IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

Jan 19, 2018

By Jennifer Thompson


See all of Our JDSupra Posts by Clicking the Badge Below

View Patrick Law Group, LLC

In “IoT Device Companies:  Add COPPA to Your “To Do” Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be subject to the Children’s Online Privacy Protection Act (COPPA) and may face increased scrutiny from the FTC with respect to their data collection practices.  That warning became a harsh reality for VTech Electronics Limited (VTech), which recently entered into a settlement with the FTC to, among other things, pay $650,000 for alleged violations of COPPA and the FTC Act.

The Department of Justice, on behalf of the FTC, filed a complaint against VTech alleging that the Kid Connect application embedded in a variety of online platforms and portable devices distributed by VTech collected personal information from hundreds of thousands of children, without providing the requisite direct notice of VTech’s information practices to parents; and without obtaining verifiable consent to the collection of the information from parents, both as required by COPPA.  In addition, the FTC stated that VTech’s data security measures to protect the information it had collected were neither reasonable, nor appropriate to satisfy the requirements of COPPA.  The complaint further alleged deceptive practices by VTech in connection with statements in its privacy policy relating to whether VTech encrypted collected data.

COPPA

COPPA requires that any company which collects personal information online from children under the age of 13 must: 1) have a privacy policy which clearly and completely discloses to parents what information is collected, how the collected information will be used and what the parent’s rights are with respect to modifying or deleting the information; 2) obtain verifiable consent from the parent to the collection and intended use; and 3) take reasonable measures to protect the security and confidentiality of the obtained information.  VTech required parents to provide personal information, including the parent’s name and email address, as well as the child’s name, gender and date of birth when signing up for platforms or devices leveraging the Kid Connect application.  However, The FTC found various violations of COPPA in VTech’s practices.  Alleged violations of COPPA are detailed below, along with key takeaways for IoT companies.

Violation: Although VTech had a privacy policy in place, it was posted only on certain registration pages, which violated COPPA’s requirement to provide a direct notice of its policies to parents.  The FTC asserted that VTech failed to provide the required direct and clear link to its information practices, because the link to the VTech privacy policy was not posted in each place where children’s information was collected and on the landing screen of the application.

Lesson:  Post frequent and prominent links to the company’s privacy policy in each and every location where the information is collected, as well as on the home/landing page for each service.  Note that information may be collected during initial sign up or subscription, at log in and/or account set up screens and during play or use on platforms devices.

Violation:  The FTC alleged that VTech failed to provide complete notice of its information collection and intended use practices.  COPPA requires organizations, among other things, to post their physical and email address, a full description of the information collected from children, as well as information about the parents’ rights to modify, review and delete their children’s information.   VTech failed to provide a complete description of collection practices and intended uses.

Lesson:  Ensure that privacy policies provide a complete and accurate description of how data is collected and used.  In the VTech case, multiple platforms and devices connecting to the application collected different data elements and provided different functionality.  For example, some devices permitted chatting with authorized contacts and briefly stored recordings of such chats and messages, whereas other platforms simply stored names, addresses and gender.  It is critical that the privacy policy completely explains each and every use.

Violation:  In its complaint, the FTC noted that VTech also failed to have a mechanism in place to verify that the registrant was a parent and not a child, thereby failing to obtain verifiable consent from the parents prior to collecting the information.

Lesson:  IoT companies must use available technology to be reasonably certain that the person providing the consent is, in fact, a parent.  There are a variety of FTC- approved methodologies, including knowledge based questions and facial recognition technologies.  Note that consent should be obtained again if an organization institutes any material change to previously consented to collection or use practices.

