Vtech settles FTC lawsuit over children's data privacy

Two years ago, kids electronics maker Vtech suffered a data breach that exposed the personal info of five million customers (over half of whom were not adults). Naturally, the DOJ on behalf of the FTC brought a lawsuit against the company for violating online privacy laws for children, becoming the first such case involving Internet-connected toys. Today, Vtech agreed to pay a $650,000 fine as part of a settlement with the FTC.

Back in 2015, a hacker had broken in to Vtech's systems and taken data from users who had registered accounts on the company's 'Learning Lodge' app store. The DOJ complaint filed on behalf of the FTC that Vtech failed to directly notify product owners (i.e. parents) that they were storing data from users (i.e. children), nor collect the former's consent to do so. Thus, the company violated the Children's Online Privacy Protection Act (COPPA). The FTC also accused Vtech of failing to protect the data it acquired.

The settled fine against Vtech is roughly similar to the $700,000 punishment New York and Vermont attorneys general served to the Hilton hotel chain, which experienced a data breach that exposed credit card numbers. Vtech's poor security didn't result in the disclosure of financial data, but it did release names, dates of birth and gender of children. Heck, its privacy policy stated that all the information submitted would be encrypted, which was a lie, according to the FTC's statement announcing the settlement. As part of the deal, Vtech must implement a 'comprehensive data security program' that will be audited annually for the next 20 years.