On January 8, the FTC announced a settlement with VTech (a maker of electronic children’s toys) for violations of COPPA, adding to the regulatory activity mounting in the last few years around the Internet of Toys. The company agreed to pay $650,000 to settle allegations that its Kid Connect app and its Learning Lodge platform collected personal information from almost 3,000,000 children without providing direct notice and obtaining their parent or guardian’s consent.
The FTC also alleged that the company failed to take reasonable steps to secure the data it collected, in violation of both COPPA and the FTC Act, and that these poor data security practices contributed to a November 2015 data breach. In its complaint, the FTC stated that the company failed to maintain a comprehensive information security program, implement intrusion detection and prevention programs, monitor for exfiltration, complete vulnerability testing or ensure reasonable employee training. The FTC also stated that the company did not encrypt any registration information transmitted through Learning Lodge, despite the company’s representations that most personally identifiable information was transmitted in encrypted form.
The FTC collaborated in its investigation with the Office of the Privacy Commissioner of Canada.