For the second time, an Illinois federal judge powered down a proposed class action against VTech Electronics following a 2015 data breach of its internet-connected digital learning toys. The data breach also triggered separate allegations by the Federal Trade Commission (FTC) that VTech violated federal children’s privacy laws.

Both developments illustrate the increasing exposure that the Internet of Things brings when consumer product manufacturers collect and store consumers’ personal data with connected devices. They also demonstrate how the need to address these issues upfront is imperative.

VTech Toy Data Breach Class Claims Dismissed Again

In In re VTech Data Breach Litigation, Case No. 1:15-cv-10889 (N.D. Ill. 2018), Plaintiffs sought to represent a class of consumers who purchased VTech’s digital learning devices. Their claims arose after a hacker lifted personally identifiable information affecting 4.8 million adult accounts and 6.3 million child profiles linked to the devices. Plaintiffs alleged that VTech broke promises to consumers because of its inadequate data-protection measures and subsequent suspension of online services accompanying the devices.

The court disagreed. It had dismissed the suit once before on multiple grounds, including lack of standing to show future harm and failure to state a claim. In granting VTech’s motion to dismiss for the second time, the court rejected Plaintiffs’ arguments that VTech spurned any implied promises it made to consumers at the time of purchase.

The court reasoned that the alleged promises must be controlled by the express terms and conditions consumers agreed to when first using VTech’s online services post-sale. However, Plaintiffs failed to allege that VTech breached the express online service terms or the incorporated Privacy Policy that governed the device’s internet features.

Plaintiffs also asserted that VTech’s online service suspension rendered the toy devices essentially useless in breach of the implied warranty of merchantability. VTech countered that Plaintiffs could not show that anything was actually wrong with the toys themselves or that users could never access the online services. The court agreed with VTech, finding these pleading defects fatal to Plaintiffs’ claim.

Finally, the court dismissed without prejudice Plaintiffs’ remaining allegations for unfair and deceptive business practices for failing to meet the heightened pleading requirement for fraud-based claims and dismissed the unjust enrichment claims on choice-of-law grounds.

FTC Brings First Enforcement Action Under COPPA Involving Children’s IoT Devices

While the proposed class action sat in Illinois district court, the FTC filed a complaint against VTech in the FTC’s first children’s privacy case involving IoT toy products under the Children’s Online Privacy Protection Act (COPPA).

Under COPPA, companies that collect personal information online from children under 13 must take reasonable steps to protect children’s data, including providing direct notice to parents that the device collects such information and obtaining their consent. The FTC claimed VTech failed to take these steps.

The FTC also alleged that VTech’s Privacy Policy falsely stated that consumers’ personal information would be encrypted when in fact it was not.

VTech settled with the FTC for $650,000 and agreed to implement a comprehensive data security program to ensure future compliance with COPPA and to protect consumers’ personal information.

Implementing Effective Cybersecurity Measures

VTech’s case—albeit a favorable result compared with its potential exposure—highlights the importance of implementing sound data privacy and security measures in consumer IoT devices as courts, federal regulators, and industry leaders grapple with the interplay between cybersecurity and product liability.

For example, the Consumer Product Safety Commission (CPSC) will hold a public hearing on May 16, 2018, to discuss potential safety issues and hazards associated with IoT consumer products.

As they continue to churn out internet-connected consumer products, IoT companies face increasing litigation risk from data breaches, privacy-related claims, and regulatory enforcement actions. Bringing in specialists to address these issues before they arise will reduce the inherent risks associated with IoT consumer products.