Header graphic for print
Password Protected Data Privacy & Security News and Trends

Child’s Play: VTech Settles FTC Lawsuit Over Data Security in Connected Toys

Posted in Consumer Privacy/FTC, Data breach, FTC enforcement, Privacy

On January 8, 2018, the FTC announced that VTech, maker of electronic toys for children, agreed to settle charges that it violated the law by collecting personal information without parental consent.

When Congress enacted the Children’s Online Privacy Protection Act (COPPA) in 1998, it directed the FTC to create a rule implementing the goal of protecting the privacy and safety of children.  The regulations are imposed on services made for children under 13, prohibiting covered entities from collecting personal information from children without properly disclosing how the information will be used to parents and getting verifiable consent.  A privacy policy must be clearly linked on the platform.  The information that covered entities do collect should also remain secured and protected.

In the complaint made public along with the settlement, the FTC alleged that VTech violated COPPA by collecting personal information on children without parental consent through the Kid Connect and other applications sold with its internet-connected toys, since there wasn’t a mechanism in place to verify that the parent registering for a Kid Connect account was actually a parent. The FTC also alleged that VTech failed to provide direct notice of its information collection practices to parents and failed to take reasonable steps to protect the information it had collected, which included full names, email addresses, mailing addresses, usernames, and passwords.  Finally, the FTC alleged that VTech violated the FTC Act by falsely stating that personal information submitted by users would be encrypted when in fact none of the information, except for photo and audio files, was encrypted.  In November 2015, VTech learned through a journalist that hackers had accessed its computer network and stolen personal information about parents and children. Decryption keys for the photo and audio files were included in the hacked database.

Hong Kong-based company VTech Electronics Limited and its US subsidiary agreed to pay $650,000 to resolve the charges brought by the FTC.  This settlement marks the FTC’s first privacy case involving internet-connected toys.

Since its passage, COPPA has been actively enforced by the FTC, with recent settlements including a mobile advertiser tracking children’s locations and app developers that allowed third-party advertisers to collect children’s information.