The ICO first began its examination of Bounty UK Ltd. (a support club for parents) while investigating the data brokerage industry generally, an industry in which it viewed Bounty as taking part (given that it shared member information with third parties like Acxiom and Equifax). In reaching its conclusion that the company had violated UK privacy laws, the ICO found the volume of sharing in which Bounty engaged “unprecedented,” and accused the company of both “careless data-sharing” and violations of the UK law that pre-dated GDPR (the violation having occurred prior to the law’s May 2018 implementation date). Interestingly, the violation has been described by commentators as a “data breach,” although it did not involve the typical “hacker” scenario that one thinks of when contemplating a breach. Instead, the company collected information and shared it with third parties without appropriate notice and consent.
Continue Reading UK ICO Fines Parenting Club £400,000 Over Breach Involving PII of Mothers and Babies

Citing cybersecurity concerns with a children’s smartwatch, the European Commission recently issued a recall of the device. The Safe-KID-One is a smartwatch that gives parents the ability to track and communicate with their children. According to the European Commission, security issues with the device could allow a hacker to access a user’s data, including location history, phone numbers and serial number. Additionally, the hacker could use the watch to “call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.” This is one of the first recalls of an internet of things device by the European Commission and puts device makers on notice that they should take cybersecurity seriously when designing new devices.
Continue Reading Cyber Concerns Lead to EU Recall of a Connected Kids Devices

Unixiz, operator of the i-Dressup site, reached an agreement with the New Jersey Attorney General to settle charges that the company had violated the Children’s Online Privacy Protection Act and New Jersey’s Consumer Fraud Act. The New Jersey AG claimed that Unixiz violated these statutes by collecting information about children without first getting parental consent. The AG’s investigation into Unixiz’s privacy practices began after Unixiz disclosed a data breach in 2016. Users of the i-Dressup site created accounts with the site (and thus established usernames and passwords). In 2016, hackers accessed approximately 2.2 million users’ names and passwords. In response to the breach, the New Jersey AG launched an investigation into the company. The investigation revealed that in addition to failing to safeguard its users’ information, Unixiz did not get parental consent before collecting children’s personal information, as required under COPPA. Included among its users were 2,519 New Jersey children.
Continue Reading Unixiz Settles COPPA Allegations with NJ AG

The Federal Trade Commission recently posted a blog entry reminding companies about the deletion requirements under the Children’s Online Privacy Protection Act, namely that companies under the Act must give parents the right to review and delete their children’s information. In addition, COPPA requires companies to delete children’s personal information when the information is no longer necessary to fulfill the purpose for which it was originally requested. An example given is when a parent decides not to renew a subscription on behalf of their child. In that case, the company must delete the information even if the parent has not specifically requested deletion. The FTC recommends that companies make sure that their document retention policies take into account the stated purposes for which children’s personal information is collected, and under what circumstances the information will no longer be needed for those purposes. The FTC also recommends that companies ensure that they have secure deletion practices in place.
Continue Reading FTC Provides Insight into COPPA Deletion Requirements

The NJ attorney general recently announced that it settled with a Chinese entity over violations of COPPA. The company promotes itself as a “virtual beauty counter,” and makes a variety of apps that let consumers virtually try on makeup. These apps include facial recognition technology, as well as photo-editing tools that allow users to customize and touch up their photos (the apps include Beauty Plus, AirBrush, and Meitu). The apps, according to the AG, allowed children under 13 to submit personal information without first getting parental consent, in violation of the Children’s Online Privacy Protection Act.
Continue Reading NJ AG Settles with Chinese Firm Over COPPA Violations, FTC Sends Warning Letters

The settlement between VTech Electronics Ltd. and the FTC in the first Internet-connected toys COPPA case is a reminder for companies looking to enter the connected toys space not to forget this child-focused law.

The FTC complaint alleged that VTech violated the Children’s Online Privacy Protection Act and the FTC’s COPPA Rule because it collected personal information from children without parental consent. According to the FTC, VTech markets and sells various “electronic learning products,” which it targets to 3- to 9-year-olds. Those products have an area similar to an app store, and one of the apps available is called Kid Connect. Kid Connect, the FTC explained, lets children communicate with other users. Although parents did have to sign children up for the interactive features of the VTech products, the FTC had concerns about the compliance of the consent process, namely that VTech did not have a way to verify that the person submitting consent was the parent and not the child. Also of concern for the FTC, and, it alleged, in violation of COPPA, was the lack of a link to the privacy policy in all areas of Kid Connect where personal information was collected. And in some instances, like the Kid Connect registration page, the privacy policy link was not sufficiently prominent. Additionally, some of the information required by COPPA to be included in a privacy policy was missing. This included VTech’s address and email address, a full description of what information was being collected from children, and the parent’s right to review/delete children’s personal information.
Continue Reading Connected Toys, COPPA, and What’s Next

France’s data protection commissioner joins others in taking action against toymaker Genesis Toys related to its popular internet-connected toys My Friend Cayla and i-Que Robot. Last December, a number of consumer groups filed complaints with regulators in the U.S. and Europe raising privacy and security concerns about the toys. The groups asserted that the toys fail to meet U.S. and E.U. privacy and data protection standards because the toys record and collect the conversations of children without parental consent and without limitations on the collection, use, or disclosure of the information, and because the toys can be easily hacked by third parties.
Continue Reading France Joins Others, Enforces Against Connected Toys