IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

Published on JD Supra on January 19, 2018

In “IoT Device Companies:  Add COPPA to Your “To Do” Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be subject to the Children’s Online Privacy Protection Act (COPPA) and may face increased scrutiny from the FTC with respect to their data collection practices.  That warning became a harsh reality for VTech Electronics Limited (VTech), which recently entered into a settlement with the FTC to, among other things, pay $650,000 for alleged violations of COPPA and the FTC Act.

The Department of Justice, on behalf of the FTC, filed a complaint against VTech alleging that the Kid Connect application embedded in a variety of online platforms and portable devices distributed by VTech collected personal information from hundreds of thousands of children, without providing the requisite direct notice of VTech’s information practices to parents; and without obtaining verifiable consent to the collection of the information from parents, both as required by COPPA.  In addition, the FTC stated that VTech’s data security measures to protect the information it had collected were neither reasonable, nor appropriate to satisfy the requirements of COPPA.  The complaint further alleged deceptive practices by VTech in connection with statements in its privacy policy relating to whether VTech encrypted collected data.


COPPA requires that any company which collects personal information online from children under the age of 13 must: 1) have a privacy policy which clearly and completely discloses to parents what information is collected, how the collected information will be used and what the parent’s rights are with respect to modifying or deleting the information; 2) obtain verifiable consent from the parent to the collection and intended use; and 3) take reasonable measures to protect the security and confidentiality of the obtained information.  VTech required parents to provide personal information, including the parent’s name and email address, as well as the child’s name, gender and date of birth when signing up for platforms or devices leveraging the Kid Connect application.  However, The FTC found various violations of COPPA in VTech’s practices.  Alleged violations of COPPA are detailed below, along with key takeaways for IoT companies.

Violation: Although VTech had a privacy policy in place, it was posted only on certain registration pages, which violated COPPA’s requirement to provide a direct notice of its policies to parents.  The FTC asserted that VTech failed to provide the required direct and clear link to its information practices, because the link to the VTech privacy policy was not posted in each place where children’s information was collected and on the landing screen of the application.

Lesson:  Post frequent and prominent links to the company’s privacy policy in each and every location where the information is collected, as well as on the home/landing page for each service.  Note that information may be collected during initial sign up or subscription, at log in and/or account set up screens and during play or use on platforms devices.

Violation:  The FTC alleged that VTech failed to provide complete notice of its information collection and intended use practices.  COPPA requires organizations, among other things, to post their physical and email address, a full description of the information collected from children, as well as information about the parents’ rights to modify, review and delete their children’s information.   VTech failed to provide a complete description of collection practices and intended uses.

Lesson:  Ensure that privacy policies provide a complete and accurate description of how data is collected and used.  In the VTech case, multiple platforms and devices connecting to the application collected different data elements and provided different functionality.  For example, some devices permitted chatting with authorized contacts and briefly stored recordings of such chats and messages, whereas other platforms simply stored names, addresses and gender.  It is critical that the privacy policy completely explains each and every use.

Violation:  In its complaint, the FTC noted that VTech also failed to have a mechanism in place to verify that the registrant was a parent and not a child, thereby failing to obtain verifiable consent from the parents prior to collecting the information.

Lesson:  IoT companies must use available technology to be reasonably certain that the person providing the consent is, in fact, a parent.  There are a variety of FTC- approved methodologies, including knowledge based questions and facial recognition technologies.  Note that consent should be obtained again if an organization institutes any material change to previously consented to collection or use practices.

Violation:  VTech allegedly failed to implement adequate security measures to protect stored and transmitted information as required by COPPA.  The FTC noted weaknesses in VTech’s overall security program, which included inadequate training of employees as to information security requirements, and lack of penetration testing.  Specifically, the FTC identified VTech’s failure to institute an intrusion prevention or detection system, so that VTech would be apprised of any unauthorized attempted or actual breaches of its network.  In fact, VTech only learned of the intrusion and access to consumer information in November, 2015, from a journalist.  VTech also failed to monitor for or to identify the extraction of the children’s information across the VTech network boundaries.  Finally, VTech stored certain information in a manner that linked that information to a parent’s name and physical address, and failed to encrypt certain pieces of information, both of which could identify a child to a hacker.

Lesson:  Information and data security is a constantly evolving obligation, and it is critical that each company collecting information online stay up to date on current technologies.   The FTC noted that there were available intrusion measures which VTech could have implemented.  In addition, companies should regularly test the effectiveness of their current administrative practices and procedures and ensure that proper training is in place for new and current employees.


In addition to the alleged violations of COPPA, the FTC accused VTech of engaging in deceptive practices in violation of the FTC Act, by implying in its privacy policy that the personal information submitted by the parents would be encrypted.  VTech’s privacy policy stated that, “in most cases” the data provided would be encrypted.  In practice, however, VTech did not encrypt the collected information.


The action brought against VTech is the first such action before the FTC with respect to Internet-connected toys, and may signal a shift in focus by the FTC toward greater scrutiny for IoT device companies marketing to children.  Acting FTC Chairman Maureen K. Ohlhausen noted that, “As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data.”  In addition to paying the $650,000 penalty, VTech must create and implement a comprehensive data security program (to be independently audited for 20 years), provide compliance reporting to the FTC and is enjoined from further violations of COPPA or misstatements of its privacy policies in the future.  Now more than ever, it is critical that IoT device companies review their posted policies and practices with respect to all personal information collected from or about children under the age of 13: 1) to ensure that such policies are clear and complete; 2) the parents receive direct and full access to the entirety of the policies; 3) verifiable consent is obtained from the parents; and 4) the companies’ information security measures and policies are adequate to guard against and promptly identify any breaches with respect to collected information.

Skip to content