On January 8, 2018, the FTC announced that VTech, maker of electronic toys for children, agreed to settle charges that it violated the law by collecting personal information without parental consent.
In the complaint made public along with the settlement, the FTC alleged that VTech violated COPPA by collecting personal information on children without parental consent through the Kid Connect and other applications sold with its internet-connected toys, since there wasn’t a mechanism in place to verify that the parent registering for a Kid Connect account was actually a parent. The FTC also alleged that VTech failed to provide direct notice of its information collection practices to parents and failed to take reasonable steps to protect the information it had collected, which included full names, email addresses, mailing addresses, usernames, and passwords. Finally, the FTC alleged that VTech violated the FTC Act by falsely stating that personal information submitted by users would be encrypted when in fact none of the information, except for photo and audio files, was encrypted. In November 2015, VTech learned through a journalist that hackers had accessed its computer network and stolen personal information about parents and children. Decryption keys for the photo and audio files were included in the hacked database.
Hong Kong-based company VTech Electronics Limited and its US subsidiary agreed to pay $650,000 to resolve the charges brought by the FTC. This settlement marks the FTC’s first privacy case involving internet-connected toys.
Since its passage, COPPA has been actively enforced by the FTC, with recent settlements involving a mobile advertiser that tracked children’s locations and app developers that allowed third-party advertisers to collect children’s information.