In its first enforcement action involving internet-connected toys, the FTC alleged that the maker and operator of electronic devices, web portals and apps violated the Children’s Online Privacy Protection Act (COPPA) and the FTC Act by failing to provide adequate notice of its privacy practices, failing to verify parental consent as required by the COPPA rules, failing to protect the confidentiality and security of children’s personal information and falsely stating that children’s personal information was encrypted.
VTech Electronics Limited sells a number of products for children including portable devices known as “electronic learning products.” VTech also operates The Learning Lodge website, which is similar to an app store where customers can download VTech apps, games, e-books and other online content developed by VTech, and VTech formerly operated a gaming website called Planet VTech.
Kid Connect, one of the apps offered by VTech, enabled children to communicate with other children (or adults with the adult version of the app) via text messages (individual or group), audio messages, photos, or stickers. For a child to use Kid Connect, parents had to register on The Learning Lodge website and set up an account for their child.
According to the FTC, VTech collected information during registration on The Learning Lodge and Planet VTech websites and through the Kid Connect app. By November 2015, over two million parents in the U.S. had registered and created accounts with The Learning Lodge website for almost three million children.
In its complaint, the FTC charged that:
- VTech did not have a mechanism in place to verify that the person registering an account on The Learning Lodge website was a parent and not a child.
- VTech falsely claimed that information submitted when registering on The Learning Lodge and Planet VTech websites would be encrypted. In fact, personal information, including name, email and home addresses, were stored in clear text.
- VTech failed to link to its Privacy Policy in each area of the Kid Connect app where personal information was collected from children, and on the landing screen of the parent app. The link to VTech’s Privacy Policy was on the bottom right corner of the Kid Connect registration page, in a small font that blended in with its blue background. The FTC charged that this link was not prominent and clearly labeled, as required by COPPA.
- VTech did not include in its Privacy Policy information required by COPPA such as VTech’s address and email address; a full description of the information VTech collected from children; and information about a parent’s right to review or delete a child’s personal information.
- VTech failed to provide reasonable and appropriate data security to protect parents’ and children’s personal information. In November 2015, VTech learned that a hacker had accessed its computer network and exfiltrated the personal information of consumers, including personal information about the children who used Kid Connect.
As acting FTC Chairman Maureen K. Ohlhausen noted in the FTC’s press release: “As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data.” The failure to protect COPPA-covered data appears to be one of the key drivers of this action. The FTC’s allegations regarding VTech’s failure to implement adequate security measures provide a good roadmap for the FTC’s expectations regarding the protection of COPPA-covered data. Specifically, the FTC alleged that VTech failed to:
- develop, implement, or maintain a comprehensive information security program;
- implement adequate safeguards and security measures to segment and protect VTech’s live website environment from VTech’s test environment (the source of the 2015 hack);
- implement an intrusion or prevention or detection system, or similar safeguards, to alert VTech about potentially unauthorized access to its computer network;
- implement a tool to monitor for unauthorized attempts to exfiltrate consumers’ personal information across VTech’s network boundaries;
- complete its vulnerability and penetration testing of environments that could be exploited to gain unauthorized access to consumers’ personal information for well-known and reasonably foreseeable vulnerabilities, such as SQL Injection; and
- implement reasonable guidance or training for employees regarding data security and the safeguarding of consumers’ personal information.
Another key component of creating a robust data protection program (and, in turn, avoiding the ire of the FTC) is implementing strong encryption standards that both protect data at rest and in transit and prevent connected toys or other devices from communicating with unauthorized servers or devices.
As part of the settlement, in addition to paying a fine of $650,000, VTech agreed to establish and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards appropriate to VTech’s size and complexity, the nature and scope of VTech’s activities, and the sensitivity of the personal information. VTech must also obtain biennial assessments of its information security program from a qualified, independent third party for 20 years.
The FTC collaborated with the Office of the Privacy Commissioner of Canada, which is releasing its own Report of Findings . Following the FTC's updated guidance last year, we may see more enforcement for failures to protect the privacy or security of COPPA-covered data and potentially more cross-border enforcement actions.