Parents got another reminder this week that internet-connected toys are collecting a lot of personal information about their kids—often without adequate safeguards.

VTech, a maker of electronic toys, settled a federal complaint on Monday that it collected information from children without parental consent and didn’t adequately secure that information on its servers. VTech’s database was hacked in 2015, exposing the personal information of nearly 12 million children and parents.

The Hong Kong-based company will pay a $650,000 fine and implement new data security measures to settle the complaint from the Federal Trade Commission. VTech is also subject to independent audits of its security practices for the next 20 years.  

The deal marks the first time the agency has taken enforcement action against an internet-connected toy company.

“This highlights again the need for companies to protect the information they collect, especially when it comes to children,” Tom Pahl, director of the FTC’s bureau of consumer protection, said in a conference call with reporters.

Despite the government’s action, however, security experts say it’s mainly up to the parents to make sure that their children’s personal information doesn’t fall into the wrong hands. (See below for things you can do.)

“We’re still in the wild, Wild West” when it comes to connected products, says John Dickson, a principal at Denim Group, a cybersecurity company in San Antonio.

VTech, which makes tablets, smartwatches, and other connected toys for kids, settled the complaint without admitting or denying any wrongdoing. Allan Wong, chairman and group CEO, said the company has updated its data security policy and “adopted rigorous measures to strengthen the protection of our customers’ data.” 

Privacy Advocates Praise Settlement

Connected toys have long been a concern for security professionals, who argue that, while they offer tech features such as a WiFi or Bluetooth connection, they often lack built-in security measures common to other connected home products. That makes them easy targets for hackers looking to steal information from the toy itself or from other “smart” items connected to a home network.

Privacy advocates say the settlement is a step in the right direction, and one that has been needed for some time.

“With connected products flooding the marketplace, it’s vital that companies pay attention to privacy and security,” says Katie McInnis, technology policy counsel for Consumers Union, the policy and mobilization division of Consumer Reports. “This is especially true when products collect sensitive information from children.”  

“We applaud the FTC for taking this action,” she says. “We hope this is a sign that the FTC is going to be more vigilant in holding companies accountable for breaking privacy laws. Parents have a right to know and a right to choose how their children’s personal data is being collected.”

Over the past year, Consumers Union has asked the FTC to investigate privacy and security concerns with toys such as My Friend Cayla and i-Que Intelligent Robot, which it says were collecting and using children’s data in violation of the Children’s Online Privacy Protection Act, and smartwatches made by Caref and SeTracker, which it charges are easily hackable and could be used to track and listen in on the children wearing them.

What Parents Can Do

As the number and popularity of connected toys continue to grow, security experts say parents need to be vigilant about protecting their child’s personal information.

This can be tough, given that most connected-toy companies don’t spell out their security practices on their boxes. And there’s no way to know whether a toy company that holds your child’s information has been, or will be, hacked.

Still, there are some things parents can do. 

  • When a toy maker asks for personal information, you don’t have to hand it over. And there’s nothing wrong with using a fake name, birthdate, and address in your child’s profile. Don’t include pictures of your child, either. 
  • Know that you often get what you pay for. While there’s no guarantee that a pricey toy will come with top security, don’t expect that a $20 talking bear will.
  • Do a Google search to see whether anyone has raised privacy and security concerns about a toy before you buy it.
  • Take a look at where the collected data is being stored. If it’s on the toy itself, it’s less of a concern than if it’s, say, on a Bluetooth-connected app or uploaded to the cloud (think third-party server). That last scenario is what led to the problem with the VTech products.
  • Talk to your kids about how to set strong passwords and avoid phishing scams.

“As parents buy these products, they need the opportunity to compare not just prices but also a company’s stewardship of data,” the FTC’s Pahl says.

He adds that parents should make it a point to read privacy policies and decide for themselves what information is appropriate to hand over.