A hacker broke into the servers of toymaker VTech last month, compromising the personal information of millions of children and adults. While the consequences of the hack are still unclear, police now have a suspect. Authorities have arrested a 21-year-old man in the UK on suspicion of crimes related to unauthorized access to a computer, reports the BBC. “We are still at the early stages of the investigation and there is still much work to be done,” said officials in a statement.
On this past Monday, a class action lawsuit was filed in Superior Court in Los Angeles against Mattel and ToyTalk in their active roles promulgating the safety and privacy aspects of Hello Barbie. kidSAFE is also named under their role of COPPA safe haven. The lawsuit alleges unfair competition, negligence, unjust enrichment, and invasion of privacy. The plaintiffs so far are two little girls (and their mothers) who state that Hello Barbie is an “inherently dangerous product” and the information she gathers is unlawful and and the collection is negligent.
Plaintiff C.H. received the doll as a gift on December 2, 2015 from her mother Ashley Archer-Hayes. Plaintiff A.P. is a friend of C.H. and played with the doll at C.H.’s birthday party as did other party-goers. C.H. and her mother, Charity Johnson were not registered with ToyTalk or Mattel while they played with the doll allegedly “triggering” voice recording and cloud storage and the A.I. routines based on the recorded voice.
Plaintiff’s lawyers propose the following questions of law for certification in California and nationally:
- Whether Defendants failed to satisfy the requirements of COPPA;
- Whether Defendants’ conduct is an unlawful business act or practice within the meaning of Cal. Bus. & Prof. Code § 17200, et seq.;
- Whether Defendants have collected, used, or maintained recordings of children under 13 whose parents have not consented;
- Whether Defendants failed to reasonably prevent or detect recordings of children under 13 whose parents have not consented;
- Whether recordings of children under 13 whose parents have not consented have bee shared or sold to third parties by Defendants;
- Whether Defendants failed to notify affected individuals that their children had been recorded without their consent;
- Whether Defendants notified purchasers that they may only use the doll outside the presence of other children under 13;
- Whether Defendants’ conduct violated the causes of action herein alleged;
- Whether, as a result of Defendants’ conduct in this case, Plaintiffs have suffered ascertainable loss; and
- Whether Plaintiffs are entitled to monetary damages and/or other remedies, and, if so, the nature of any such relief.
Copy of the lawsuit (warning, large file to do processing and OCR): HelloBarbieComplaint.pdf
I’m think COPPA won’t be the lynch pin here. I think the dodge is the Actual Knowledge standard. COPPA doesn’t kick in unless the online site or service is aware that someone under 13 is using the service. C.H. is under COPPA and verified parental consent was obtained from her mother. “Actual Knowledge” is a huge loophole though I haven’t seen it used when”incidental” PII is captured.
The COPPA angle seems to be against common sense. A 13 year old may upload a video to a COPPA compliant website of his 10 year old brother playing video games. The 13 year old isn’t a parent but I’m sure the 10 year old doesn’t have to have verified parental consent else the video service is in trouble. Another example is smart phone created for a child under 13 where the child’s parent provided verified consent. Lets say the child handed the phone to another preteen who then snaps a selfie of their self. Is it a violation that the phone manufacturer should have known that the phone would come into contact with other children? Did C.H.’s mom have enough information provided by Mattel that would make her responsible for understanding what the doll does and therefore how it might gather info from other girls that enter the house?
The other causes of action might have more merit and they definitely can survive if COPPA gets knocked out. They include:
Violation of the Unfair Competition Law
Unjust Enrichment (they made money on the doll where they shouldn’t have)
Invasion of Privacy
David vs. Goliath:
The attorneys for the proposed class are not ambulance chases (though this lawsuit came together in a few days). They are big time tort and class action practitioners. The primary law-firm is Kirtland & Packard with 4 attorneys appearing in the case. There are three more in California, two in Florida, and one in Wilmington N.C. That’s 10 attorneys total
But will Mattel be toppled? I’ve always been concerned with the fact that they didn’t do all of the heavy lifting themselves. They are exporting a lot of risk to a third party that they are ultimately responsible for. Did Mattel’s lawyers didn’t think of this? The main thing that has made me think that Mattel was COPPA compliant was because they have better lawyers than the F.T.C.
This would be a massive screw-up. Forget the money or removing the doll from the marketplace, good will is paramount for them.
