FTC Settles COPPA Suit with Toy Maker | Practical Law

Electronic toy makers VTech Electronics Ltd. and its US-based subsidiary have agreed to implement reasonable safeguards to protect children's personal data and obtain regular independent audits to settle an FTC investigation. The FTC's complaint alleged that the company violated the Children's Online Privacy Protection Act (COPPA) by failing to provide direct parental notice, obtain verifiable parental consent, and reasonably secure personal information collected from children.

Practical Law Legal Update w-012-5664 (Approx. 4 pages)

by Practical Law Data Privacy Advisor
Published on 09 Jan 2018 | USA (National/Federal)
On January 8, 2018, the FTC announced that it reached a settlement with toy manufacturer VTech Electronics Ltd. and its US-based subsidiary (collectively, VTech) based on allegations that VTech violated the Children's Online Privacy Protection Act (COPPA).
COPPA requires an operator of an online service that collects, uses, or discloses personal information of children under 13 to:
  • Clearly disclose directly to parents the information it collects and how it uses and discloses the information.
  • Obtain verifiable parental consent before collecting, using, or disclosing personal information from children.
  • Implement reasonable protections to safeguard children's personal information.
VTech develops, markets, and sells electronic learning products for children three to nine years old. VTech also offers child-directed apps, games, e-books, and other online content to download through an online platform.
According to the FTC's complaint, from July 2013 through November 2015, VTech offered an app called Kid Connect that allowed children to communicate with other children through text and audio messages. VTech required parents to register by providing personal information and creating a Kid Connect account.
In November 2015, a hacker accessed a database with information in a readable format that VTech collected from parents during the registration process. The hacker also accessed a database with decryption keys for VTech's encrypted files, including users' passwords and children's photos and audio files. By that time, approximately 485,000 US-based consumers had registered Kid Connect accounts for more than 630,000 children.
The FTC allegations included:
  • VTech did not prominently place or clearly label links to its privacy policy or include them in each area of the Kid Connect app that collected children's information.
  • The privacy policy failed to include certain information required by COPPA, such as information about the parents' right to review or delete a child's personal information.
  • VTech did not implement any method to verify that parents, not children, registered accounts.
  • VTech failed to provide reasonable and appropriate data security to protect the collected personal information.
  • In violation of Section 5 of the FTC Act, VTech falsely stated in its privacy policy that it encrypted data transmitted during registration.
The FTC filed an unopposed motion for entry of a stipulated order with the US District Court for the Northern District of Illinois. Under the terms of the stipulated order, which is pending court approval, VTech must pay $650,000 to the FTC and may no longer violate COPPA or misrepresent its data security practices.
The order also requires VTech to:
  • Implement a comprehensive information security program that contains appropriate administrative, technical, and physical safeguards.
  • Submit a compliance report one year after entry of the order that details, among other things:
    • each version of any privacy notice posted on any of VTech's websites or online services directed to children;
    • any methods used to obtain verifiable parental consent before collecting, using, or disclosing children's personal information; and
    • the procedures used to protect the confidentiality, security, and integrity of personal information collected.
  • Within 180 days of final entry of the order, and every two years after that for the next 20 years, obtain independent, third-party audits certifying that its information security program and implemented safeguards meet or exceed the final order's requirements.
Organizations subject to COPPA should examine their practice of collecting personal information from children and obtaining verifiable parental consent to ensure that they comply with the law and the FTC's guidance, including Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business.