Violation:  VTech allegedly failed to implement adequate security measures to protect stored and transmitted information as required by COPPA.  The FTC noted weaknesses in VTech’s overall security program, which included inadequate training of employees as to information security requirements, and lack of penetration testing.  Specifically, the FTC identified VTech’s failure to institute an intrusion prevention or detection system, so that VTech would be apprised of any unauthorized attempted or actual breaches of its network.  In fact, VTech only learned of the intrusion and access to consumer information in November, 2015, from a journalist.  VTech also failed to monitor for or to identify the extraction of the children’s information across the VTech network boundaries.  Finally, VTech stored certain information in a manner that linked that information to a parent’s name and physical address, and failed to encrypt certain pieces of information, both of which could identify a child to a hacker.

Lesson:  Information and data security is a constantly evolving obligation, and it is critical that each company collecting information online stay up to date on current technologies.   The FTC noted that there were available intrusion measures which VTech could have implemented.  In addition, companies should regularly test the effectiveness of their current administrative practices and procedures and ensure that proper training is in place for new and current employees.

FTC Act

In addition to the alleged violations of COPPA, the FTC accused VTech of engaging in deceptive practices in violation of the FTC Act, by implying in its privacy policy that the personal information submitted by the parents would be encrypted.  VTech’s privacy policy stated that, “in most cases” the data provided would be encrypted.  In practice, however, VTech did not encrypt the collected information.

Conclusion

The action brought against VTech is the first such action before the FTC with respect to Internet-connected toys, and may signal a shift in focus by the FTC toward greater scrutiny for IoT device companies marketing to children.  Acting FTC Chairman Maureen K. Ohlhausen noted that, “As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data.”  In addition to paying the $650,000 penalty, VTech must create and implement a comprehensive data security program (to be independently audited for 20 years), provide compliance reporting to the FTC and is enjoined from further violations of COPPA or misstatements of its privacy policies in the future.  Now more than ever, it is critical that IoT device companies review their posted policies and practices with respect to all personal information collected from or about children under the age of 13: 1) to ensure that such policies are clear and complete; 2) the parents receive direct and full access to the entirety of the policies; 3) verifiable consent is obtained from the parents; and 4) the companies’ information security measures and policies are adequate to guard against and promptly identify any breaches with respect to collected information.

OTHER THOUGHT LEADERSHIP POSTS:

GDPR Compliance and Blockchain: The French Data Protection Authority Offers Initial Guidance

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below The French Data Protection Authority (“CNIL”) recently became the first data protection authority to provide guidance as to how the European Union’s General Data Protection Regulation (“GDPR”)...

D-Link Continues Challenges to FTC’s Data Security Authority

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below On September 21, 2018, the FTC and D-Link Systems Inc. each filed a motion for summary judgement in one of the most closely watched recent enforcement actions in privacy and data security law (FTC...

Good, Bad or Ugly? Implementation of Ethical Standards In the Age of AI

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below With the explosion of artificial intelligence (AI) implementations, several technology organizations have established AI ethics teams to ensure that their respective and myriad uses across...

IoT Device Companies: The FTC is Monitoring Your COPPA Data Deletion Duties and More

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below Recent Federal Trade Commission (FTC) activities with respect to the Children’s Online Privacy Protection Act (COPPA) demonstrate a continued interest in, and increased scrutiny of,...

Predictive Algorithms in Sentencing: Are We Automating Bias?

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below Although algorithms are often presumed to be objective and unbiased, recent investigations into algorithms used in the criminal justice system to predict recidivism have produced compelling...

My Car Made Me Do It: Tales from a Telematics Trial

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below Recently, my automobile insurance company gauged my interest in saving up to 20% on insurance premiums.  The catch?  For three months, I would be required to install a plug-in monitor that...

When Data Scraping and the Computer Fraud and Abuse Act Collide

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below As the volume of data available on the internet continues to increase at an extraordinary pace, it is no surprise that many companies are eager to harvest publicly available data for their own use...

Is Your Bug Bounty Program Uber Risky?

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In October 2016, Uber discovered that the personal contact information of some 57 million Uber customers and drivers, as well as the driver’s license numbers of over 600,000 United States...

IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In “IoT Device Companies:  Add COPPA to Your "To Do" Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be...

Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to...