Children's Online Privacy: Privacy: Data security: Competition: Internet:
Safe WEB Act.
FTC, Bureau of Consumer Protection, Jan. 8, 2018.
Electronic toy manufacturer VTech Electronics Limited and its
U.S. subsidiary have agreed to settle charges by the Federal Trade Commission that the
company violated a U.S. children’s privacy law by collecting personal
information from children without providing direct notice and obtaining their
parent’s consent, and failing to take reasonable steps to secure the data it
collected. VTech will pay $650,000 as part of the settlement with the FTC.
In a complaint filed by the Department of
Justice on behalf of the FTC, the Commission alleges that the Kid
Connect app used with some of VTech’s electronic toys collected the personal
information of hundreds of thousands of children, and that the company failed
to provide direct notice to parents or obtain verifiable consent from parents
concerning its information collection practices, as required under the
Children’s Online Privacy Protection Act (COPPA). In its first children’s
privacy case involving Internet-connected toys, the FTC also alleges that VTech
failed to use reasonable and appropriate data security measures to protect
personal information it collected.
COPPA requires that companies collecting personal information from
children under 13 online follow steps to ensure that children’s information is
protected, including clearly disclosing to parents the information it collects,
how the information will be used, and seeking verifiable parental consent.
Companies also must take reasonable measures to protect the confidentiality,
security and integrity of the personal information they collect about children.
According to the complaint against VTech, the company collected personal
information from parents on its Learning Lodge Navigator online platform, where
the Kid Connect app was available for download, and also through a now-defunct
web-based gaming and chat platform called Planet VTech. Before using Kid
Connect or Planet VTech, parents were required to register and provide personal
information including their name, email address as well as their children’s
name, date of birth and gender. VTech also collected personal information from
children when they used the Kid Connect app.
With respect to Kid Connect, VTech failed to provide direct notice of
its information collection and use practices to parents and did not link to its
privacy policy in each area where personal information was collected from
children.
At the same time, the complaint alleges that the company did not take
reasonable steps to protect the information it collected through Kid Connect,
such as implementing adequate safeguards and security measures to protect
transmitted and stored information and implementing an intrusion prevention or
detection system to alert the company of an unauthorized intrusion of its
network. In November 2015, VTech was informed by a journalist that a hacker
accessed its computer network and personal information about consumers
including children who used its Kid Connect app.
The FTC also alleges that VTech violated the FTC Act by falsely stating
in its privacy policy that most personal information submitted by users through
the Learning Lodge and Planet VTech would be encrypted. The company, however,
did not encrypt any of this information.
In addition to the monetary settlement, VTech is permanently prohibited
from violating COPPA in the future and from misrepresenting its security and
privacy practices as part of the proposed settlement. It also is required to
implement a comprehensive data security program, which will be subject to
independent audits for 20 years.
The FTC collaborated with the Office of the Privacy Commissioner of
Canada, which is releasing its own Report of Findings. To facilitate
cooperation with its Canadian partner, the FTC relied on key provisions of the
U.S. SAFE WEB Act, which allows the FTC to share information with foreign
counterparts to combat deceptive and unfair practices that cross national
borders.
The Commission vote authorizing the staff to file the complaint and
stipulated final order was 2-0. The complaint and stipulated final order was
filed in the U.S. District Court for the Northern District of Illinois.
NOTE: The Commission files a complaint when it has “reason to believe”
that the law has been or is being violated and it appears to the Commission
that a proceeding is in the public interest. Stipulated final orders have the
force of law when approved and signed by the District Court judge.
Related Case
For Consumers
- Blog: If your kids have electronic devices, read this
- Protecting Your Child’s Privacy Online
- FTC.gov/OnGuardOnline
For Businesses
- Blog: VTech settlement cautions companies to keep COPPA-covered data secure
- Children’s Privacy
- Data Security
No comments:
Post a Comment