coppa news
  

Automatic

Settlement marks the agency’s first children’s privacy and security case involving connected toys

Note: A conference call for media with Tom Pahl, Acting Director of the FTC’s Bureau of Consumer Protection, will occur as follows:
Date: January 8, 2018
Time: 1 p.m. ET
Call-in info: (800) 230-1093; Confirmation Number: 442576
Call-in lines, which are for media only, will open 15 minutes prior to the start of the call. FTC staff will be available to take questions from the media.

Electronic toy manufacturer VTech Electronics Limited and its U.S. subsidiary have agreed to settle charges by the Federal Trade Commission that the company violated a U.S. children’s privacy law by collecting personal information from children without providing direct notice and obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected. VTech will pay $650,000 as part of the settlement with the FTC.

In a complaint filed by the Department of Justice on behalf of the FTC, the Commission alleges that the Kid Connect app used with some of VTech’s electronic toys collected the personal information of hundreds of thousands of children, and that the company failed to provide direct notice to parents or obtain verifiable consent from parents concerning its information collection practices, as required under the Children’s Online Privacy Protection Act (COPPA). In its first children’s privacy case involving Internet-connected toys, the FTC also alleges that VTech failed to use reasonable and appropriate data security measures to protect personal information it collected.

“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said Acting FTC Chairman Maureen K. Ohlhausen. “Unfortunately, VTech fell short in both of these areas.”

COPPA requires that companies collecting personal information from children under 13 online follow steps to ensure that children’s information is protected, including clearly disclosing to parents the information it collects, how the information will be used, and seeking verifiable parental consent. Companies also must take reasonable measures to protect the confidentiality, security and integrity of the personal information they collect about children.

According to the complaint against VTech, the company collected personal information from parents on its Learning Lodge Navigator online platform, where the Kid Connect app was available for download, and also through a now-defunct web-based gaming and chat platform called Planet VTech. Before using Kid Connect or Planet VTech, parents were required to register and provide personal information including their name, email address as well as their children’s name, date of birth and gender. VTech also collected personal information from children when they used the Kid Connect app.

As of November 2015, about 2.25 million parents had registered and created accounts with Learning Lodge for nearly 3 million children. This included about 638,000 Kid Connect accounts for children. In addition, about 134,000 parents in the United States created Planet VTech accounts for 130,000 children by November 2015.

With respect to Kid Connect, VTech failed to provide direct notice of its information collection and use practices to parents and did not link to its privacy policy in each area where personal information was collected from children.

At the same time, the complaint alleges that the company did not take reasonable steps to protect the information it collected through Kid Connect, such as implementing adequate safeguards and security measures to protect transmitted and stored information and implementing an intrusion prevention or detection system to alert the company of an unauthorized intrusion of its network. In November 2015, VTech was informed by a journalist that a hacker accessed its computer network and personal information about consumers including children who used its Kid Connect app.

The FTC also alleges that VTech violated the FTC Act by falsely stating in its privacy policy that most personal information submitted by users through the Learning Lodge and Planet VTech would be encrypted. The company, however, did not encrypt any of this information.

In addition to the monetary settlement, VTech is permanently prohibited from violating COPPA in the future and from misrepresenting its security and privacy practices as part of the proposed settlement. It also is required to implement a comprehensive data security program, which will be subject to independent audits for 20 years.

The FTC collaborated with the Office of the Privacy Commissioner of Canada, which is releasing its own Report of Findings. To facilitate cooperation with its Canadian partner, the FTC relied on key provisions of the U.S. SAFE WEB Act, which allows the FTC to share information with foreign counterparts to combat deceptive and unfair practices that cross national borders.

The Commission vote authorizing the staff to file the complaint and stipulated final order was 2-0. The complaint and stipulated final order was filed in the U.S. District Court for the Northern District of Illinois.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

The Federal Trade Commission is providing additional guidance on how the Children’s Online Privacy Protection Rule applies to the collection of audio voice recordings by organizations covered by the law, which requires certain operators of commercial websites or online services to obtain parental consent before collecting personal information from children under 13.

The FTC updated the COPPA Rule in 2013, adding several new types of data to the definition of personal information, including a photograph, video or audio file that contains a child’s image or voice, to data already covered, such as a name, address or Social Security number. This update has prompted some questions about the application of this requirement when a child’s voice is collected for the sole purpose of instructing a command or request.

In a new policy enforcement statement, the FTC noted that the COPPA rule requires websites and online services directed at children to obtain verifiable parental consent before collecting an audio recording. The Commission, however, recognizes the value of using voice as a replacement for written words in performing search and other functions on Internet-connected devices.

The FTC will not take an enforcement action against an operator for not obtaining parental consent before collecting the audio file with a child’s voice when it is collected solely as a  replacement of written words, such as to perform a search or to fulfill a verbal instruction or request – as long as it is held for a brief time and only for that purpose.

