Toymaker VTech Settles Charges of Violating Child Privacy Law

The popular electronic toymaker VTech Electronics agreed to pay $650,000 to settle charges that it had collected digital data on children without parents’ permission and failed to keep that information secure from hackers, the Federal Trade Commission said Monday.

It was the first enforcement action against a company that makes internet-connected toys by the FTC, which has received several complaints about privacy violations and online advertising aimed at children. Some child advocates have complained that the agency has been slow to respond to the complaints, which cover a variety of products including toys and apps for smartphones and tablets.

The FTC said that the action against VTech, a Hong Kong-based maker of online apps and toys, showed the agency’s dedication to child safety and privacy issues — particularly given the fast-growth of the connected toy market.

“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said Maureen K. Ohlhausen, the commission’s acting chairwoman. “Unfortunately, VTech fell short in both of these areas.”

The agency said in its complaint that VTech had collected data about more than 638,000 children — including text messages, photos, and audio messages — without notifying users or asking parents for permission to collect that information. The company was accused of violating the 1998 Children’s Online Privacy Protection Act, which requires parents to give permission for a company to collect internet data on children under the age of 13.

The FTC also accused the company of having inadequately secured its network in 2015, when VTech’s servers were hacked. Personal information of children — including email addresses, names and gender — were stolen during the breach. The company did not, for example, encrypt information transmitted through some of its online services, the FTC said in its complaint.

The company, which sells numerous electronic devices geared toward children, said it has updated its privacy policies to comply with privacy and security laws.

“Following the cyber attack incident, we updated our data security policy and adopted rigorous measures to strengthen the protection of our customers’ data,” said Allan Wong, the chairman of VTech Holdings Ltd. Wong said the company had also taken steps to address issues associated with the Children’s Online Privacy Protection Act.

Numerous technology companies, including Facebook and Google, have been pushing to reach younger audiences with their products. Facebook recently announced a messenger service for children as young as 6 and Google introduced YouTube Kids in 2015. The services have set off debate about what digital tools are appropriate for children and what companies were doing to prevent abuse.

Marc Rotenberg, president of the Electronic Privacy Information Center, said that the FTC has moved slowly in investigating VTech, a company whose conduct was brought to the agency’s attention in 2015.

“This is good news that the FTC finally took action but we feel like they are moving too slow and clearly following and not leading,” Rotenberg said.