5th Edition: Trends in Marketing Communications Law
After a resoundingly quiet 2017, the Federal Trade Commission (FTC) started 2018 with a bang, announcing two back-to-back settlements with companies alleged to have violated the Children’s Online Privacy Protection Act (COPPA).
The FTC’s action against VTech Electronics Limited (VTech), the provider of digital learning games and the operator of the “Kid Connect” app for children, marks the FTC’s first-ever COPPA case involving connected toys. In 2015, VTech learned that a hacker had breached its network and accessed its customers’ personal information, including the personal information of many children. According to the FTC, the children’s personal information was linked to their parent’s registration data (such as home address), and none of this data was encrypted. The FTC alleged that VTech’s collection of personal information from children without appropriate parental notice and consent, and its failure to take reasonable steps to secure the data it collected, violated COPPA.
The FTC is not the only entity enforcing COPPA. Indeed, last summer, Viacom and Disney were both sued in class action lawsuits alleging that their child-directed mobile apps and games violated children’s privacy rights by tracking, collecting and exporting user data for behavioral advertising purposes without parental consent. Even the FBI published its own COPPA guidance in 2017, issuing a public service announcement cautioning that smart toys and other connected devices may present a cybersecurity risk insofar as they contain sensors, microphones, cameras, data storage components and other multimedia functions with speech recognition and GPS capability, all of which put the privacy and safety of children at risk as large amounts of personal information may be unwittingly disclosed in the absence of proper data security protections.
- To fully comply with COPPA, operators’ privacy policies should be prominently displayed, meaningfully disclose information collection and usage practices and adequately notify parents about information collected from children.
- Connected toys, apps and games must comply with COPPA and should incorporate data security technologies to protect children’s personal information from hackers and data breaches.
- Remember that the FTC is not the only entity enforcing COPPA, as state regulators, prosecutors and consumer class action plaintiffs are bringing their own COPPA enforcement actions.