5th Edition: Trends in Marketing Communications Law
After a resoundingly quiet 2017, the Federal Trade Commission (FTC) started 2018 with a bang, announcing two back-to-back settlements with companies alleged to have violated the Children’s Online Privacy Protection Act (COPPA).
The FTC’s action against VTech Electronics Limited (VTech), the provider of digital learning games and the operator of the “Kid Connect” app for children, marks the FTC’s first-ever COPPA case involving connected toys. In 2015, VTech learned that a hacker had breached its network and accessed its customers’ personal information, including the personal information of many children. According to the FTC, the children’s personal information was linked to their parent’s registration data (such as home address), and none of this data was encrypted. The FTC alleged that VTech’s collection of personal information from children without appropriate parental notice and consent, and its failure to take reasonable steps to secure the data it collected, violated COPPA.
Shortly after the VTech settlement, the FTC announced its settlement with Prime Sites, Inc., operating as Explore Talent (Explore), an online talent search network for aspiring actors and models. According to the FTC, between 2014 and 2016, over 100,000 of its registered users were under 13 years of age. While Explore’s privacy policy stated that it did not knowingly collect personal information from children under 13, and that such children’s profiles must be created by a parent, the FTC claimed that this policy was not accurate. According to the FTC, Explore violated COPPA by failing to prominently display its privacy policy; describe its information collection and disclosure practices; and obtain verifiable parental consent prior to collecting, using or disclosing children’s personal information.
The FTC is not the only entity enforcing COPPA. Indeed, last summer, Viacom and Disney were both sued in class action lawsuits alleging that their child-directed mobile apps and games violated children’s privacy rights by tracking, collecting and exporting user data for behavioral advertising purposes without parental consent. Even the FBI published its own COPPA guidance in 2017, issuing a public service announcement cautioning that smart toys and other connected devices may present a cybersecurity risk insofar as they contain sensors, microphones, cameras, data storage components and other multimedia functions with speech recognition and GPS capability, all of which put the privacy and safety of children at risk as large amounts of personal information may be unwittingly disclosed in the absence of proper data security protections.
Key Takeaways
- To fully comply with COPPA, operators’ privacy policies should be prominently displayed, meaningfully disclose information collection and usage practices and adequately notify parents about information collected from children.
- Connected toys, apps and games must comply with COPPA and should incorporate data security technologies to protect children’s personal information from hackers and data breaches.
- Remember that the FTC is not the only entity enforcing COPPA, as state regulators, prosecutors and consumer class action plaintiffs are bringing their own COPPA enforcement actions.