
The U.S. Department of Justice, on behalf of the Federal Trade Commission (FTC), has filed a lawsuit against Apitor Technology Co., culminating in a settlement over allegations that the company improperly collected children’s geolocation data and shared it with a third-party developer in China without obtaining verifiable parental consent[1][2]. The action, filed on September 3, 2025, reflects a continued regulatory focus on children’s privacy, coming just one day after a separate $10 million settlement with Disney[2]. The case against Apitor underscores a persistent pattern of non-compliance with the Children’s Online Privacy Protection Act (COPPA) and its implementing regulation, the COPPA Rule, within the connected toy industry, a sector that has been under scrutiny for over a decade.
This incident is not an isolated event but part of a historical continuum of privacy and security failures involving internet-connected toys. The regulatory response has evolved from initial warnings and first-of-their-kind fines to more assertive settlements and the emergence of stricter state-level legislation, particularly from California. For security professionals, these cases serve as critical object lessons in third-party risk management, data sovereignty issues, and the security lifecycle of Internet of Things (IoT) devices, especially those that handle sensitive biometric and location data.
Historical Precedents: The VTech Data Breach
The FTC’s action against Apitor finds a direct parallel in the 2018 settlement with electronic toy maker VTech[3]. That case was the FTC’s first involving connected toys and set a significant precedent. VTech’s Kid Connect app and related learning products collected personal information from children without providing direct notice to parents or obtaining verifiable parental consent, a clear COPPA violation[3]. The company also engaged in deceptive practices by falsely claiming that most personal information was encrypted, and it failed to implement reasonable security measures. That security failure culminated in a 2015 data breach that exposed the data of 2.25 million parents who had registered accounts for nearly 3 million children[3]. The settlement required VTech to pay a $650,000 penalty and submit to independent data security audits for two decades, and it permanently prohibited the company from violating COPPA[3]. At the time, some analysts criticized the penalty as insufficient given the scale of the data exposure[4].
The Expanding Threat Landscape of Connected Toys
The issues with VTech and Apitor are part of a broader ecosystem of vulnerable connected devices aimed at children. The first wave of such toys, circa 2015, included products like Mattel’s Hello Barbie, which faced a class-action lawsuit for recording children’s voices without adequate consent and for insecure data practices[5]. Perhaps the most notorious example was Genesis Toys’ My Friend Cayla, which was the subject of an FTC complaint for COPPA violations[5]. The doll was vulnerable to unauthorized Bluetooth connections, allowing anyone within range to speak through it. The risk was deemed so severe that German regulators later classified it as an “illegal espionage apparatus” and ordered its destruction[5]. A second wave involved household assistants like the Amazon Echo Dot Kids Edition, which faced a coalition complaint in 2019 alleging COPPA violations due to indefinite retention of children’s voice recordings and difficult data deletion processes[6].
Emerging Risks: Biometrics and Defunct Companies
A third wave of risks involves the collection of biometric data and the problem of data stewardship when companies fail. Anki’s Cozmo robot, for instance, collected and stored facial recognition data locally on the device[7]. This creates novel risks, particularly when such devices are resold on secondary markets like eBay without the sensitive biometric data being wiped. The risk was compounded when Anki went out of business in 2019, leaving its products unsupported and raising complex questions about who is responsible for the data they contain[7]. Security researchers have recommended that retailers require the scrubbing of data from IoT toys before resale and consider delisting products from defunct companies to mitigate these risks[7].
The Regulatory Response and the “California Effect”
The federal regulatory response has included warnings, such as a 2017 FBI public service announcement on the privacy concerns of internet-connected toys, and pressure from lawmakers like Senator Mark Warner[8]. However, in recent years, state law has begun to lead the way. California’s IoT Security Law (SB-327), effective January 1, 2020, mandated that connected devices have unique pre-programmed passwords or a feature that forces a new password upon first use[9]. More significantly, the California Consumer Privacy Act (CCPA), also effective in 2020, strengthened protections for children’s data beyond the federal COPPA standard. It requires affirmative opt-in consent for the data of children under 16, protects a higher age group, and mandates a more proactive approach to age verification by eliminating the “wilful disregard” standard found in COPPA[9]. Due to California’s substantial market size, compliance with its laws often becomes a de facto national standard for product development[9].
Relevance and Remediation for Security Teams
For security teams, the Apitor case and its historical context highlight several critical areas of concern. The alleged data flow to a Chinese third party adds data sovereignty and national security dimensions to a classic privacy problem. The technical implementation of parental consent mechanisms must be robust and verifiable, not merely a checkbox: consent should be tied to a verified parent, scoped to specific recipients and purposes, and enforced at the point where data leaves the device or service. Lifecycle management of IoT devices, including secure decommissioning and data wiping procedures, is a necessary part of corporate policy, especially for devices that collect biometrics. Monitoring for compliance with evolving regulations, particularly state laws like the CCPA that may exceed federal requirements, is essential for lawful operation. Finally, thorough vetting of third-party developers and vendors in the supply chain is paramount to ensure they adhere to the same data handling and security standards expected internally.
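The consent-gating point above is easiest to see in code. The following is an added illustrative example, not code from Apitor, VTech, the FTC or any product discussed on this page. It assumes a hypothetical consent store (the ParentalConsent record), a hypothetical downstream recipient name, and a fixed reference time; all records and names are constructed for the example. It gates every outbound geolocation share on a consent record that is parent-verified, unrevoked, unexpired, and explicitly scoped to the recipient and purpose, applying the under-13 COPPA threshold by default and the under-16 opt-in threshold the page attributes to the CCPA for California users.

```python
"""Consent-gated sharing of a child's geolocation with a third party.

Added example (hypothetical consent store and recipients; not any vendor's code).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

COPPA_CHILD_AGE = 13  # federal COPPA: children under 13
CCPA_CHILD_AGE = 16   # CCPA (per the page): affirmative opt-in for minors under 16

# Constructed reference times so the example is deterministic offline.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=400)  # a time after the sample consent expires


@dataclass(frozen=True)
class ParentalConsent:
    """A consent record as a hypothetical consent service might store it."""
    child_id: str
    parent_verified: bool            # True only after a verification step, not a checkbox
    recipients: FrozenSet[str]       # third parties the parent explicitly approved
    purposes: FrozenSet[str]         # purposes the parent explicitly approved
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False


@dataclass(frozen=True)
class ShareDecision:
    allowed: bool
    reason: str


def requires_consent(age: int, jurisdiction: str) -> bool:
    """Pick the age threshold for the user's jurisdiction (CA uses the higher CCPA age)."""
    threshold = CCPA_CHILD_AGE if jurisdiction == "CA" else COPPA_CHILD_AGE
    return age < threshold


def may_share_geolocation(age: int, jurisdiction: str,
                          consent: Optional[ParentalConsent],
                          recipient: str, purpose: str,
                          now: datetime = NOW) -> ShareDecision:
    """Decide whether a geolocation sample may leave the service for `recipient`.

    Every branch denies by default; only a fully validated consent allows the share.
    """
    if not requires_consent(age, jurisdiction):
        return ShareDecision(True, "user is above the child threshold for this jurisdiction")
    if consent is None:
        return ShareDecision(False, "no parental consent on record")
    if consent.revoked:
        return ShareDecision(False, "parental consent was revoked")
    if not consent.parent_verified:
        return ShareDecision(False, "consent was not verified as coming from a parent")
    if now >= consent.expires_at:
        return ShareDecision(False, "parental consent has expired")
    if recipient not in consent.recipients:
        return ShareDecision(False, f"recipient {recipient!r} not covered by consent")
    if purpose not in consent.purposes:
        return ShareDecision(False, f"purpose {purpose!r} not covered by consent")
    return ShareDecision(True, "verified, scoped, unexpired parental consent")


def sample_consent(**overrides) -> ParentalConsent:
    """Constructed sample record; keyword overrides let callers test failure modes."""
    fields = dict(
        child_id="child-0001",
        parent_verified=True,
        recipients=frozenset({"map-sdk-vendor"}),
        purposes=frozenset({"navigation"}),
        granted_at=NOW - timedelta(days=30),
        expires_at=NOW + timedelta(days=335),
        revoked=False,
    )
    fields.update(overrides)
    return ParentalConsent(**fields)


if __name__ == "__main__":
    # Walk through the decisions a reviewer would expect to see logged.
    cases = [
        ("no record", may_share_geolocation(10, "US", None, "map-sdk-vendor", "navigation")),
        ("valid", may_share_geolocation(10, "US", sample_consent(), "map-sdk-vendor", "navigation")),
        ("checkbox only", may_share_geolocation(10, "US", sample_consent(parent_verified=False),
                                                 "map-sdk-vendor", "navigation")),
        ("unlisted recipient", may_share_geolocation(10, "US", sample_consent(),
                                                      "analytics-vendor", "navigation")),
        ("expired", may_share_geolocation(10, "US", sample_consent(), "map-sdk-vendor",
                                          "navigation", now=LATER)),
        ("14yo in CA", may_share_geolocation(14, "CA", None, "map-sdk-vendor", "navigation")),
        ("14yo elsewhere", may_share_geolocation(14, "US", None, "map-sdk-vendor", "navigation")),
    ]
    for label, decision in cases:
        print(f"{label:18} allowed={decision.allowed!s:5} {decision.reason}")
```

The design choice worth noting is that the recipient and purpose are part of the consent record, so a new downstream developer (the situation alleged in the Apitor complaint) cannot receive data under a consent that was granted for a different party; the share is denied until a parent explicitly approves the new recipient.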
The settlement with Apitor Technology is a reminder that the convergence of privacy failures and security vulnerabilities in consumer IoT devices, especially those targeting children, remains a persistent challenge. While regulatory frameworks are evolving and becoming more stringent, the onus remains on manufacturers to design products with security and privacy built in from the outset. For the security community, these cases provide valuable insight into real-world threats, regulatory expectations, and the ongoing need for vigilance in an increasingly connected world.