FTC’s First COPPA Settlement Involving Internet Connected Toys

On January 8, 2018 the Federal Trade Commission (“FTC”) announced a settlement with the toy manufacturer VTech Electronics concerning alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) arising from VTech’s collection of personal information from children through internet connected toys.  Under the terms of the settlement VTech is required to pay a fine in the amount of $650,000 and implement a comprehensive data security program which will be subject to audit for 20 years.

COPPA was enacted to protect children’s personal information collected by operators of web sites and on-line services which are directed to children under the age of 13 or who have actual knowledge that they are collecting personal information about children.  It requires such operators to take a number of steps to protect the personal information of children they collect.  These include (i) providing clear notice to parents of the personal information collected; (ii) obtaining verifiable parental consent before any personal information is collected; (iii) providing parents access to and the ability to delete their children’s personal information; and (iv) maintaining reasonable security measure to protect the information collected.

The FTC alleged that VTech violated COPPA because certain of VTech’s electronic toys included an app that collected personal information from hundreds of thousands of children, but did not provide notice to parents or obtain verifiable parental consent before such information was collected.  Other alleged violations of COPPA by VTech included the following:

  • VTech failed to post its privacy policy in each area of its app where information was collected.
  • VTech’s privacy policy was deficient because it did not include (i) VTech’s e-mail and postal addresses, (ii) an accurate description of VTech’s information collection practices, or (iii) information on a parent’s right to view and delete information collected about their children.
  • VTech did not maintain reasonable security measures to protect the information it collected because it failed to, among other things, encrypt the data and implement an intrusion prevention and detection system.

Under the terms of its settlement VTech is required to pay a $650,000 fine and is permanently enjoined from violating COPPA in future.  It is also required to implement a comprehensive data security program which will be subject to independent audit for 20 years.

The VTech settlement is a clear reminder that COPPA applies to all on-line services directed to children including websites, apps, games and internet connect toys that collect children’s personal information and the importance of complying with all of COPPA’s notice, data collection and protection requirements.

Comments are closed.