Internet of Toys Enforcement: VTech Agrees to COPPA Settlement

On January 8, the FTC announced a settlement with VTech (a maker of electronic children’s toys) for violations of COPPA, adding to the regulatory activity mounting in the last few years around the Internet of Toys.  The company agreed to pay $650,000 to settle allegations that its Kid Connect app and its Learning Lodge platform collected personal information from almost 3,000,000 children without providing direct notice and obtaining their parent or guardian’s consent. 

Specifically, the FTC alleged that the company failed to provide a link to its privacy policy in each area where personal information was collected from children, including the landing screen of the Kid Connect parent app.  Instead, the company linked to its privacy policy in small blue font at the bottom of the registration page in a manner that the FTC alleged was not “prominent and clearly labeled,” as required by the COPPA Rule.

The FTC also alleged that the company failed to take reasonable steps to secure the data it collected in violation of both COPPA and the FTC Act, and that these poor data security practices contributed to a November 2015 data breach.  In its complaint, the FTC stated that the company failed to maintain a comprehensive information security program, implement intrusion detection and prevention programs, monitor for exfiltration, complete vulnerability testing or ensure reasonable employee training.  The FTC also stated that the company did not encrypt any registration information transmitted through Learning Lodge, despite the company’s representations that most personally identifiable information was transmitted in encrypted form.

The FTC collaborated in its investigation with the Office of the Privacy Commissioner of Canada.