VTech Pays $650,000 to Settle Child Privacy Claims

VTech Electronics, a maker of children’s toys, has agreed to pay $650,000 to settle charges that it collected data on children without their parents’ consent.

VTech, a Hong Kong company with a US subsidiary, was also charged with failing to keep that data safe from hackers.

The US Department of Justice filed suit against VTech on behalf of the Federal Trade Commission (FTC) on January 8.

The suit charged that VTech violated various federal laws including the Children’s Online Privacy Protection Act of 1998 (COPPA).

COPPA

As the complaint notes,

Congress enacted COPPA in 1998 to protect the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children’s personal information online by operators of Internet Web sites and online services.

VTech sells products including “electronic learning products,” or ELPs. They also provide online games and apps.

One of the apps is called Kid Connect, which is intended to be used by children on a VTech ELP. Children can use the app to communicate with other children who have the app — and with adults who download the adult version of the app.

As of November of 2015, about 638,000 children were using Kid Connect accounts.

Learning Lodge

In order to create a Kid Connect account, parents had to register for Learning Lodge. They had to submit the parents full name, physical address, email address, password, secret question and answer, and the name, gender, and birthdate of the child being registered.

COPPA rules define personal information to include names, a physical address, and email.

COPPA rules require that the operator of a child-oriented website must meet special requirements before colleting, using, or disclosing personal information about children.

The website operators must:

• post a privacy policy that explains what information is collected from children and how it’s used
• obtain verifiable parental consent before collecting and using information from children
• establish reasonable procedures to protect the collected information

The complaint charged that VTech violated COPPA in various ways, including:

• Failing to link to the privacy policy in each area of Kid Connect where children’s personal information was collected
• Not fully describing the information that was being collected from children
• Failing to provide information about parents’ rights to review or delete a child’s personal information

Lack of Encryption

None of the submitted data was encrypted, even though VTech’s Privacy Policy included the following statement:

In most cases, if you submit your PII [personally identifiable information] to VTech directly through the Web Services it will be transmitted encrypted to protect your privacy using HTTPS encryption technology. Any Registration Data submitted in conjunction with encrypted PII will also be transmitted encrypted.

The FTC charged that this statement was thus  false and misleading.

VTech had no system in place to verify that the person setting up an account was a parent rather than a child.

Hack Attack

The complaint also charged that VTech learned in November of 2015 that a hacker had gotten into the company’s computer network and obtained personal information about children who used Kid Connect.

The information was sufficient to find photos of children and their home addresses.

Enforcement

The New York Times reported that this was the first enforcement action by the FTC against a company that made internet-connected toys.

VTech said that it had updated its data security policy in the wake of the hack attack.