The Federal Trade Commission on Jan. 8 announced its first settlement of alleged violations of the Children’s Online Privacy Protection Act arising from internet-connected toys. The FTC complaint against VTech followed the exposure of a data breach affecting the data of hundreds of thousands of parents and children who used VTech’s connected toys. The government asserted that VTech violated COPPA by failing to provide sufficient notice to parents about the information it collects and by failing to establish and follow adequate data security practices. Requiring VTech to pay a $650,000 penalty and undergo independent, biennial assessments of the company’s comprehensive data security program for 20 years, the settlement serves as a reminder to pay close attention to COPPA compliance when launching child-focused internet-connected products.

Children’s Online Privacy Protection Act

COPPA is designed to protect children’s personal information by imposing verifiable parental consent and data protection obligations on websites or online services directed to children under age 13 and operators of other websites or online services that have actual knowledge that they are collecting personal information about children. COPPA requires, among other things, that covered companies give clear notice to parents of the personal information they collect from children and how they will use that information, and obtain verifiable parental consent before collecting personal information from users. COPPA also requires covered companies to maintain reasonable security practices for the data they collect, and to give parents the ability to access and delete their children’s information.

Since VTech collects and maintains children’s data, the company is an operator under COPPA. By collecting children’s dates of birth, the company also has actual knowledge that it is collecting personal information on children under age 13.

VTech develops, markets and sells internet-connected toys known as electronic learning products (ELPs), as well as games for use on such ELPs. VTech also operates an online platform, the Learning Lodge, which allows customers to download applications, games and e-books directed toward children. The FTC alleged VTech was required to comply with COPPA because its Kid Connect application and web-based Planet VTech platform were directed to children under 13. The FTC also alleged VTech gained actual knowledge that child users were under 13 when the users or their parents entered their ages in their user profiles. The complaint alleged both services employed inadequate security.

Kid Connect allows children to communicate with each other. For a period of time, in order to use Kid Connect, parents had to download Learning Lodge, which required submitting their full name, address, email, password, secret question and answer, as well as their children’s names, dates of birth and gender. According to the complaint, VTech failed to link to the privacy policy on each page where data was collected on Kid Connect and did not provide adequate notice to parents about the company’s information collection and use. The FTC also asserted that VTech did not employ reasonable data security measures to protect data in storage and transmission because it did not encrypt the data.

The FTC also found that data protection was lacking with respect to Planet VTech, a web-based platform that allows children to play games and chat with friends after their parent has created an account. Parents were required to submit an email, full name, password, secret question and answer, and physical address, as well as their child’s first name, login name, password, and date of birth. The complaint charged that, by failing to encrypt the data in transmission, VTech did not reasonably protect this data or follow the company’s privacy policy.

The VTech settlement serves as a reminder of the importance of paying close attention to COPPA compliance when launching internet-connected products that will be targeted to children. In charging VTech first, the FTC suggests that multiple COPPA violations and an inability to detect and remediate privacy holes may be more likely to attract agency attention.

To avoid VTech’s fate, developers of internet-connected toys and educational products should consult with an experienced COPPA attorney at the earliest stage of development to address the following COPPA compliance requirements:

  1. What type of information will the connected toy collect? COPPA’s definition of “personal information” is very broad, and includes email addresses, phone numbers and even voice recordings.
  2. How will the collected information be used? If the company intends to share the children’s information with third parties, including other users through a communication feature, the options for getting parental consent will be more limited.
  3. How will the company keep the children’s information secure? VTech’s alleged failure to encrypt both parents’ and children’s information was a focal point of the FTC’s complaint after VTech was breached.
  4. How will the company notify parents of these practices and get their consent? COPPA’s verifiable consent requirement can be a challenge, and companies should plan early on the process they will use.
  5. How will parents be given the ability to access their children’s information? COPPA requires that operators give parents access to the personal information that has been collected from their children. Many companies give parents their own dashboard to see this information, which requires advance planning.