What happens next:
Mattel has 30 calendar days to respond to the lawsuit starting from December 7, 2015. They will likely motion for additional time which the Plaintiff’s lawyers will agree to out of courtesy. No danger for a market upset this Christmas. There’s also a chance that the case will be removed to Federal court which will make it easier for court watchers to keep an eye on it. If that happens then the laws of California will still prevail.
The long-term solution would be to have a notice explaining what can happen if the doll interacts with other children. Maybe it should say that the parent is responsible for how their children play with the dolls. But isn’t that common sense?
Blame Mattel or blame mom?
The lawsuit states that kidSAFE’s list (seals) do not included Hello Barbie but the doll seems to be listed here: http://www.kidsafeseal.com/certifiedproducts/toytalk_hellobarbie_device.html
Whisper started out as an anonymous, photo-based app where users could post text messages superimposed over images, typically secrets or confessions. Whisper has location functionality, but unlike Yik Yak, location is not necessarily a key feature. Earlier this year, Whisper rolled out a “Schools” feature that makes each user’s location more critical, especially for some young users.
Read more: @ ThirdParent A Look at the Whisper App’s Unsafe “Schools” Feature | ThirdParent
Parents may appreciate that — just like the Nabi DreamTab — the Elev-8 was built with COPPA rules in mind. Obeying the FTC’s Children’s Online Privacy Protection Act means that the Elev-8 does not collect data from children under age 13, and that none of their child’s data is shared with third parties.
CDD Executive Director Jeff Chester wrote in an email Thursday that child privacy advocates had scored a significant victory as the FTC had ordered Riyo to immediately destroy any data it gathers from a child or parent. The organization holds, however, that the mechanism for parental consent using facial recognition is ill-advised. “While facial recognition technology has many applications, its role protecting children’s privacy is unproven,” Chester added.
This letter is to inform you that the Federal Trade Commission (“FTC” or “Commission”) has reviewed Jest8 Limited’s (trading as Riyo) (“Riyo”) application for approval of a proposed verifiable parental consent (“VPC”) method under the Children’s Online Privacy Protection Rule (“COPPA” or “the Rule”). The Commission has determined that the proposed VPC mechanism is “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.” Accordingly, the FTC approves the proposed method.
Read PDF @ FTC
Source: Commission Letter Approving Application Filed by Jest8 Limited (Trading As Riyo) For Approval of A Proposed Verifiable Parental Consent Method Under the Children’s Online Privacy Protection Rule – 151119riyocoppaletter.pdf
The Federal Trade Commission has approved a new method for companies to get parents’ consent for their children to access online services covered by the Children’s Online Privacy Protection Act (COPPA) Rule. Based on an application submitted by Riyo, Inc., the Commission has approved the use of “face match to verified photo identification” (FMVPI) as a method to verify that the person providing consent for a child to use an online service is in fact the child’s parent. Under the COPPA Rule, online sites and services directed at children must obtain permission from a child’s parents before collecting personal information from that child. The rule lays out a number of acceptable methods for gaining parental consent, but also includes a provision allowing interested parties to submit new verifiable parental consent methods to the Commission for approval. FMVPI is a two-step process. In the first step, a parent provides an image of their photo identification, such as a passport or driver’s license. The authenticity and legitimacy of the document is then verified using various technologies that analyze the image to ensure that it is an authentic government-issued identification. In a second step, the parent is then prompted to provide a picture of themselves taken with a phone or web camera, which is analyzed to confirm that the photo is of a live person and not a photo of a still photo. The image is then compared to the identification photo using facial recognition technology to confirm whether the person submitting the photo is the one in the identification. The process includes certain privacy safeguards such as requiring encryption and prompt deletion of any personal information that is collected. The Commission vote to issue the letter and accept FMVPI as an acceptable verifiable parental consent method was 4-0. The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.
Leading US kids virtual world Roblox is now boasting 100% kid-safe advertising, thanks to a new partnership with SuperAwesome out of the UK. The incorporation of SuperAwesome’s platform into the digital game-building site will open up Roblox and its 15 million user-generated games to COPPA-compliant advertising opportunities and brand integrations in both the US and the UK.
To comply with COPPA, Internet service providers must obtain verified parental consent from parents COPPA – facial recognition for verified parental consentbefore collecting personal information from those children of the parents who are under 13 years of age. The process for obtaining parental consent has always been an area where the FTC and companies have struggled a bit to arrive at a simple, seamless technique. Facial recognition software may ultimately provide the best solution to this quandary.