Connected toys company VTech will pay $650,000 to settle charges that it violated children's privacy laws, the Federal Trade Commission said Monday.
The FTC's enforcement action, which largely stemmed from a November 2015 security breach, marks the first time the agency has brought a privacy and data security case involving connected toys.
"The FTC is re-affirming its longstanding commitment to protecting consumers' privacy and the security of their information," Tom Pahl, acting director of the FTC Bureau of Consumer Protection, said in a call with reporters. He added that the case "illustrates many of the FTC's priorities," including the protection of sensitive information and prevention of false or misleading claims.
The Hong Kong-based VTech allegedly collected data about children through the defunct platform Planet VTech and also through apps like Kid Connect. By November of 2015, Kid Connect had information including email addresses and other data for around 648,000 children, while Planet VTech held data for around 130,000 children, according to a complaint filed by the Department of Justice.
VTech said in its privacy policy that most personal information was transmitted in encryption form, according to the complaint. Instead, the government alleged, VTech failed to use encryption before transmitting a host of data -- including children's names, addresses, email addresses, passwords and birthdates and in some cases, photographs.
In November of 2015, hackers obtained the data of about 4.8 million parents and 200,000 children, including children's first names, genders, birthdays and photographs. While some of that data was stored in encrypted form, the hackers allegedly were able to access a database that held decryption keys, the complaint alleges.
VTech was accused of violating the Children's Online Privacy Protection Act, which requires companies to obtain parents' consent before collecting personal data about their children under the age of 13. That law also requires companies to post privacy policies that offer complete descriptions about the data that's collected give information about reviewing or deleting that data. The children's privacy law also requires companies to use reasonable data security practices to protect personal data.
In addition to the fine, VTech agreed to develop a data security program. The company did not admit to wrongdoing.