A Hong Kong-based electronic toy manufacturer and its U.S. subsidiary agreed to pay the Federal Trade Commission (FTC) $650,000 to settle allegations that they violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children without providing appropriate notice and consent, and by failing to take reasonable steps to secure the data that they collected. Notably, this is the FTC’s first COPPA case involving connected toys, but it may not be its last, as connected toys continue to play a more prominent role in children’s lives.

Background

The companies, VTech Electronics Limited, a Hong Kong corporation, and Illinois-based VTech Electronics North America, LLC (VTech), develop products and services for children, including electronic learning products (ELPs) and online games available through their ELPs or the Internet. The companies also develop and operate the Learning Lodge Navigator online service, which functions similarly to an app store and allows customers to download the companies’ child-directed apps, games, e-books and other online content. The FTC asserted that, by November 2015, approximately 2.25 million parents in the United States had registered and created accounts with Learning Lodge for nearly 3 million children.

The Learning Lodge Navigator platform allowed access to VTech’s Kid Connect app, as well as the now-defunct Planet VTech platform, which permitted children to play online games and chat with their friends and other registered users. The FTC asserted that, by November 2015, approximately 638,000 Kid Connect accounts had been created for children. Planet VTech, which was targeted to those age “5+,” had approximately 134,000 parents registered in the United States who had created Planet VTech accounts for 130,000 children.

Notably, VTech stated in its Learning Lodge Navigator, Kid Connect and Planet VTech privacy policies that personal information, including registration data, would be transmitted using encryption technology to protect its privacy.

According to the FTC, for a child to use Kid Connect, parents had to register for Learning Lodge by submitting their name, physical address and email address, along with their children’s names, dates of birth and gender. The FTC claimed that none of this information was encrypted in transmission. After registration, parents could set up a Kid Connect account by submitting an email address and other personal information, but VTech allegedly did not have a mechanism in place to verify that the person registering the account was a parent and not a child.

In November 2015, a journalist informed VTech that a hacker had accessed its computer network and breached the personal information of consumers, including children who had Kid Connect accounts. According to the FTC, the children’s data was linked to their parents’ data (such as home address), and further, their personal information was not encrypted.

The FTC’s Allegations

The FTC alleged that VTech violated COPPA by failing to:

  • provide direct notice to parents of its information collection and use practices;
  • include a prominent and clearly labeled link to its privacy policy in each area of Kid Connect where personal information was collected from children and on the landing screen of the app;
  • obtain verifiable consent from the parent before collecting or using any personal information collected from children; and
  • establish and maintain reasonable procedures to protect the confidentiality and security of the personal information collected from children.

In addition, the FTC asserted that VTech violated Section 5 of the FTC Act by misrepresenting in its privacy policy that most personal information submitted by users would be encrypted, when that was not the case. The FTC further alleged that the failure to adopt a number of standard data security practices, when taken together, rose to the level of failing to implement reasonable security. Those failures included not maintaining an information security program, not using an intrusion detection system, not conducting penetration testing and not training employees regarding data security.

The Settlement

In addition to paying a civil penalty of $650,000, as part of the settlement, VTech agreed to be permanently restrained from violating COPPA in the future and from misrepresenting its security and privacy practices. The settlement also requires VTech to implement a comprehensive information security program, which will be subject to independent audits for 20 years. As part of its security program, VTech must:

  • designate an employee or employees to coordinate and be responsible for the information security program;
  • identify internal and external risks to the security and confidentiality of personal information that could result in unauthorized disclosure; and
  • design and implement reasonable safeguards to control these risks, and conduct regular testing and monitoring of the effectiveness of these safeguards.

BOTTOM LINE

As the first COPPA case involving connected toys, the FTC’s settlement with VTech should be a reminder to all companies that they must fully comply with COPPA and must take reasonable steps to protect sensitive data, particularly any data collected from children. In addition, companies should review their privacy policies to ensure that they are not making any misrepresentations in their policies, particularly with respect to the security and confidentiality of the personal information collected from users.