The Commission noted that there are important limitations to this policy. The policy does not apply when the operator requests information via voice that would otherwise be considered personal information, such as a name. In addition, an operator must still provide clear notice of its collection and use of audio files and its deletion policy in its privacy policy. Also, the operator may not make any other use of the audio file before it is destroyed and the policy does not affect the operator’s COPPA compliance requirements in any other respect.

The Commission voted 2-0 to approve the new policy statement.

The FTC has actively enforced the COPPA Rule, bringing more than two dozen cases since it was first issued in 2000. Most recently, the FTC reached settlements with a mobile advertiser that deceptively tracked the locations of children without parental consent and against two app developers that allowed third-party advertisers to collect information about children without parental consent.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

By Lesley Fair

If you think Ed Tech is the gruff guy in the polo shirt who set up your network, you’re missing out on a revolution happening right now in America’s classrooms. With more than half of K-12 students able to access school-issued personal computing devices, Ed Tech – educational technology – is changing the way kids learn. The benefits are obvious, but it’s also raised questions about how the Children’s Online Privacy Protection Rule (COPPA) and the Family Educational Rights and Privacy Act (FERPA) apply.

Read more >

Company Will Pay $950,000 For Tracking Children Without Parental Consent

Singapore-based mobile advertising company InMobi will pay $950,000 in civil penalties and implement a comprehensive privacy program to settle Federal Trade Commission charges it deceptively tracked the locations of hundreds of millions of consumers – including children – without their knowledge or consent to serve them geo-targeted advertising.

The FTC alleges that InMobi mispresented that its advertising software would only track consumers’ locations when they opted in and in a manner consistent with their device’s privacy settings. According to the complaint, InMobi was actually tracking consumers’ locations whether or not the apps using InMobi’s software asked for consumers’ permission to do so, and even when consumers had denied permission to access their location information.

The FTC alleges that InMobi, whose advertising network has reached more than one billion devices worldwide through thousands of popular apps, offers multiple forms of location-based advertising to its customers, including the ability to serve ads to consumers based on their current locations, locations they visit at certain times, and on their location over time.

“InMobi tracked the locations of hundreds of millions of consumers, including children, without their consent, in many cases totally ignoring consumers’ express privacy preferences,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “This settlement ensures that InMobi will honor consumers’ privacy choices in the future, and will be held accountable for keeping their privacy promises.”

The complaint alleges that inMobi created a database built on information collected from consumers who allowed the company access to their geolocation information, combining that data with the wireless networks they were near to document the physical location of wireless networks themselves. InMobi then would use that database to infer the physical location of consumers based on the networks they were near, even when consumers had turned off location collection on their device.

The FTC alleges that InMobi also violated the Children’s Online Privacy Protection Act (COPPA) by collecting this information from apps that were clearly directed at children, in spite of promising that it did not do so. The complaint noted that InMobi’s software tracked location in thousands of child-directed apps with hundreds of millions of users without following the steps required by COPPA to get a parent or guardian’s consent to collect and use a child’s personal information.

Under the terms of its settlement with the FTC, InMobi is subject to a $4 million civil penalty, which is suspended to $950,000 based on the company’s financial condition. In addition, the company will be required to delete all information it collected from children, and will be prohibited from further violations of COPPA.

In addition, InMobi will be prohibited from collecting consumers’ location information without their affirmative express consent for it to be collected, and will be required to honor consumers’ location privacy settings. The company will also be required to delete the location information of consumers it collected without their consent and will be prohibited from further misrepresenting its privacy practices. The settlement also will require InMobi to institute a comprehensive privacy program that will be independently audited every two years for the next 20 years.

The Commission vote to authorize the staff to refer the complaint to the U.S. Department of Justice and to approve the proposed stipulated order was 3-0. The DOJ filed the complaint and proposed stipulated order on behalf of the Commission in U.S. District Court for the Northern District of California.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357).  Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

As a parent, you have control over the personal information companies collect online from your kids under 13. This includes your child’s name, address, phone number, email address, and information the companies can use to track your child’s online activities. The Children’s Online Privacy Protection Act (COPPA) gives you tools to do that. If a site or service is covered by COPPA, it has to get your permission before collecting personal information from your child and it has to honor your choices about how that information is used.

Companies’ Apps Shared Kids’ Information with Ad Networks; Will Pay $360K In Civil Penalties

Two app developers will pay a combined $360,000 in civil penalties as part of settlements with the Federal Trade Commission over charges they violated the Children’s Online Privacy Protection Act, or COPPA, Rule.

The terms of the settlements with LAI Systems, LLC, and Retro Dreamer, require the defendants to pay civil penalties and  comply with the requirements of COPPA in the future.

