In its first case involving connected toys, the Federal Trade Commission (FTC) announced a settlement with VTech Electronics over allegations that the company violated the Children’s Online Privacy Protection Act (COPPA).
The statute mandates that when companies collect online personal information from children under age 13, they must clearly disclose to parents the types of information collected and how the data will be used, as well as obtain verifiable parental consent for the collection and use of such information. Companies are also required to take “reasonable measures” to protect the confidentiality, security and integrity of the personal information that has been collected about children.
VTech’s Kid Connect app (which allows children to send text messages, audio files and photos to parent-approved contacts, and to post messages on an electronic bulletin board) failed to comply with COPPA on multiple counts, the FTC alleged. Before using Kid Connect or Planet VTech, a gaming and chat platform that is no longer in existence, parents were required to register and provide personal information including their name, address and email address, as well as their child’s name, date of birth and gender.
But according to the complaint filed in Illinois federal court by the Department of Justice on behalf of the FTC, the company collected this personal information about hundreds of thousands of children and did not provide direct notice to parents or obtain their verifiable consent with regard to its data collection practices.
Hong Kong-based VTech (and its U.S. subsidiary) also failed to use reasonable and appropriate data security measures to protect the personal information that was collected, said the FTC. It failed to implement an intrusion detection system or establish adequate safeguards and security measures to protect transmitted and stored information. In addition, the company violated the FTC Act by falsely stating that the data submitted by users would be encrypted when it was not.
“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” Acting FTC Chair Maureen K. Ohlhausen said in a statement about the case. “Unfortunately, VTech fell short in both of these areas.”
To settle the charges, the company will pay a $650,000 fine, implement a comprehensive data security program subject to independent audits for 20 years, and accept a permanent prohibition on violations of COPPA.
The complaint and stipulated order are in the case U.S. v. VTech Electronics Ltd.
Why it matters: The FTC’s first action dealing with connected toys arose when VTech’s COPPA and FTC Act violations were revealed after a hacker stole personal information about the kids and parents who registered with the company. In a call with reporters about the lawsuit, FTC Bureau of Consumer Protection Acting Director Tom Pahl said the case “illustrates many of the FTC’s priorities,” including the protection of sensitive information and enforcement of COPPA. “The FTC is reaffirming its long-standing commitment to protecting consumers’ privacy and the security of their information,” he said.