IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement
In “IoT Device Companies: Add COPPA to Your ‘To Do’ Lists,” I summarized the Federal Trade Commission (FTC)’s June 2017 guidance that IoT companies selling devices used by children are subject to the Children’s Online Privacy Protection Act (COPPA) and may face increased FTC scrutiny of their data collection practices. That warning became a harsh reality for VTech Electronics Limited (VTech), which recently entered into a settlement with the FTC under which it will, among other things, pay $650,000 for alleged violations of COPPA and the FTC Act.
Violation: The FTC alleged that VTech failed to provide complete notice of its information collection and intended use practices. COPPA requires organizations, among other things, to post their physical address and email address, a full description of the information collected from children and how it will be used, and a description of the parents’ rights to review, modify and delete their children’s information. According to the complaint, VTech’s posted notice fell short of that standard: it did not fully describe what was collected or how it would be used.
Violation: In its complaint, the FTC also noted that VTech had no mechanism in place to verify that the registrant was a parent rather than a child, and therefore failed to obtain verifiable parental consent before collecting the information.
Lesson: IoT companies must use available technology to be reasonably certain that the person providing consent is, in fact, the parent. There are a variety of FTC-approved methods, including knowledge-based questions and face-matching against a verified photo ID. Note that consent must be obtained before any collection begins, and obtained again if an organization makes any material change to the collection or use practices the parent previously consented to.
Violation: VTech allegedly failed to implement adequate security measures to protect stored and transmitted information, as COPPA requires. The FTC cited weaknesses across VTech’s security program, including inadequate employee training on information security requirements and a lack of penetration testing. Specifically, the FTC identified VTech’s failure to deploy an intrusion prevention or detection system that would have alerted VTech to attempted or actual unauthorized access to its network. In fact, VTech only learned of the intrusion and the access to consumer information in November 2015, from a journalist. VTech also failed to monitor for, or detect, the exfiltration of children’s information across its network boundaries. Finally, VTech stored certain information in a manner that linked it to a parent’s name and physical address, and failed to encrypt certain pieces of information, either of which could allow an attacker to identify a child.
Lesson: Information and data security is a constantly evolving obligation, and it is critical that every company collecting information online stay current on available technologies. The FTC noted that intrusion detection and prevention tools were available and could have been implemented; note that detection must cover outbound traffic as well, since the FTC faulted VTech separately for not monitoring for exfiltration. In addition, companies should regularly test the effectiveness of their administrative practices and procedures, including through penetration testing, and ensure that proper training is in place for new and current employees.
The action against VTech is the first FTC action involving Internet-connected toys, and it may signal a shift toward greater FTC scrutiny of IoT device companies marketing to children. Acting FTC Chairman Maureen K. Ohlhausen noted that, “As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data.” In addition to paying the $650,000 penalty, VTech must create and implement a comprehensive data security program (subject to independent audits for 20 years), provide compliance reports to the FTC, and is enjoined from further violations of COPPA and from misrepresenting its privacy practices in the future. Now more than ever, it is critical that IoT device companies review their posted policies and practices with respect to all personal information collected from or about children under the age of 13 to ensure that: 1) the policies are clear and complete; 2) parents receive direct and full access to the entirety of those policies; 3) verifiable consent is obtained from parents before collection; and 4) the company’s information security measures and policies are adequate both to guard against breaches of the collected information and to promptly detect any breach that does occur.