In its first action involving internet-connected toys, the Federal Trade Commission said Monday (Jan. 8) that electronic toy company VTech Electronics had agreed to pay $625,000 to settle charges it violated privacy law (the Children’s Online Privacy Protection Act [COPPA]) by "collecting personal information from children without providing direct notice and obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected."
The FTC alleged that VTech's Kid Connect app "collected the personal information of hundreds of thousands of children, and that the company failed to provide direct notice to parents or obtain verifiable consent from parents concerning its information collection practices, as required under COPPA."
“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said acting FTC chairman Maureen K. Ohlhausen. “Unfortunately, VTech fell short in both of these areas.”
In addition to paying the money, VTech has agreed not to misrepresent its security or privacy practices, and to implement a comprehensive data security program that will be audited for the next 20 years.
The vote for the settlement was 2-0. There are currently only two FTC commissioners, Republican acting chairman Ohlhausen and Democrat Terrell McSweeny.
The FTC is getting more authority over broadband privacy now that the FCC has voted to reclassify internet access as an information service. When access was classified as a Title II service, the FTC was precluded from regulating it due to a common carrier exemption.
As to protecting kids’ information, the company had been under the gun for some time. In 2015, VTech suffered a hack and said almost 3 million children's profiles and over 2 million parents accounts were affected in the U.S. alone. The company also conceded its database "was not as secure as it should have been."
That prompted legislators to press the company for answers on how it protected, or more to the point didn't protect, the kids data its toys collected.
VTech said that on Nov. 14, 2015, an "unauthorized party" accessed customer data housed on its Learning Lodge app store database, which "allows our customers to download apps, learning games, e-books and other educational content to their VTech products."