On Friday, the FTC issued warning letters to the Chinese electronics company Gator Group as well as the recently shuttered Swedish firm Tinitell, informing them that they’re in violation of the Children’s Online Privacy Protection Act. It turns out the companies’ smartwatches for children have been collecting kids’ data without first obtaining parental consent — or even telling parents that they’re collecting data at all.

Though one of the draws of giving your kid a smartwatch is being able to track their location to make sure they’re safe, that safety is negated if other people can access that same data. That’s a huge issue, one that specifically Gator hasn’t addressed. As the developer Roy Solberg wrote last fall after discovering massive security flaws in Gator’s smartwatch for children, the company’s security protocols are so thin that “anyone on the Internet can live track your kid.” His post continued:

As a developer I just cannot understand how a product like this can end up on the market. Any developer involved in the project on any level would know that this is a really bad product. It's not like anyone mistakenly has screwed up. No one has cared to add any layer of security.

The FTC’s letter to Gator notes that the Children’s Online Privacy Protection Act “requires that companies that collect personal information from children take reasonable measures to secure that information.”

This isn’t the only time that companies’ data practices have been found in violation of the Children’s Online Privacy Protection Act. In January, the FTC fined toy manufacturer VTech for collecting children’s data without parental consent as well as not having adequate protections for that data. Just last week, the Children’s Advertising Review Unit, an advertising industry internal watchdog, referred the kid-focused streaming app Musical.ly to the FTC for refusing to stop collecting the data of users under the age of 13.

Update: This article has been updated to amend one misstatement of the agency that issued the warning letters. It was the FTC, not the FCC.