
In recent years, a number of toy makers have come under fire for developing children’s smart devices that turn out to be privacy nightmares, and a company called VTech Electronics has just settled the Federal Trade Commission’s first case involving an internet-connected toy. VTech will pay the FTC $650,000 over charges of violating the Children’s Online Privacy Protection Act (COPPA) and “failing to take reasonable steps to secure the data it collected,” according to an FTC statement released Monday.


At the end of 2015, details about a massive security breach at VTech emerged, revealing that hackers broke into the company’s servers, gaining access to the customer accounts of almost five million parents and over six million children worldwide. The personal information included names, emails, passwords, download histories, and home addresses of parents, and the first names, genders, and birthdays of kids. The hackers were also able to download about 190 GB of photos from VTech’s Kid Connect app—the images were reportedly head shots that the company lets users take and send through the chat app.

The FTC complaint addressed this major security violation, which wasn’t on VTech’s radar until a journalist emailed them about the issue. The complaint notes that VTech didn’t have sufficient privacy and security measures in place to protect the data it collected through the app. It also claims that the company didn’t have a proper “prevention or detection system” set up to notify the company when there was a security breach. What’s more, the complaint alleges that VTech misled its users in its privacy policy, stating that its gaming and chat platforms Learning Lodge and Planet VTech encrypted users’ personal information. The FTC claims it wasn’t actually encrypted. Currently, both web-based platforms are unavailable.


“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said Acting FTC Chairman Maureen K. Ohlhausen, according to the statement. “Unfortunately, VTech fell short in both of these areas.”

In addition to paying the FTC, VTech must put into effect a “comprehensive data security program” that will undergo independent audits for 20 years. It is also permanently banned from violating the children’s privacy law and from falsifying its privacy and security practices. We have reached out to VTech for comment and will update this story if we receive a response.