The Federal Trade Commission has settled its first enforcement action involving the privacy and data security of connected toys. On Monday, VTech Electronics and its U.S. subsidiaries agreed to settle allegations that the company violated the Children’s Online Privacy Protection Act, as well as the FTC Act, and pay a $650,000 fine.

“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said Acting FTC Chairman Maureen K. Ohlhausen. “Unfortunately, VTech fell short in both of these areas.

The settlement comes after a two-year investigation which found that VTech violated COPPA by collecting "personal information from children without providing direct notice and obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected," according to a FTC statement. The FTC’s investigation followed a Dec. 2015 discovery that VTech suffered a data breach exposing the personal information of both children and adults, effectively highlighting the company’s poor cybersecurity practices.

In its investigation into the case, the FTC collaborated with the Office of the Privacy Commissioner of Canada, which published its own findings report.

In comments provided to The Privacy Advisor, Jacqueline Connor, FTC staff attorney and lead lawyer on the case, said, “As consumers around the world adopt new technologies, they increasingly share personal information with companies that operate globally. Therefore, it is crucial that the FTC cooperates with its foreign partners in enforcing privacy and security laws.”

Connor added, “In this instance, the FTC and the Office of the Privacy Commissioner of Canada shared information gathered in their own investigations to facilitate this matter. To assist its international partner, the FTC relied upon the U.S. SAFE WEB Act, which strengthens the FTC’s ability to cooperate with foreign counterparts. In addition to authorizing confidential information-sharing, the Act also enhances the FTC’s authority to provide investigative assistance to counterparts, and provides mechanisms to strengthen enforcement relationships. The FTC and the OPC are both members of the Global Privacy Enforcement Network.”

The OPC also provided comments to The Privacy Advisor, describing its collaborative investigation with the FTC and noting that its office also collaborated with the Privacy Commissioner for Personal Data in Hong Kong.

Brent Homan, the OPC's director general, PIPEDA investigations, explained, "We collaborated closely with the FTC throughout our investigation, exchanging information and analysis. Given that our two Offices were both looking at the adequacy of VTech’s data security, we were able to avoid duplication of efforts in certain areas. For example, we didn’t feel a compliance agreement was necessary in this case given the binding commitments made by VTech in its settlement with the FTC. Namely that VTech will be required to complete annual audits for the next 20 years, ensuring the ongoing adequacy of its data safeguards. We appreciated the FTC’s collaboration with our office. Working with our international counterparts is an increasingly important tool for effectively and efficiently protecting the privacy rights of Canadians. "

In a press call held Monday, FTC Bureau of Consumer Protection Acting Director Tom Pahl explained that allegations raised against VTech included the company’s failure to provide adequate privacy notices to parents that allowed for consent before collecting personal information from children, failure to establish and maintain reasonable security procedures to protect personal information once collected, and misrepresenting whether certain registration information submitted by consumers would be encrypted.

In addition to paying a $650,000 fine, the company will be obligated to comply with COPPA requirements, implement a comprehensive data security program and undergo a third party audit every two years.

Pahl said considerations such as the company’s “degree of culpability, the history of prior conduct, the company’s ability to pay, the effect of their ability to pay and continue business” were among considerations in deciding the monetary settlement. Pahl added that the settlement was thought to reflect the seriousness of the obligations.

In a statement for the company, Allan Wong, chairman and group CEO of VTech Holdings Limited said, "We are pleased to settle this two-year-old investigation by the FTC." Wong added, "Following the cyber attack incident, we updated our data security policy and adopted rigorous measures to strengthen the protection of our customers' data. We also took steps to address the technical notice and consent issues under COPPA."

As for the FTC's future enforcement efforts, Pahl said, “Certainly privacy and data security, particularly when it comes to products that deal with children’s information, remains a priority for us,” adding, “This is an area that deserves a lot of scrutiny and we will continue to look at it.” 

photo credit: eli.pousson via photopincc