In 2015, electronic toy company VTech learned that a hacker had accessed its computer network and the customer information within it, including personal information about children who were using the company’s Kid Connect mobile app.
On Jan. 8, in the Federal Trade Commission’s first children’s privacy case involving connected toys, VTech Electronics Limited and its U.S. subsidiary agreed to settle charges filed by the FTC after the incident. VTech will pay $650,000 as part of the settlement, according to an FTC press release.
The FTC said that VTech had violated the Children’s Online Privacy Protection Act (COPPA) – a U.S. children’s privacy law that governs the collection of personal information from minors – not only by collecting such information without parental consent, but also by failing to properly protect that data from threat actors.
COPPA requires that any company collecting personal information online from minors under the age of 13 must clearly disclose to parents the information it collects and how that information will be used. Furthermore, reasonable measures must be taken to secure sensitive data provided by children.
VTech reportedly collected personal information from parents during registration on its Learning Lodge platform and its web-based gaming and chat platform, Planet VTech. So far, so good.
But the company also collected personal information from the nearly 800,000 children using those platforms by November 2015, when the hack occurred, and did not notify parents of how information would be collected and used.
“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” acting FTC Chairman Maureen K. Ohlhausen said in a statement. “Unfortunately, VTech fell short in both of these areas.”