Last week, the Federal Trade Commission announced a settlement with toy manufacturer VTech Electronics, its first action involving internet-connected toys. In its complaint, the FTC alleged that VTech’s information collection and security practices related to certain child-directed services violated the Children’s Online Privacy Protection Act (COPPA) and that a misrepresentation in its privacy policy separately violated the FTC Act’s prohibition on deceptive practices.  The action follows a 2015 hack of VTech that exposed data regarding 6.4 million child users of its services.

VTech sells (among other things) “electronic learning products” targeted to children ages 3-9. Primarily at issue in the FTC’s complaint was an app called Kid Connect that could be used by children through some of these toys. To use Kid Connect, a parent first had to register an account through VTech’s Learning Lodge website and then set up Kid Connect accounts for themselves and their child(ren). By November 2015, there were over 638,000 Kid Connect child accounts.

Once registered, children could use Kid Connect to communicate with contacts who had been authorized by the child’s parent by using a direct-messaging feature or posting to a message board.  Per the FTC, VTech collected COPPA-regulated personal information from Kid Connect users, “including the content of text messages or messages to shared electronic bulletin boards, user names for a child that could be used to contact the child, and photographs and audio files containing a child’s image or voice.”

According to the complaint, VTech violated COPPA by:

– Failing to employ any mechanism to verify that the person creating a Kid Connect account for a child was actually an adult or to otherwise secure verifiable parental consent before collecting personal information from children;

– Failing to provide direct notice of its privacy practices to parents, to link to its privacy policy in each area of its online services where children’s personal information was being collected, and to include in the privacy policy certain COPPA-mandated information, including a full description of the personal information collected from children; and

– Engaging “in a number of practices that, taken together, failed to provide reasonable and appropriate data security to protect the personal information collected from consumers.”

In addition, the FTC claimed that VTech had deceived consumers, in violation of §5 of the FTC Act, by including in its privacy policy a statement indicating that personal information would be encrypted during transmission when, in fact, data provided through Learning Lodge was not encrypted.

To settle the complaint, VTech agreed to pay $650,000 in civil penalties and to implement a comprehensive data security program, which will be subject to biennial audit over the next 20 years.

The VTech settlement is a clear reminder that COPPA enforcement remains an area of interest for the FTC, and we anticipate seeing more COPPA cases (and more internet-connected toy cases in particular) in the near term. Beyond that general reminder, though, we find the security focus of this case noteworthy. Often, COPPA discussions center on how to go about acquiring parental consent or how to structure a service in order to avoid the need to do so. While failure to get proper consent was obviously part of the issue for VTech here, this case is a reminder that failure to abide by COPPA’s notice and security requirements can also be costly.