December 14, 2019

FTC and VTech Settle Alleged COPPA Privacy and Security Violations

Kids love connected toys, and the market for them is expanding rapidly. But any company operating an online service directed to kids must ensure that consumer privacy is protected, that the data it collects is properly secured, and that parents are engaged where necessary. So when news broke in 2015 that electronic toymaker VTech had allegedly collected personal data on hundreds of thousands of children without permission, and that hackers had been able to access the files, the Federal Trade Commission (FTC) apparently launched an investigation. That investigation has now ended with an important settlement that includes an injunction and a civil penalty of $650,000.

Although the FTC has initiated multiple enforcement actions over the years for violations of the Children's Online Privacy Protection Act (COPPA), this is the first time a COPPA enforcement action has settled allegations of both security and privacy violations. The FTC alleged that VTech's Kid Connect app used with some of VTech's electronic toys collected the personal information of hundreds of thousands of children without providing the direct notice to parents required under COPPA, and without obtaining verifiable consent from parents. The FTC also alleged that VTech failed to use reasonable and appropriate data security measures to protect the personal information it collected, in violation of Section 5 of the FTC Act.

VTech's alleged COPPA violations include failures to: (1) provide a conspicuous link to its privacy policy on the home page and in every area where information might be collected from children; (2) send direct notices to parents; and (3) obtain verifiable parental consent before allowing children to engage in social sharing of personal data. The FTC also alleged that VTech failed to implement a comprehensive security program, to conduct penetration testing, and to protect against known vulnerabilities. In short, it lacked a sound security risk management process, including employee training. On top of that, VTech allegedly represented that it encrypted consumer registration information and children's personal information when it did not.

The Order reinforces a point already clear from the COPPA Rule: COPPA requires reasonable security for children's data. In addition to paying a $650,000 civil penalty, VTech agreed to a set of compliance measures, including refraining from misrepresentations about its security practices and implementing comprehensive data security and assessment programs, with compliance verified by a qualified, independent third party. The Order makes clear that a reasonable security program should also include designating a responsible employee or team, training all employees, and imposing appropriate security requirements on third-party partners by contract.

COPPA applies to all online services directed to children, including websites, apps, and connected kids' products. It imposes obligations not only to minimize data collection, post privacy notices, directly notify parents, and obtain parental consent where required, but also to implement reasonable safeguards to protect children's data. "Reasonable" safeguards do not mean infallible safeguards or a one-size-fits-all standard; they mean a process for managing security risk. The Order establishes that an appropriate security program for children's data under COPPA must include regular assessments, testing, and monitoring to confirm that security controls are functioning effectively, mirroring the requirements that have appeared in consent agreements involving the security of adults' data.

COPPA compliance can be challenging in a quickly changing digital landscape. The settlement serves as a reminder of the central importance of knowing your legal obligations under COPPA, understanding and managing your data flows, and implementing compliance procedures. It also reinforces a basic point about accurately describing your privacy and security practices: if you say what you'll do, you'd better do what you say.

© 2019 Keller and Heckman LLP

About this Author

Sheila A. Millar, Keller and Heckman LLP

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues. She represents clients in legislative, rulemaking, and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security, and cybersecurity matters. She helps clients develop website and app privacy policies,...

Tracy Marshall, Keller and Heckman LLP

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

As to intellectual property matters, Ms. Marshall helps clients protect their copyrights and trademarks through registration, enforcement actions, and licensing agreements.

She also represents clients in proceedings before the Federal Communications Commission and Federal Trade Commission.

Ms. Marshall is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a contributing author of Beyond Telecom Law Blog and Consumer Protection Connection.

Education: Washington and Lee University (B.A., 1997); American University, Washington College of Law (J.D., 2002).

Admissions: District of Columbia; Maryland

Memberships: American Bar Association