Toy Maker Settles Charges for Violating Child Privacy Law

An electronic toy-maker has agreed to pay $650,000 to settle charges from the Federal Trade Commission that it collected personal information on hundreds of thousands of children without their parents knowing. VTech Electronics, whose North American operations are based in Arlington Heights, says it did notify parents and the allegations are based on technical provisions of a children’s privacy law.

The company also allegedly failed to protect the data it collected, allowing a hacker to gain access in late 2015, according to the complaint.

The children’s privacy case was FTC’s first involving internet-connected toys, said Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection. It shines a light on the growing market, which is expected to reach $15.5 billion by 2022, up from an estimated $4.9 billion in 2017, according to a report from England-based Juniper Research.

“(This) sends a message to parents,” Pahl said. “Parents should read a company’s privacy practices, make sure that companies get their permission to collect their children’s information and be aware of their other rights.”

Hong Kong-based VTech makes toys such as smart watches and handheld smart devices for kids.

The FTC alleges that the Kid Connect app used with some of VTech’s toys collected information on children without notifying parents or getting their consent. That practice is required for children under age 13 by the Children’s Online Privacy Protection Act.

VTech also collected information from parents via its online platform Learning Lodge Navigator, where the Kid Connect app was available for download. As of November 2015, parents had registered and created accounts with Learning Lodge for almost 3 million children, including about 638,000 Kid Connect accounts.

VTech spokeswoman Kaleigh Steinorth said the company did give notice and get parents’ consent and designed Kid Connect in a way that ensured parents knew how the system worked and what information would be collected.

The allegations were based on technical requirements of the Children’s Online Privacy Protection Act regarding how parents must be notified “and how companies must verify that the consenting person is the parent,” she said in an email. “We have taken steps to ensure compliance with these technical requirements,” Steinorth said.

The Consumers Union, a nonprofit organization that does product testing and research, has asked the FTC to look into privacy and security concerns related to smart and connected toys.

“Parents have a right to know and a right to choose how their children’s personal data is collected,” Katie McInnis, technology policy counsel for Consumers Union, said in a statement.

The FTC launched its investigation in late 2015 after the hacker gained access to VTech’s networks, exposing the information, photos and audio of Kid Connect users. The FTC also alleged that VTech falsely stated in its privacy policy that personal information would be encrypted when it was not.

As part of the settlement, VTech is required to put a data security system in place that will be subject to independent audits for 20 years.

“There’s not a consistent practice over time of companies making sure they are always staying one step ahead of the hackers,” Pahl said. This settlement will help “to make sure that kind of program they develop is in place and works.”