The Federal Trade Commission on Jan. 8 announced its first settlement of alleged violations of the Children’s Online Privacy Protection Act arising from internet-connected toys. The FTC complaint against VTech followed the exposure of a data breach affecting hundreds of thousands of parents’ and children’s data who used VTech’s connected toys. The government asserted that VTech violated COPPA by failing to provide sufficient notice to parents about the information it collects and by failing to establish and follow adequate data security practices. Requiring VTech to pay a $650,000 penalty and undergo independent, biennial assessments of the company’s comprehensive data security program for 20 years, the settlement serves as a reminder to pay close attention to COPPA compliance when launching child focused internet-connected products.
COPPA is designed to protect children’s personal information by imposing verifiable parental consent and data protection obligations on websites or online services directed to children under age 13 and operators of other websites or online services that have actual knowledge that they are collecting personal information about children. COPPA requires, among other things, that covered companies give clear notice to parents of the personal information they collect from children and how they will use that information, and obtain verifiable parental consent from parents before collecting personal information from users. COPPA also requires covered companies to maintain reasonable security practices for the data they collect, and to give parents the ability to access and delete their children’s information.
Since VTech collects and maintains children’s data, the company is an operator under COPPA. By collecting children’s dates of birth, the company also has actual knowledge that it is collecting personal information on children under age 13.
VTech develops, markets and sells internet-connected toys known as electronic learning products and games to use on such ELPs. VTech also operates an online platform, the Learning Lodge, which allows customers to download applications, games and e-books directed toward children. The FTC alleged VTech was required to comply with COPPA because its Kid Connect application and web-based Planet VTech platform were directed to children under 13. The FTC also alleged VTech gained actual knowledge that child users were under 13 when the users or their parents entered their ages in their user profiles. The complaint alleged both services employed inadequate security.
The VTech settlement serves as a reminder of the importance of paying close attention to COPPA compliance when launching internet-connected products that will be targeted to children. In charging VTech first, the FTC suggests that multiple COPPA violations and an inability to detect and remediate privacy holes may be more likely to attract agency attention.
To avoid VTech’s fate, developers of internet-connected toys and educational products should consult with an experienced COPPA attorney at the earliest stage of development to address the following COPPA compliance requirements: