In its first children’s privacy case involving internet-connected toys, the FTC has settled allegations with, and received $650,000 from, VTech Electronics, a manufacturer and seller of electronic learning products (ELPs). The FTC alleged that VTech failed to provide proper notice of its information practices to parents, did not link to its Privacy Policy as required by COPPA, and did not implement reasonable data security for children’s personal information. This settlement serves as a forceful reminder that the FTC is serious about enforcing all of the requirements of the COPPA Rule, including those beyond the parental consent requirements.
Complaint
VTech operates Learning Lodge, an online platform of child-directed apps and games; the Kid Connect app, through which children can send text messages, audio files, and photos to parent-approved contacts; and Planet VTech, a web-based gaming and chat platform. The FTC alleged that as of November 2015, in order to use the above-listed apps and games, parents first had to register by submitting personal information including name, address, email, password, child’s name, child’s birthday, child’s gender, profile photos, and more. Over 2 million parents registered and created accounts for almost 3 million children.
In November 2015, a hacker entered VTech’s computer network through a test environment, traversed to the live system, and exfiltrated personal information of consumers, including children, in clear, readable text. Though passwords and children’s photos and audio files were stored in an encrypted format, the hacker gained access to a database including decryption keys. Because children’s accounts were linked to their parents’ accounts, hackers also had the ability to combine information, such as linking a child’s profile photo to their parent’s home address.
COPPA Violations
First, VTech allegedly failed to provide information required by COPPA in its privacy policy, including VTech’s address and email address, a “full description of” the information collected from children, and information about parental access and deletion rights. Second, the FTC charged that VTech did not link to its Privacy Policy in “each area” of Kid Connect where personal information was collected from children, including the home page and the text message and audio interfaces. The FTC said that VTech’s link to its Privacy Policy on the Kid Connect registration pages, which was in small blue font in the bottom right hand corner of the screen, was not prominent and clearly labelled.
The FTC also considered VTech’s data security practices insufficient. The complaint alleges that VTech failed to (1) maintain a comprehensive information security program; (2) segment and protect its live website environment from its test environment; (3) implement tools to detect intrusions or unauthorized attempts to exfiltrate personal information; (4) complete vulnerability and penetration testing; and (5) provide data security guidance or training to employees.
Section 5 Violations
Finally, the complaint indicates that, contrary to express statements in its Privacy Policy, VTech did not encrypt any information submitted through its Learning Lodge or Planet VTech online services. Thus, the statements were allegedly false and misleading in violation of Section 5(a) of the FTC Act.
Takeaways from this Settlement
- Provide conspicuous links to your privacy policy everywhere that your service collects information from children. A small link at the bottom of a web page likely will not meet COPPA’s requirement to post a prominent and clearly labeled link to your notice of information practices.
- Violations add up. A large number of seemingly small violations, when viewed together, may be enough for a very large penalty under COPPA.
- The FTC continues to be serious about security, particularly in the wake of its 2017 “Start with Security” blog series, available here.
- The Commission seemed particularly concerned that VTech’s violations only came to light after a breach, and that the company learned about the breach from a reporter, rather than through its own monitoring. Thus, it is critical for companies to implement and maintain internal security programs and monitoring and detection systems.
ZwillGen attorneys Stacey Brandenburg and Kandi Parsons will discuss the VTech case and other notable FTC cases and guidance from the past year in a webinar on Wednesday, January 17th from 1:00 – 2:00 PM EST.