recording must be immediately destroyed.

Instead of merely seeking injunctive relief when data security practices seem so inadequate as to be unfair or deceptive, the FTC can brandish its COPPA authority to issue fines of up to $40,000 per violation. Companies involved with IoT products that are “directed to children”—children under the age of 13 are an actual or intended audience—should heed the VTech settlement smoke signal.

Settlement

VTech’s obligations under the settlement include paying a significant sum and implementing a comprehensive data security program, which will be subject to 20 years of independent audits.

The FTC alleged that VTech failed to satisfy notice and consent requirements under COPPA with respect to personal information collected from scores of children in connection with VTech’s apps, online platforms, and electronic learning products, such as tablets designed for kids. The FTC cited failures to provide direct notice to parents regarding information collection practices and to provide privacy policy links in every relevant spot. The FTC further pointed to statements in VTech’s privacy policy that allegedly overstated encryption practices.

In light of a security breach of VTech’s network in 2015, the FTC also claimed that VTech “did not take reasonable steps to protect” the collected information. Though COPPA doesn’t clearly define the requisite reasonable procedures, the FTC’s enforcement actions and guidance centered on data security in the general consumer protection context are instructive. Of particular note, merely relying on service providers to maintain confidentiality and security, without getting appropriate and documented assurances, likely would be inadequate. Companies should also have a system and plan in place to prevent, detect, mitigate, and respond to unauthorized intrusions.

In the IoT setting, where contracts are becoming more distant and products often operate in the background, companies will need to take proactive, thoughtful, and creative steps to ensure that parents understand and consent to data collection. Any misleading, hidden, or otherwise noncompliant information collection practices, or any unnecessary or insecure data usage, storage, or transmission could stoke the FTC’s impending barrage.

The Heat is On

The FTC’s intentions are evident, as “it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data.” Recognizing the increasing popularity of connected toys, eager to shape companies’ privacy and security practices during IoT industry development, and energized by its potent COPPA regulatory authority, the FTC will continue to strike while the issue is hot.