VTech fined $650,000 for data privacy violations

The Hong Kong-based toy manufacturer VTech was fined $650,000 USD by a Northern District Court in Illinois on Tuesday, after exposing the personal data of over 5 million people, including adults and children in 2015. Additionally, the company will be responsible for creating and implementing a new data security program that must receive an independent assessment from a qualified third party once every other year.

The Northern District Court of Illinois found VTech in violation of Section 5 of the FTC Act “in making of a deceptive statement relating to their collection, storage, and transmittal of covered information.” This ruling was largely due to the poor cyber security practices in place, including but not limited to, an unsecure website, not encrypting data in-transit or at rest, and having misleading statements in their privacy policy.

Most alarming from this investigation was the VTech’s violation failure to obtain “verifiable parental consent prior to collecting, using, and/or disclosing personal information from children.”

As such, VTech was in direct violation of the Children’s Online Privacy Act (COPPA), which was created to require private entities to enforce more stringent requirements over the processing children’s data. A child in this case is any person under the age of 13.

COPPA was created to place more onus on the private entities to create a safe and trusted environment for children online. By definition, children have much less understanding of what their personal data is and what the implications are for disclosing it online.

Given the egregious nature and magnitude of this data breach the fines appear to be a simple slap on the wrist. However, this should come as a shot across the bow for any company doing business online. Creating a trusted online environment where consumers can feel safe is paramount, as the number of regulations continue to increase, and consumers become more aware of their rights online.

As the stakes continue to rise, the amount of violations and punishments will follow suit. Private companies who take a proactive approach to Trust and Safety will have a leg up on their competitors who wait for government mandated remediation to take action.