Earlier this week, the FTC announced its first settlement involving internet-connected toys. The FTC alleged that the Kid Connect app used with some of VTech’s toys collected personal information from hundreds of thousands of children, and that the company failed to provide direct notice of its privacy practices to parents, or to obtain verifiable consent from them, as required by the Children’s Online Privacy Protection Act (or COPPA”). The FTC also alleged that VTech failed to use reasonable data security measures to protect the personal information it collected.

According to the FTC’s complaint, VTech collected personal information from parents on its Learning Lodge Navigator online Vconnect Deviceplatform, where the Kid Connect app was available for download, and through a (no longer available) web-based gaming and chat platform called Planet VTech. Before using Kid Connect or Planet VTech, parents were required to register and provide personal information about themselves and their children. VTech also collected personal information from children when they used the Kid Connect app.

As of November 2015, about 2.25 million parents had registered and created accounts with Learning Lodge for nearly 3 million children, including about 638,000 Kid Connect accounts for children. In addition, about 134,000 parents in the US had created Planet VTech accounts for 130,000 children.

The FTC generally alleged that:

  • VTech failed to provide direct notice of its information collection and use practices to parents and did not link to its privacy policy in each area where personal information was collected from children.
  • VTech did not take reasonable steps to protect the information it collected through Kid Connect. (In November 2015, the company was informed by a journalist that a hacker accessed its computer network and personal information about Kid Connect app users.)
  • VTech violated the FTC Act by falsely stating in its privacy policy that most personal information submitted by users through the Learning Lodge and Planet VTech would be encrypted.

As part of the settlement, VTech agreed to pay $650,000. In addition, VTech is permanently prohibited from violating COPPA in the future and from misrepresenting its security and privacy practices as part of the proposed settlement. It also is required to implement a comprehensive data security program, which will be subject to independent audits for 20 years.

In the FTC’s press release, acting FTC Chairman Maureen K. Ohlhausen noted that as connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data.” This case demonstrates that the consequences of not taking those steps up-front can be significant.