VTech Pays $650,000 to Settle Child Privacy Claims

Get Legal Help Today

 Secured with SHA-256 Encryption

Jeffrey Johnson is a legal writer with a focus on personal injury. He has worked on personal injury and sovereign immunity litigation in addition to experience in family, estate, and criminal law. He earned a J.D. from the University of Baltimore and has worked in legal offices and non-profits in Maryland, Texas, and North Carolina. He has also earned an MFA in screenwriting from Chapman Univer...

Full Bio →

Written by

UPDATED: Jan 23, 2018

Advertiser Disclosure

It’s all about you. We want to help you make the right legal decisions.

We strive to help you make confident insurance and legal decisions. Finding trusted and reliable insurance quotes and legal advice should be easy. This doesn’t influence our content. Our opinions are our own.

Editorial Guidelines: We are a free online resource for anyone interested in learning more about legal topics and insurance. Our goal is to be an objective, third-party resource for everything legal and insurance related. We update our site regularly, and all content is reviewed by experts.

Kid on ComputerVTech Electronics, a maker of children’s toys, has agreed to pay $650,000 to settle charges that it collected data on children without their parents’ consent.

VTech, a Hong Kong company with a US subsidiary, was also charged with failing to keep that data safe from hackers.

The US Department of Justice filed suit against VTech on behalf of the Federal Trade Commission (FTC) on January 8.

The suit charged that VTech violated various federal laws including the Children’s Online Privacy Protection Act of 1998 (COPPA).

COPPA

As the complaint notes,

Congress enacted COPPA in 1998 to protect the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children’s personal information online by operators of Internet Web sites and online services.

VTech sells products including “electronic learning products,” or ELPs. They also provide online games and apps.

One of the apps is called Kid Connect, which is intended to be used by children on a VTech ELP. Children can use the app to communicate with other children who have the app — and with adults who download the adult version of the app.

As of November of 2015, about 638,000 children were using Kid Connect accounts.

Learning Lodge

In order to create a Kid Connect account, parents had to register for Learning Lodge. They had to submit the parents full name, physical address, email address, password, secret question and answer, and the name, gender, and birthdate of the child being registered.

COPPA rules define personal information to include names, a physical address, and email.

COPPA rules require that the operator of a child-oriented website must meet special requirements before colleting, using, or disclosing personal information about children.

The website operators must:

  • post a privacy policy that explains what information is collected from children and how it’s used
  • obtain verifiable parental consent before collecting and using information from children
  • establish reasonable procedures to protect the collected information

The complaint charged that VTech violated COPPA in various ways, including:

  • Failing to link to the privacy policy in each area of Kid Connect where children’s personal information was collected
  • Not fully describing the information that was being collected from children
  • Failing to provide information about parents’ rights to review or delete a child’s personal information

Lack of Encryption

None of the submitted data was encrypted, even though VTech’s Privacy Policy included the following statement:

In most cases, if you submit your PII [personally identifiable information] to VTech directly through the Web Services it will be transmitted encrypted to protect your privacy using HTTPS encryption technology. Any Registration Data submitted in conjunction with encrypted PII will also be transmitted encrypted.

The FTC charged that this statement was thus  false and misleading.

VTech had no system in place to verify that the person setting up an account was a parent rather than a child.

Hack Attack

The complaint also charged that VTech learned in November of 2015 that a hacker had gotten into the company’s computer network and obtained personal information about children who used Kid Connect.

The information was sufficient to find photos of children and their home addresses.

Enforcement

The New York Times reported that this was the first enforcement action by the FTC against a company that made internet-connected toys.

VTech said that it had updated its data security policy in the wake of the hack attack.

Get Legal Help Today

Find the right lawyer for your legal issue.

 Secured with SHA-256 Encryption