In early January the Federal Trade Commission announced that it reached a settlement in a lawsuit against VTech Electronics, an Internet-connected toy maker, for violating the Children's Online Privacy Protection Act (COPPA) and the FTC Act. The settlement required VTech to pay a fine of $650,000. This case marks the FTC's first foray into the world of data security and Internet-connected apps for children.
A little background on the case: VTech operates Learning Lodge Navigator, an online platform that allows customers to download child-oriented apps and games onto VTech-connected devices. Two of the more popular VTech products were Kid Connect, which allows children to send texts, photos, and audio files to VTech contacts approved by their parents, and Planet VTech, a now-obsolete web-based gaming and chat platform.
The problem with VTech and its Kid Connect app? To begin, VTech violated COPPA, a law that requires companies collecting personal information from children under age 13 to follow certain measures to protect the children's data. These measures include:
· Disclosing to parents the data that a company collects and how the data is used;
· Posting privacy notices on webpages; and
· Obtaining verifiable parental consent before collecting personal information from children.
VTech also ran afoul of COPPA because it failed to reasonably protect the children's data it collected through Kid Connect. This became evident in November 2015, after a hacker breached its computer network and accessed the personal information of consumers, including the data, photos, and text messages of children who used the Kid Connect app.
Along with the $650,000 fine, the FTC ordered VTech to take additional corrective measures. VTech is now “permanently” prohibited from violating COPPA in the future and from misrepresenting its data security and privacy practices. And VTech must implement a “comprehensive data security program” that will be subject to independent data privacy and security audits for the next 20 years. Acting FTC Chairman Maureen Ohlhausen summarized the lessons learned from VTech: “As connected toys become increasingly popular, it's more important than ever that companies let parents know how their kids' data is collected and used and that they take reasonable steps to secure that data. Unfortunately, VTech fell short in both these areas.”
VTech's problems are not limited to the U.S. The 2015 data breach of VTech compromised the personal information of 500,000 Canadian children and their parents. The Privacy Commissioner of Canada investigated the matter and required VTech to improve its security systems to better protect children's data and to reduce the risk of a future breach. Canada did not fine VTech. The Privacy Commission for Personal Data in Hong Kong, where VTech is headquartered, is also investigating VTech.