FTC Punishes Children's App Company for Not Playing by the Rules
FTC Punishes Children's App Company for Not Playing by the Rules

In early January the Federal Trade Commission announced that it reached a settlement in a lawsuit against VTech Electronics, an Internet-connected toy maker, for violating the Children's Online Privacy Protection Act (COPPA) and the FTC Act. The settlement required VTech to pay a fine of $650,000. This case marks the FTC's first foray into the world of data security and Internet-connected apps for children.

A little background on the case: VTech operates Learning Lodge Navigator, an online platform that allows customers to download child-oriented apps and games onto VTech-connected devices. Two of the more popular VTech products were Kid Connect, which allows children to send texts, photos, and audio files to VTech contacts approved by their parents, and Planet VTech, a now-obsolete web-based gaming and chat platform. 

The public was interested – by November 2015, 2.2 million parents created Learning Lodge accounts for around 3 million children. This number included around 638,000 Kid Connect accounts for children. If a child wanted to use Kid Connect, a parent had to register on Learning Lodge and provide information such as the child's name, date of birth, and gender. VTech's privacy policy stated that when parents input personal information for the Kid Connect registration, the data “in most cases” would be encrypted to protect users' privacy.

The problem with VTech and its Kid Connect app? To begin, VTech violated COPPA, a law that requires companies collecting personal information from children under age 13 to follow certain measures to protect the children's data. These measures include:

·       Disclosing to parents the data that a company collects and how the data is used;

·       Posting privacy notices on webpages; and

·       Obtaining verifiable, parental consent before collecting personal information from children.

COPPA also requires companies to maintain reasonable procedures to “protect the confidentiality, security, and integrity of personal information collected from children.” VTech violated COPPA, however, because it failed to (1) provide direct notice to parents of its information collection and use practices, and (2) link its privacy policy in each area where personal data was collected from children.

VTech also ran afoul of COPPA because it failed to reasonably protect the data of children it collected through Kid Connect. This became evident in November 2015 after a hacker breached its computer network and accessed the personal information of consumers, including the data, photos, and text messages of children who used the Kid Connect app.

The FTC's lawsuit also asserted that VTech violated the FTC Act by engaging in “deceptive acts or practices” by falsely stating in its privacy policy that most personal information submitted by users through Learning Lodge would be encrypted. VTech, however, did not encrypt any of this data.

Along with the $650,000 fine, the FTC ordered VTech to take additional corrective measures. VTech is now “permanently” prohibited from violating COPPA in the future and from misrepresenting its data security and privacy practices. And VTech must implement a “comprehensive data security program” that will be subject to independent data privacy and security audits for the next 20 years. Acting FTC Chairman Maureen Ohlhausen summarized the lessons learned from VTech: “As connected toys become increasingly popular, it's more important than ever that companies let parents know how their kids' data is collected and used and that they take reasonable steps to secure that data. Unfortunately, VTech fell short in both these areas.”

VTech's problems are not limited to the U.S. The 2015 data breach of VTech compromised the personal information of 500,000 Canadian children and their parents. The Privacy Commissioner of Canada investigated the matter and required VTech to improve its security systems to better protect children's data and to reduce the risk of a future breach. Canada did not fine VTech. The Privacy Commission for Personal Data in Hong Kong, where VTech is headquartered, is also investigating VTech.