The U.S. Department of Justice has taken legal action against Apitor Technology, a company that sells robot toys, over allegations of violating the Children’s Online Privacy Protection Rule (COPPA). The lawsuit, initiated after a notification from the Federal Trade Commission, claims that Apitor’s Android app, which is used to control its toys, has been collecting the precise geolocation data of children without first notifying their parents or obtaining their verifiable consent. The complaint highlights a significant breach of trust and privacy, stating that the company failed to disclose this data collection practice to users. This legal challenge underscores the serious consequences for companies that do not adhere to regulations designed to protect children’s online privacy.
Central to the complaint is Apitor’s use of JPush, a third-party software development kit (SDK) from the Chinese company Jiguang (also known as Aurora Mobile). According to the Justice Department’s filing, this SDK has been used to collect precise location data from thousands of children since at least 2022. The data was allegedly collected for various purposes, including targeted advertising, and transmitted to JPush’s internet servers. The complaint explicitly states that even after a user enables location permissions for the Apitor app, the company never informs them that a third party is collecting this sensitive information, nor does it seek the necessary parental consent as required by law.
In an effort to resolve the case, a proposed settlement has been put forward. Under the terms of this agreement, Apitor would be required to ensure that any third-party software it uses in the future is fully compliant with COPPA. Additionally, the company is to pay a civil penalty of $500,000. However, due to Apitor’s declared financial difficulties, the penalty will be put on hold. The settlement includes a provision that should Apitor be found to have been dishonest about its finances, it will be obligated to pay the full amount.
Beyond the financial penalty, the settlement outlines a series of mandatory actions for Apitor to take to rectify its non-compliance. These requirements include a commitment to notify parents before any data collection begins and to obtain their consent. Furthermore, Apitor must delete all previously collected personal information and is only permitted to retain data for as long as it is necessary. These measures are intended to restore the privacy of affected children and prevent similar violations from occurring in the future.
The lawsuit and proposed settlement serve as a stark reminder of the importance of COPPA and its enforcement. Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, emphasized that the rule is clear: companies that provide online services to children must not only notify parents about data collection but also obtain their consent, even if the data is collected by a third party. This case, along with the FTC’s recent action against Disney for similar violations on YouTube, highlights a growing focus on holding companies accountable for protecting the privacy of minors in the digital age.