The Federal Trade Commission (FTC) signaled they are serious about enforcing current law with the announcement of the $650,000 fine and 20-year consent decree settling a complaint brought against toy maker, VTech, for violating the Children’s Online Privacy Protection Act (COPPA). VTech will pay the fine and is required to not violate COPPA. It also must implement a comprehensive data security program subject to independent audits for 20 years.
Both the FTC and state attorneys general have the authority to enforce COPPA. In just the past few years, the New York Attorney General has taken action. The VTech case also shows collaboration internationally, as permitted by provisions of the U.S. SAFE WEB Act, with the FTC working alongside the Office of the Privacy Commissioner of Canada, which released its own report.
Existing law is abundantly clear that if an online company would like to collect personal information from a child under the age of 13, said company must first provide notice to a parent and obtain verifiable parental consent. In 2017, the FTC released a six-step compliance plan for business that collect information from children under 13 online.