FTC Brings First-Ever 'Connected' Toys Privacy And Data Security Case; US, Canada, And Hong Kong Privacy Regulators Coordinate Enforcement

On January 8, 2018, the Federal Trade Commission (FTC) brought its first-ever privacy and data security case involving Internet-connected toys. VTech Electronics Limited and its US subsidiary (VTech), maker of Internet-connected portable learning devices, settled claims that it collected personal information from children without providing sufficient notice to parents or obtaining verifiable parental consent, as required by the Children's Online Privacy Protection Act (COPPA) and the FTC's COPPA Rule. The FTC also alleged that VTech failed to use reasonable data security measures to protect the information that it collected, pursuant to COPPA and the deception prong of Section 5 of the FTC Act. VTech agreed to pay $650,000 in civil penalties, implement a comprehensive data security program, engage in independent third-party audits every other year for the next 20 years, and comply with recordkeeping and reporting requirements.

In a sign that international privacy regulators increasingly are cooperating in their investigations and enforcement initiatives, the FTC stated that it had collaborated with the Office of the Privacy Commissioner of Canada (OPC), which released its own Report of Findings. OPC also collaborated with the Privacy Commissioner for Personal Data for Hong Kong—where VTech is headquartered—which in late 2015 initiated its own compliance check on VTech's data security practices.

COPPA Claims

The FTC's COPPA Rule ("Rule") applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to websites and online services that have actual knowledge that they collect personal information from children under 13. "Personal information" is defined broadly under the Rule to include information that directly identifies an individual, such as name and email address, as well as other information relating to the child, such as usernames, audio files containing the child's voice, photo or video files containing the child's image, or persistent identifiers such as cookie IDs, device IDs, or IP addresses.

FTC's allegation that VTech's Kid Connect app was an online service directed to children

According to the FTC's complaint, VTech provided educational products to parents and children through portable, Internet-connected electronic devices (known as "electronic learning products" or "ELPs") and various...