Jan 92018

Internet of Toys Enforcement: VTech Agrees to COPPA Settlement

Colleen Theresa Brown, Alan Charles Raul, Edward R. McNicholas and Grady Nye
, , , , , ,

On January 8, the FTC announced a settlement with VTech (a maker of electronic children’s toys) for violations of COPPA, adding to the regulatory activity mounting in the last few years around the Internet of Toys.  The company agreed to pay $650,000 to settle allegations that its Kid Connect app and its Learning Lodge platform collected personal information from almost 3,000,000 children without providing direct notice and obtaining their parent or guardian’s consent. 

Specifically, the FTC alleged that the company failed to provide a link to its privacy policy in each area where personal information was collected from children, including the landing screen of the Kid Connect parent app.  Instead, the company linked to its privacy policy in small blue font at the bottom of the registration page in a manner that the FTC alleged was not “prominent and clearly labeled,” as required by the COPPA Rule.

The FTC also alleged that the company failed to take reasonable steps to secure the data it collected in violation of both COPPA and the FTC Act, and that these poor data security practices contributed to a November 2015 data breach.  In its complaint, the FTC stated that the company failed to maintain a comprehensive information security program, implement intrusion detection and prevention programs, monitor for exfiltration, complete vulnerability testing or ensure reasonable employee training.  The FTC also stated that the company did not encrypt any registration information transmitted through Learning Lodge, despite the company’s representations that most personally identifiable information was transmitted in encrypted form.

The FTC collaborated in its investigation with the Office of the Privacy Commissioner of Canada.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Edward R. McNicholas

emcnicholas@sidley.com

Grady Nye

gnye@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.