The US Federal Trade Commission (FTC) revealed on Monday that connected toymaker VTech has agreed to pay a civil penalty of $650,000 to settle a privacy lawsuit.
The FTC claimed the Hong Kong-headquartered firm collected the personal information of hundreds of thousands of children without providing a direct notice to parents, obtaining their consent or properly securing said data.
Under the US Children’s Online Privacy Protection Act (COPPA), firms collecting such data from children under 13 must notify parents directly and obtain their consent first.
VTech is said to have collected personal info from parents on its Learning Lodge Navigator online platform, which featured the Kid Connect app, and the now defunct Planet VTech gaming and chat platform.
Parents were required to give PII including their name and email address as well as their children’s name, date of birth and gender. Info was also collected from children when they played Kid Connect.
As of November 2015, around three million US children were registered with Learning Lodge and 630,000 with Kid Connect, while 130,000 kids had Planet VTech accounts set up, the FTC revealed.
The FTC also alleged that VTech failed to adequately protect this highly sensitive PII: it ran no intrusion detection or prevention system (IDS/IPS) that could have alerted it to unauthorized access, and its privacy policy misrepresented its security practices. The policy claimed most PII submitted would be encrypted when in fact none of it was, a misrepresentation the FTC treated as deceptive.
This security fail was to come back to bite VTech in November 2015 after an “unauthorized party” accessed customer data — apparently after exploiting a simple SQL injection flaw.
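The article does not describe the VTech flaw itself, so the following is an added, generic illustration (not VTech’s code and not from the original report) of what a "simple SQL injection" looks like and what the standard fix is. It places a lookup built by string concatenation beside the same lookup using a bound parameter, and runs both against a constructed in-memory SQLite table holding a few fictional parent records of the kind the article says were collected; the table name, column names and sample rows are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example: fictional parent records standing in
# for the name and e-mail PII the article describes. Not real VTech data.
SAMPLE_PARENTS = [
    ("alice", "Alice Example", "alice@example.com"),
    ("bob", "Bob Example", "bob@example.com"),
    ("carol", "Carol Example", "carol@example.com"),
]

# Classic tautology payload: closes the quoted string and appends an always-true clause.
INJECTION = "nobody' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database with the assumed 'parents' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parents (username TEXT, full_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO parents VALUES (?, ?, ?)", SAMPLE_PARENTS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the user-supplied value is pasted into the SQL text.

    Whatever the caller sends is parsed as part of the statement, so a value
    containing a quote can change the WHERE clause.
    """
    sql = "SELECT full_name, email FROM parents WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the value is passed as a bound parameter.

    The statement text is fixed; the driver hands the value to the engine as
    data, so quotes or SQL keywords in it are never interpreted as SQL.
    """
    sql = "SELECT full_name, email FROM parents WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal username and with the injection payload."""
    conn = make_db()
    try:
        return {
            "vulnerable_normal": lookup_vulnerable(conn, "alice"),
            "vulnerable_injected": lookup_vulnerable(conn, INJECTION),
            "safe_normal": lookup_parameterized(conn, "alice"),
            "safe_injected": lookup_parameterized(conn, INJECTION),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

With the payload, the concatenated version returns every row in the table (the whole "customer data" set, in the article’s terms), while the parameterized version returns nothing because no account is literally named `nobody' OR '1'='1`. A bulk dump like this is also the kind of anomalous access that the intrusion detection the FTC said VTech lacked is meant to flag.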
The firm angered customers months later when it changed its Terms & Conditions in an apparent attempt to shift liability for future incidents onto its customers.
The FTC statement concluded:
“In addition to the monetary settlement, VTech is permanently prohibited from violating COPPA in the future and from misrepresenting its security and privacy practices as part of the proposed settlement. It also is required to implement a comprehensive data security program, which will be subject to independent audits for 20 years.”