Lawyers Run The World

“Connected” Toy Maker Settles Charges That it Violated COPPA and the FTC Act

On January 8, 2017 the FTC announced its first children’s privacy settlement involving Internet-connected toys.

According to the Commission, electronic toy manufacturer VTech Electronics Limited and its U.S. subsidiary have agreed to settle charges that the company violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children without providing direct notice and obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected.

The complaint, filed by the Department of Justice on behalf of the FTC, alleged that the Kid Connect app used with some of VTech’s electronic toys collected the personal information of hundreds of thousands of children, and that the company failed to provide direct notice to parents or obtain verifiable consent from parents concerning its information collection practices. The complaint also alleges that VTech failed to use reasonable and appropriate data security measures to protect personal information it collected.

“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said Acting FTC Chairman Maureen K. Ohlhausen. “Unfortunately, VTech fell short in both of these areas.”

COPPA requires that companies collecting personal information from children under 13 online follow steps to ensure that children’s information is protected, including clearly disclosing to parents the information it collects, how the information will be used, and seeking verifiable parental consent. Companies also must take reasonable measures to protect the confidentiality, security and integrity of the personal information they collect about children.

As set forth in the complaint, VTech purportedly collected personal information from parents on its Learning Lodge Navigator online platform, where the Kid Connect app was available for download, and also through a now-defunct web-based gaming and chat platform called Planet VTech. Before using Kid Connect or Planet VTech, according to the FTC, parents were required to register and provide personal information including their name, email address as well as their children’s name, date of birth and gender. The FTC states that VTech also collected personal information from children when they used the Kid Connect app.

As of November 2015, about 2.25 million parents had allegedly registered and created accounts with Learning Lodge for nearly 3 million children. This allegedly included about 638,000 Kid Connect accounts for children. In addition, about 134,000 parents in the United States are purported to have created Planet VTech accounts for 130,000 children by November 2015.

According to the FTC, with respect to Kid Connect, VTech failed to provide direct notice of its information collection and use practices to parents and did not link to its privacy policy in each area where personal information was collected from children.

At the same time, the complaint alleges that the company did not take reasonable steps to protect the information it collected through Kid Connect, such as implementing adequate safeguards and security measures to protect transmitted and stored information and implementing an intrusion prevention or detection system to alert the company of an unauthorized intrusion of its network. In November 2015, VTech was informed by a journalist that a hacker accessed its computer network and personal information about consumers including children who used its Kid Connect app.

The FTC also alleges that VTech violated the FTC Act by falsely stating in its privacy policy that most personal information submitted by users through the Learning Lodge and Planet VTech would be encrypted. The company, allegedly, did not encrypt any of this information.

In addition to the monetary settlement, VTech is permanently prohibited from violating COPPA in the future and from misrepresenting its security and privacy practices as part of the proposed settlement. It also is required to implement a comprehensive data security program, which will be subject to independent audits for 20 years.

VTech will pay $650,000 as part of the settlement with the FTC.

Interestingly, the FTC collaborated with the Office of the Privacy Commissioner of Canada, which is releasing its own Report of Findings. To facilitate cooperation with its Canadian partner, the FTC relied on key provisions of the U.S. SAFE WEB Act, which allows the FTC to share information with foreign counterparts to combat deceptive and unfair practices that cross national borders.

Contact the author to discuss the design and implementation of compliant privacy and data security protocols, or if you are the subject of a regulatory investigation. You can follow the author on LinkedIn.

 

ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35thFloor, New York, NY 10005 | (212) 756-8777.

Tags
Show More

Richard B. Newman

Richard B. Newman is an Internet Lawyer at Hinch Newman LLP focusing on advertising law, Internet marketing compliance, regulatory defense and digital media matters. His practice involves conducting legal compliance reviews of advertising campaigns across all media channels, regularly representing clients in high-profile investigative proceedings and enforcement actions brought by the Federal Trade Commission and state attorneys general throughout the country, advertising and marketing litigation, advising on email and telemarketing best practice protocol implementation, counseling on eCommerce guidelines and promotional marketing programs, and negotiating and drafting legal agreements.

Related Articles

What's your opinion?

Close