FTC Cracks Down on Internet-Connected Toys

In its first action involving internet-connected toys, the Federal Trade Commission said Monday (Jan. 8) that electronic toy company VTEch Electonics had agreed to pay $625,000 to settle charges it violated privacy law (the Children’s Online Privacy Protection Act [COPPA]) by "collecting personal information from children without providing direct notice and obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected."

The FTC alleged that VTech's Kid Connect app "collected the personal information of hundreds of thousands of children, and that the company failed to provide direct notice to parents or obtain verifiable consent from parents concerning its information collection practices, as required under COPPA."

“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said acting FTC chairman Maureen K. Ohlhausen. “Unfortunately, VTech fell short in both of these areas.”

The FTC also alleged that VTech claimed it its privacy policy that most personal info submitted via the Learning Lodge and Plante VTech would be encrypted, while none of it was.

Tom Pahl, director of the FTC's consumer protection bureau, said the toys included singing animals, interactive easels, tablets, and other products, and that the settlement showed the FTC's commitment to protecting kids personal information in an increasingly connected world.

In addition to paying the money, VTech has agreed not to misrepresent its security or privacy practices, and to implement a comprehensive data security program that will be audited for the next 20 years.

The vote for the settlement was 2-0. There are currently only two FTC commissioners, Republican acting chairman Ohlhausen and Democrat Terrell McSweeny.

The FTC is getting more authority over broadband privacy now that the FCC has voted to reclassify internet access as an information service. When access was classified as a Title II service, the FTC was precluded from regulating it due to a common carrier exemption.

As to protecting kids information, the company had been under the gun for sometime. In 2015, VTech suffered a hack and said almost 3 million children's profiles and over 2 million parents accounts were affected in the U.S. alone. The company also conceded its database "was not as secure as it should have been."

That prompted legislators to press the company for answers on how it protected, or more to the point didn't protect, the kids data its toys collected.

VTech said that on Nov. 14, 2015, an "unauthorized party" accessed customer data housed on its Learning Lodge app store database, which "allows our customers to download apps, learning games, e-books and other educational content to their VTech products."

Pahl said the FTC's investigation was launched in the wake of that breach.

He would not comment on whether the FTC was investigating other potential issues with connected toys, as various groups have asked, but said children's privacy remains a priority and that it would investigate concerns generated by complaints and petitions as well as news stories.

Consumer groups last month asked the FTC and retailers to crack down on Interconnected toys and smartwatches to protect kids' privacy.

It has been a year since the groups, which include Campaign for a Commercial-Free Childhood, the Center for Digital Democracy, Consumer Action, Consumer Federation of America, filed a complaint with the FTC about two toys, Cayla and i-Que Intelligent Robot, because they collect and analyze what children say and respond to it.

A reporter raised the Cayla complaint, but Pahl was not commenting beyond affirming the FTC's concerns about both kids privacy and the growing internet of things.

“The VTech matter--and the more than two years it took to get justice for these families--highlights why we need broader, forward-looking rules to protect our families' information and why we encourage companies to work with us on reasonable policies," said Jim Steyer, CEO of Common Sense, which provides ratings and reviews and other aids for parents trying to help their kids navigate the world of digital media. "It is in the best interest of the industry for their customers to trust them and that trust can be built by having clear rules that protect children and teens. We strongly encourage industry leaders to work with advocates like Common Sense on fair policies that will help prevent these situations from happening in the first place.”

John Eggerton

Contributing editor John Eggerton has been an editor and/or writer on media regulation, legislation and policy for over four decades, including covering the FCC, FTC, Congress, the major media trade associations, and the federal courts. In addition to Multichannel News and Broadcasting + Cable, his work has appeared in Radio World, TV Technology, TV Fax, This Week in Consumer Electronics, Variety and the Encyclopedia Britannica.