“It’s vital that companies understand the rules of the road when it comes to handling children’s personal information online,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “These cases make it clear that we’re closely watching this space to ensure children’s privacy online is being protected.”

These cases are the first in which the FTC alleged that companies allowed advertisers to use persistent identifiers to serve advertising to children. Persistent identifiers – pieces of data that are tied to a particular user or device – were among the categories added to the COPPA Rule’s definition of personal information when it was updated in 2013.

LAI Systems

In its complaint against LAI Systems, LLC, the FTC alleged that the company created a number of apps directed to children, including My Cake Shop, My Pizza Shop, Hair Salon Makeover, Friday Night Makeover, Marley the Talking Dog and Animal Sounds. According to the FTC’s complaint, the defendant allowed third-party advertisers to collect personal information from children in the form of persistent identifiers. Defendant failed to inform the ad networks that the apps were directed to children and did not provide notice or get consent from children’s parents for collecting and using the information.

The settlement with LAI Systems prohibits the company from further violations of the COPPA Rule, and requires the company to pay a $60,000 civil penalty.

Retro Dreamer

In its complaint against Retro Dreamer, and its principals, Craig E. Sharpe and Gavin S. Bowman, the FTC alleged that the company created a number of apps targeted to children, including Ice Cream Jump, Happy Pudding Jump, Ice Cream Drop, Sneezies, Wash the Dishes, Cat Basket and Tappy Pop.

The defendants in this case, according to the complaint, allowed third-party advertisers to collect children’s personal information through the apps. One advertising network over the course of 2013 and 2014 specifically warned the defendants about the obligations of the revised COPPA Rule, and also told the defendants that certain of their apps appeared to be targeted to children under the age of 13.

The settlement with Retro  Dreamer, Sharpe and Bowman prohibits the defendants from further violations of the COPPA Rule, and requires the defendants to pay a $300,000 civil penalty.

The Commission votes to authorize the staff to refer the complaints to the Department of Justice, and to approve the proposed stipulated civil penalty orders, were 4-0. The DOJ filed the complaints and proposed stipulated orders on behalf of the Commission in U.S. District Court for the Central District of California on Dec. 17, 2015.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when signed by the District Court judge.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

The Federal Trade Commission has approved a new method for companies to get parents’ consent for their children to access online services covered by the Children’s Online Privacy Protection Act (COPPA) Rule. Based on an application submitted by Riyo, Inc., the Commission has approved the use of “face match to verified photo identification” (FMVPI) as a method to verify that the person providing consent for a child to use an online service is in fact the child’s parent. Under the COPPA Rule, online sites and services directed at children must obtain permission from a child’s parents before collecting personal information from that child. The rule lays out a number of acceptable methods for gaining parental consent, but also includes a provision allowing interested parties to submit new verifiable parental consent methods to the Commission for approval. FMVPI is a two-step process. In the first step, a parent provides an image of their photo identification, such as a passport or driver’s license. The authenticity and legitimacy of the document is then verified using various technologies that analyze the image to ensure that it is an authentic government-issued identification. In a second step, the parent is then prompted to provide a picture of themselves taken with a phone or web camera, which is analyzed to confirm that the photo is of a live person and not a photo of a still photo. The image is then compared to the identification photo using facial recognition technology to confirm whether the person submitting the photo is the one in the identification.  The process includes certain privacy safeguards such as requiring encryption and prompt deletion of any personal information that is collected. The Commission vote to issue the letter and accept FMVPI as an acceptable verifiable parental consent method was 4-0. The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

The Federal Trade Commission is seeking public comment on a proposed verifiable parental consent method that Riyo has submitted for Commission approval under the agency’s Children’s Online Privacy Protection Rule.

Under the rule, online sites and services directed at children must obtain permission from a child’s parents before collecting personal information from that child. The rule lays out a number of acceptable methods for gaining parental consent, but also includes a provision allowing interested parties to submit new verifiable parental consent methods to the Commission for approval.

In a Federal Register notice to be published shortly, the FTC is seeking public comment about the proposed Riyo verifiable parental consent method including whether the proposed method is already covered by existing methods under the rule and whether it meets the rule’s requirement that it be reasonably calculated to ensure that the person providing the consent is actually the child’s parent. The Commission also seeks comment on whether the program poses a risk to consumers’ information and whether that risk is outweighed by the benefits of the program. The comment period will last until Sept. 3, 2015.

NOTE: Publication of this Federal Register notice does not indicate Commission approval of the program. The Commission has 120 days to review proposed verifiable parental consent methods and must set forth its conclusions in writing.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them.  To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357).  The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad.  The FTC’s website provides free information on a variety of consumer topics.  Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.


December 2018
M T W T F S S
« Oct    
 12
3456789
10111213141516
17181920212223
24252627282930
31  
business.ftc.gov | Your Link to the Law