FTC Enforcement of COPPA Shows that Current Law is Working

Share |

The Federal Trade Commission (FTC) signaled they are serious about enforcing current law with the announcement of the $650,000 fine and 20-year consent decree settling a complaint brought against toy maker, VTech, for violating the Children’s Online Privacy Protection Act (COPPA). VTech will pay the fine and is required to not violate COPPA.  It also must implement a comprehensive data security program subject to independent audits for 20 years.

The FTC found that VTech, through its internet-connected toys, collected personal information from children under 13 without providing appropriate notice nor obtaining proper consent from the child’s parent. VTech, according to the complaint, did not use reasonable security measures required by COPPA despite stating they do in the available privacy policy. The toy maker suffered a major security breach in 2015 where hackers accessed unencrypted parent and child personal information, including photos and chat logs.

Both the FTC and state attorneys general have the authority to enforce COPPA. In just the past few years, the New York Attorney General has taken action. The VTech case also shows collaboration internationally, as permitted by provisions of the U.S. SAFE WEB Act, with the FTC working alongside the Office of the Privacy Commissioner of Canada, which released its own report.

Existing law is abundantly clear that if an online company would like to collect personal information from a child under the age of 13, said company must first provide notice to a parent and obtain verifiable parental consent. In 2017, the FTC released a six-step compliance plan for business that collect information from children under 13 online. 

Sara Sara Kloek is SIIA's Director for Education Policy.