Full Report
The complaint alleges that the toy manufacturer Apitor published a privacy policy saying that it complied with the Children’s Online Privacy Protection Rule, but in reality violated the law by collecting location data from children without parental consent.
Analysis Summary
# Regulation/Compliance: COPPA Enforcement Focus on Children's Data Collection
## Overview
This summary details a Federal Trade Commission (FTC) enforcement action against a robot toy manufacturer (Apitor) for alleged violations of the Children’s Online Privacy Protection Rule (COPPA) related to the unauthorized collection of children's geolocation data via a third-party software development kit (JPush). The action highlights the strict requirement for parental notice and consent when collecting personal information from children under 13.
## Key Details
- Issuing Authority: Federal Trade Commission (FTC), action filed by the Justice Department.
- Effective Date: COPPA is an existing rule, but the article notes COPPA was made "tougher in January" (prior to the Sep 3, 2025 article date) and the FTC is aggressively enforcing it.
- Jurisdiction: United States (applies to operators of websites or online services directed to children under 13).
- Status: Enforcement Action / Proposed Settlement (enforcement of an existing rule that is already in effect).
## Requirements
### Mandatory Requirements
1. **Parental Consent for Children Under 13:** Obtain verifiable parental notice and consent before collecting, using, or disclosing personal information from children under the age of 13.
2. **Data Minimization/Disclosure:** Ensure that any third parties acting on the company's behalf (including embedded SDKs like JPush) comply with the same privacy mandates, especially regarding data collection and permissible use.
3. **Compliance with Published Policy:** Organizations must adhere to the privacy promises made in their public-facing policies (Apitor allegedly violated its own policy stating COPPA compliance).
4. **Data Erasure (Settlement Term):** The primary mandate in this specific settlement is the erasure of all previously collected data unless verifiable parental consent is subsequently obtained.
### Recommended Practices
1. **Clear Communication:** Explicitly inform parents and children about what data is being collected, how it is used, and which third parties have access, especially if location data is involved.
2. **Thorough Third-Party Vetting:** Rigorously audit all embedded software development kits (SDKs) and third-party integrations to ensure they do not covertly collect prohibited data types (like geolocation) without authorization.
3. **Contact Information:** Maintain accessible and functional contact information for consumer/parent inquiries.
## Affected Organizations
- Industries: Manufacturers of toys, apps, websites, or online services directed to children aged 6 to 14 (specifically those targeting under 13).
- Organization Size: Not explicitly stated as a factor for violation, but enforcement actions can target any size organization.
- Geographic Scope: Entities or operators serving the U.S. market, regardless of where the company (like Apitor, based in China) is physically located.
## Compliance Timeline
- **Prior to January (unknown year):** Original COPPA effective date.
- **January (prior to Sept 2025):** COPPA rules were "made tougher."
- **September 3, 2025:** FTC filed complaint and announced proposed settlement.
- **Ongoing/Immediate:** Requirement to cease illegal activity and initiate data erasure as per the settlement order.
- **If Financial Misrepresentation is Proved:** Final deadline to pay the suspended $500,000 penalty.
## Implementation Guidance
### Assessment Phase
- **Data Flow Mapping:** Audit the companion mobile application to identify all embedded SDKs (e.g., JPush) and trace precisely what data elements (especially location data) are being collected by both the primary operator and the third parties.
- **Policy Review:** Compare actual data collection practices against the published privacy policy to identify any material contradictions.
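
A starting point for the data flow mapping step, as an added example that is not part of the original report: it reads a merged `AndroidManifest.xml`, lists the declared location permissions, and groups components that come from packages other than the app's own. The manifest, the package `com.example.robotkit` and the `com.vendor.*` SDK names are constructed for illustration; a real audit would follow this static pass with a network traffic review.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID = "{http://schemas.android.com/apk/res/android}"
LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample of a merged manifest; all package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.robotkit">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name="com.example.robotkit.BleService"/>
    <service android:name="com.vendor.pushsdk.PushService" android:exported="true"/>
    <receiver android:name="com.vendor.pushsdk.PushReceiver"/>
    <provider android:name="com.vendor.analytics.InitProvider"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return declared location permissions and third-party components by package."""
    root = ET.fromstring(xml_text)
    app_pkg = root.get("package", "")
    perms = sorted(
        p.get(ANDROID + "name") for p in root.iter("uses-permission")
        if p.get(ANDROID + "name") in LOCATION_PERMS
    )
    third_party = defaultdict(list)
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            name = comp.get(ANDROID + "name", "")
            if name.startswith("."):          # relative class name: app's own code
                name = app_pkg + name
            elif "." not in name:
                name = app_pkg + "." + name
            if not name.startswith(app_pkg + "."):
                vendor = ".".join(name.split(".")[:3])  # group by package prefix
                third_party[vendor].append((tag, name))
    # Android permissions are granted to the whole app, so every embedded SDK
    # can use a location permission once it is declared and granted.
    return {"location_permissions": perms, "third_party": dict(third_party),
            "needs_review": bool(perms and third_party)}
```

Any package listed under `third_party` in an app that also declares a location permission is a candidate for the SDK review described above.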
### Implementation Phase
- **SDK Remediation:** Immediately remove or replace any third-party components that collect personal information from children under 13 without explicit parental consent mechanisms in place.
- **Consent Mechanism Overhaul:** Implement robust, verifiable parental consent mechanisms compliant with COPPA standards before any further collection of PII from users under 13.
### Validation Phase
- **Internal Audits:** Conduct recurring technical audits to ensure no unauthorized data collection persists.
- **Legal Review:** Have external counsel review current data collection practices against the updated COPPA guidance to assure compliance.
## Technical Requirements
1. **Location Services Restriction:** Location sharing must be disabled or rendered non-functional for users identified as under 13 unless prior parental consent is obtained.
2. **Third-Party Data Isolation:** Ensure that third-party software embedded within child-directed apps cannot access PII or geolocation data unless explicitly permitted by the operator following valid consent.
## Penalties & Enforcement
- Fines: A proposed fine of **$500,000** was levied, although it was "suspended" because the company claimed inability to pay. The fine becomes payable if the company is found to have misrepresented its finances.
- Other Consequences: Mandate to **erase all data** collected from children unless verifiable parental consent is obtained.
- Enforcement: Enforcement is pursued via legal action filed through the **Justice Department** following an FTC referral, indicating cross-agency cooperation. The FTC signals aggressive enforcement, citing another large fine against Disney ($10 million) for similar violations.
## Related Standards
- **Children’s Online Privacy Protection Rule (COPPA Rule):** The specific federal law violated.
- **FTC Guidance:** Compliance is guided by current FTC guidance regarding acceptable parental consent mechanisms and the definition of "child-directed" services.
## Resources
- Official Documentation: Apitor complaint document (defanged link: www.documentcloud.org/documents/26081627-apitor-complaint)
- Guidance Documents: FTC press release (defanged link: www.ftc.gov/news-events/news/press-releases/2025/09/ftc-takes-action-against-robot-toy-maker-allowing-collection-childrens-data-without-parental-consent)
- Tools: No specific tools are mentioned, but compliance requires technical data flow analysis tools.
## Practical Recommendations
1. **Assume Under 13:** If an offering serves any population where a significant portion might be under 13 (as evidenced by toys marketed to ages 6-14), implement COPPA-compliant mechanisms by default.
2. **Liability for Third Parties:** Understand that liability for data misuse or collection by embedded SDKs rests entirely with the primary service operator (Apitor).
3. **Prioritize Consent Over Functionality:** Do not make core functionality contingent on location tracking for children under 13 without first securing consent.