Electronic toymaker VTech Technologies got a costly learning experience Monday — a $650,000 penalty for failing to get verifiable parental consent before collecting and using personal information from hundreds of thousands of U.S. children.
The Hong Kong-based company and its North America subsidiary in Arlington Heights, Illinois were also ordered to comply with a U.S. privacy law, strengthen its data security safeguards, and submit to outside security audits, the Federal Trade Commission said in the federal regulator’s first privacy and security case involving electronically connected toys.
“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” Acting FTC Chair Maureen Ohlhausen said in a statement issued with the settlement. “Unfortunately, VTech fell short in both of these areas.”
Corporate parent firm VTech Holdings issued a statement saying it was pleased with the settlement.
“Following the cyber attack incident, we updated our data security policy and adopted rigorous measures to strengthen the protection of our customers’ data. We also took steps to address the technical notice and consent issues, ” said Allan Wong, the company’s chairman and group CEO.
The settlement capped a nearly two-year investigation that focused on privacy concerns about collection and safety of children’s personal data in the growing digital toy sector. Sales of smart toys are projected to reach $15.5 billion in revenues by 2022, Tom Pahl, acting director of the FTC’s consumer protection bureau, said during a conference call with news reporters.
The FTC has received complaints about similar problems with other companies but is barred from discussing ongoing investigations, he said.
The FTC started investigating VTech in late 2015 after the company disclosed details of a cyberattack that exposed the name, gender, birth date and other personal data for an estimated 6.4 million youngsters who used the subsidiary companies’ interactive easels, online games, electronic tablets, and other popular digital products marketed for children of ages 3 to 9.
Although the breach affected data of children in many countries, the U.S. accounted for the largest group of children affected by the breach.
VTech also said the breach exposed identifying data for an estimated 4.9 million adults, including many parents who registered their children for the company’s digital toys.
FTC investigators determined that the company violated the federal Children’s Online Privacy Protection Act by failing to provide direct notice to parents or obtain verifiable consent about the VTech’s data collection practices.
An FTC complaint filed in Illinois federal court said the company collected personal information from parents on its Learning Lodge Navigator online platform, where VTech’s Kid Connect app was available for downloads. The company collected similar information from its now-closed web-based gaming and chat platform known as Planet VTech, the complaint charged.
Kid Connect enables children to communicate with other youngsters who also have the app, or with adults who download the adult version of the app, the complaint charged. Parents who wanted Kid Connect access for their children had to submit their full name, physical address, email address, and password, along with their children’s names, birth dates, and gender.
As of Nov. 2015, approximately 485,000 U.S. consumers had created Kid Connect accounts for nearly 638,000 children, the complaint alleged. Approximately 134,000 U.S. parents similarly had created Planet VTech accounts for 130,000 children by Nov. 2015, the complaint charged.
Along with failing to get verifiable parental consent about VTech’s data collection and usage practices, the company falsely stated that most personal information collected through Learning Lodge and Planet VTech would be encrypted for security purposes, the FTC alleged. None of the information was encrypted, the court complaint alleged.
Additionally, VTech failed to protect the data with reasonable security safeguards, the FTC alleged.
“This case shines a light on the growing market for children’s electronic products and services,” said Pahl. “As parents buy these products and services this holiday season and beyond, they have the opportunity to compare not only the prices and services offered but also the companies’ stewardship of their kids’ data.”
Follow USA TODAY reporter Kevin McCoy on Twitter: @kmccoynyc