IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

by Patrick Law Group, LLC
Contact

In “IoT Device Companies:  Add COPPA to Your "To Do" Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be subject to the Children’s Online Privacy Protection Act (COPPA) and may face increased scrutiny from the FTC with respect to their data collection practices.  That warning became a harsh reality for VTech Electronics Limited (VTech), which recently entered into a settlement with the FTC to, among other things, pay $650,000 for alleged violations of COPPA and the FTC Act.

The Department of Justice, on behalf of the FTC, filed a complaint against VTech alleging that the Kid Connect application embedded in a variety of online platforms and portable devices distributed by VTech collected personal information from hundreds of thousands of children, without providing the requisite direct notice of VTech’s information practices to parents; and without obtaining verifiable consent to the collection of the information from parents, both as required by COPPA.  In addition, the FTC stated that VTech’s data security measures to protect the information it had collected were neither reasonable, nor appropriate to satisfy the requirements of COPPA.  The complaint further alleged deceptive practices by VTech in connection with statements in its privacy policy relating to whether VTech encrypted collected data.

COPPA

COPPA requires that any company which collects personal information online from children under the age of 13 must: 1) have a privacy policy which clearly and completely discloses to parents what information is collected, how the collected information will be used and what the parent’s rights are with respect to modifying or deleting the information; 2) obtain verifiable consent from the parent to the collection and intended use; and 3) take reasonable measures to protect the security and confidentiality of the obtained information.  VTech required parents to provide personal information, including the parent’s name and email address, as well as the child’s name, gender and date of birth when signing up for platforms or devices leveraging the Kid Connect application.  However, The FTC found various violations of COPPA in VTech’s practices.  Alleged violations of COPPA are detailed below, along with key takeaways for IoT companies.

Violation: Although VTech had a privacy policy in place, it was posted only on certain registration pages, which violated COPPA’s requirement to provide a direct notice of its policies to parents.  The FTC asserted that VTech failed to provide the required direct and clear link to its information practices, because the link to the VTech privacy policy was not posted in each place where children’s information was collected and on the landing screen of the application.

Lesson:  Post frequent and prominent links to the company’s privacy policy in each and every location where the information is collected, as well as on the home/landing page for each service.  Note that information may be collected during initial sign up or subscription, at log in and/or account set up screens and during play or use on platforms devices. 

Violation:  The FTC alleged that VTech failed to provide complete notice of its information collection and intended use practices.  COPPA requires organizations, among other things, to post their physical and email address, a full description of the information collected from children, as well as information about the parents’ rights to modify, review and delete their children’s information.   VTech failed to provide a complete description of collection practices and intended uses. 

Lesson:  Ensure that privacy policies provide a complete and accurate description of how data is collected and used.  In the VTech case, multiple platforms and devices connecting to the application collected different data elements and provided different functionality.  For example, some devices permitted chatting with authorized contacts and briefly stored recordings of such chats and messages, whereas other platforms simply stored names, addresses and gender.  It is critical that the privacy policy completely explains each and every use.

Violation:  In its complaint, the FTC noted that VTech also failed to have a mechanism in place to verify that the registrant was a parent and not a child, thereby failing to obtain verifiable consent from the parents prior to collecting the information. 

Lesson:  IoT companies must use available technology to be reasonably certain that the person providing the consent is, in fact, a parent.  There are a variety of FTC- approved methodologies, including knowledge based questions and facial recognition technologies.  Note that consent should be obtained again if an organization institutes any material change to previously consented to collection or use practices.

Violation:  VTech allegedly failed to implement adequate security measures to protect stored and transmitted information as required by COPPA.  The FTC noted weaknesses in VTech’s overall security program, which included inadequate training of employees as to information security requirements, and lack of penetration testing.  Specifically, the FTC identified VTech’s failure to institute an intrusion prevention or detection system, so that VTech would be apprised of any unauthorized attempted or actual breaches of its network.  In fact, VTech only learned of the intrusion and access to consumer information in November, 2015, from a journalist.  VTech also failed to monitor for or to identify the extraction of the children’s information across the VTech network boundaries.  Finally, VTech stored certain information in a manner that linked that information to a parent’s name and physical address, and failed to encrypt certain pieces of information, both of which could identify a child to a hacker.

Lesson:  Information and data security is a constantly evolving obligation, and it is critical that each company collecting information online stay up to date on current technologies.   The FTC noted that there were available intrusion measures which VTech could have implemented.  In addition, companies should regularly test the effectiveness of their current administrative practices and procedures and ensure that proper training is in place for new and current employees.

FTC Act

In addition to the alleged violations of COPPA, the FTC accused VTech of engaging in deceptive practices in violation of the FTC Act, by implying in its privacy policy that the personal information submitted by the parents would be encrypted.  VTech’s privacy policy stated that, “in most cases” the data provided would be encrypted.  In practice, however, VTech did not encrypt the collected information. 

Conclusion

The action brought against VTech is the first such action before the FTC with respect to Internet-connected toys, and may signal a shift in focus by the FTC toward greater scrutiny for IoT device companies marketing to children.  Acting FTC Chairman Maureen K. Ohlhausen noted that, “As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data.”  In addition to paying the $650,000 penalty, VTech must create and implement a comprehensive data security program (to be independently audited for 20 years), provide compliance reporting to the FTC and is enjoined from further violations of COPPA or misstatements of its privacy policies in the future.  Now more than ever, it is critical that IoT device companies review their posted policies and practices with respect to all personal information collected from or about children under the age of 13: 1) to ensure that such policies are clear and complete; 2) the parents receive direct and full access to the entirety of the policies; 3) verifiable consent is obtained from the parents; and 4) the companies’ information security measures and policies are adequate to guard against and promptly identify any breaches with respect to collected information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patrick Law Group, LLC | Attorney Advertising

Written by:

Patrick Law Group, LLC
Contact
more
less

Patrick Law Group, LLC on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.