Peter B. Miller, CIPP/G/US, CIPP/E, CIPM, CIPT
Lauren B. Aronson

On January 8, 2018, the FTC announced settlement of its first connected toy case with VTech Electronics Ltd (“VTech”) for violating the Children’s Online Privacy Protection Act (COPPA) Rules by failing to properly collect and protect personal information about and from children and violating the FTC Act by misrepresenting its security practices. In addition to paying a $650,000 civil penalty, VTech agreed to comply with COPPA, implement and maintain a comprehensive information security program with regular third-party security audits for the next twenty years, and not misrepresent its privacy and data security practices.

The settlement comes more than two years after VTech learned that a hacker had gained remote access to databases for its interactive electronic learning products (ELPs), including for its Kid Connect chat application, in what was described at the time as the largest known hack targeting children. According to the FTC’s Complaint, the hacker accessed VTech’s databases “by exploiting commonly known and reasonably foreseeable vulnerabilities,” and VTech was unaware of the intrusion until it was informed by a reporter.

The Allegations

VTech operated the Learning Lodge Navigator, which allowed consumers to download child-directed online content and applications developed for use with VTech’s ELPs, which were targeted at children between 3 and 9 years old. Kid Connect permitted children with VTech ELPs to communicate directly with each other. In operating Learning Lodge and Kid Connect, VTech violated COPPA and FTC Act requirements, and failed to protect the personal information that it collected from children and adults.

Specifically, until November 2015, VTech collected personal information from adults about themselves and their children during the account creation process, including children’s names, full birth dates, gender, and photos, but did not verify that the accounts were set up by a parent rather than a child and did not encrypt that information in transit. Children used the Kid Connect app to send text messages, audio messages, photos and stickers, some of which the defendants collected and stored for one year. Although that information was stored in an encrypted format, the hacker was able to access a database containing the decryption keys, and VTech stored the information in a way that transparently linked children’s records to those of their parents, so that the hacker could link a child’s photograph with a physical address and other information.

The FTC alleged that VTech’s notice, collection, transmission, and security practices violated COPPA Rules by, among other things, failing to post a privacy policy with “clear, understandable, and complete notice” of its information practices; failing to provide parents with direct notice of information practices; failing to verify parental consent prior to collecting, using, and disclosing personal information from children; and failing to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. The FTC also alleged that VTech violated the FTC Act by failing to comply with its Privacy Policy representations regarding its collection, storage, and transmittal of covered information. Finally, the FTC alleged that VTech failed to encrypt the transmission and storage of children’s and parents’ personal data collected during registration for VTech’s Planet VTech online gaming service.

Why it Matters

The FTC’s settlement with VTech is an important reminder to operators of child-directed applications and websites to regularly review their data collection, security, and privacy practices for compliance with COPPA Rules and FTC privacy and security requirements. In addition, all entities active in the online, e-commerce, and mobile space – whether directed to children or to adults – should implement, maintain, and adequately document a reasonable, risk-based information security program that includes appropriate technical, physical, and administrative controls to prevent unauthorized access and to detect and respond to data incidents. With the growth in connected toys, and the increased federal, state, and international regulatory scrutiny of interactive and interconnected products and services, failure to assess and manage risk, including by implementing privacy by design and security by design principles, can be costly and can have national and international consequences.