VTech sells (among other things) “electronic learning products” targeted to children ages 3-9. Primarily at issue in the FTC’s complaint was an app called Kid Connect that could be used by children through some of these toys. To use Kid Connect, a parent first had to register an account through VTech’s Learning Lodge website and then set-up Kid Connect accounts for themselves and their child(ren). By November 2015, there were over 638,000 Kid Connect child accounts.
Once registered, children could use Kid Connect to communicate with contacts who had been authorized by the child’s parent by using a direct-messaging feature or posting to a message board. Per the FTC, VTech collected COPPA-regulated personal information from Kid Connect users, “including the content of text messages or messages to shared electronic bulletin boards, user names for a child that could be used to contact the child, and photographs and audio files containing a child’s image or voice.”
According to the complaint, VTech violated COPPA by:
– Failing to employ any mechanism to verify that the person creating a Kid Connect account for a child was actually an adult or to otherwise secure verifiable parental consent before collecting personal information from children;
– Engaging “in a number of practices that, taken together, failed to provide reasonable and appropriate data security to protect the personal information collected from consumers.”
To settle the complaint, VTech agreed to pay $650,000 in civil penalties and to implement a comprehensive data security program, which will be subject to biennial audit over the next 20 years.
The VTech settlement is a clear reminder that COPPA enforcement remains an area of interest for the FTC and we anticipate seeing more COPPA cases (and more internet-connected toy cases in particular) in the near term. Beyond that general reminder, though, we find the security focus of this case noteworthy. Often, COPPA discussions center on how to go about acquiring parental consent or how to structure a service in order to avoid the need to do so. While failure to get proper consent was obviously part of the issue for VTech here, this case is a reminder that failure to abide COPPA’s notice and security requirements can also be costly.