The settlement between VTech Electronics Ltd. and the FTC in the first Internet-connected toys COPPA case is a reminder for companies looking to enter the connected toys space not to forget this child-focused law.
The FTC complaint alleged that VTech violated the Children’s Online Privacy Protection Act and the FTC’s COPPA Rule because it collected personal information from children without parental consent. According to the FTC, VTech markets and sells various “electronic learning products,” which it targets to 3- to 9-year-olds. Those products have an area similar to an app store, and one of the apps available is called Kid Connect. Kid Connect, the FTC explained, lets children communicate with other users. Although parents did have to sign children up for the interactive features of the VTech products, the FTC had concerns about the compliance of the consent process. Namely, that VTech did not have a way to verify that the person submitting consent was the parent, not the child him or herself. Also of concern for the FTC, and in violation it alleged of COPPA, was not having a link to the privacy policy in all areas of Kid Connect where personal information was collected. And in some instances, like the Kid Connect registration page, the privacy policy link was not sufficiently prominent. Additionally, some of the information required by COPPA to be included in a privacy policy was missing. This included VTech’s address and email address, a full description of what information was being collected from children, and the parent’s right to review/delete children’s personal information.
Another concern of the FTC was the security of children’s information. Kid Connect was hacked in November 2015, and according to the FTC the hack occurred because the hacker “exploited commonly known and reasonably foreseeable vulnerabilities.” VTech, it argued, thus failed to comply with the COPPA requirement to protect information. Also on the security front were concerns around another web-based platform, called Planet VTech, for children five and older. This interactive area let kids play games and chat with other users. None of the registration information, according to the FTC, was encrypted. This was in contradiction to privacy policy representations that information would be encrypted, and thus constituted a violation of the FTC Act.
What’s next for VTech? The FTC stated in its press release that it had shared information and coordinated enforcement with the Office of the Privacy Commissioner of Canada under the U.S. SAFE WEB Act. The OPC has stated that it also worked with the Privacy Commissioner for Personal Data for Hong Kong, where VTech is headquartered, which commenced its own compliance check in December 2015. What’s next for everyone else? This case follows a June 2017 update from the FTC in its guidance to businesses about how to comply with COPPA. That guidance specifically mentioned internet-connected toys. This suggests that more FTC scrutiny in this area is likely. Similar actions are coming outside of the US as well, as we reported recently regarding the Genesis Toys’ My Friend Cayla doll case.
Putting it Into Practice: As the internet breaks out of its traditional boundaries of our computer and phones, companies making connected devices geared towards children should keep issues in mind. Are mechanisms in place to get verifiable parental consent where needed? Is information appropriately secured? These and other questions should be examined according to the FTC and regulators around the globe.