VTech data breach
The 2015 VTech breach affected services used by parents and children. Exposed material included account information and data associated with child-facing services, including photos, audio, and chat content.
The US Federal Trade Commission later alleged failures to obtain required parental consent and to take reasonable steps to secure collected data. VTech agreed to a USD 650,000 civil penalty and future compliance obligations in 2018.
The case in Case for privacy and security illustrates that children’s connected products create a long time horizon. Children cannot meaningfully assess future exposure, so minimization, parental consent, and actual deletion must be designed into the service.
Sources
Connections