Children’s toys are not just plain plastic happy meal give aways or board games that sit in the closet. Today they are interconnected and increasingly blend physical play with digital connectivity, safeguarding young users’ privacy has become a critical battleground. The Children’s Online Privacy Protection Act (COPPA), enacted in 1998 and enforced by the Federal Trade Commission (FTC), stands as a cornerstone of this protection. COPPA requires operators of websites and online services directed at children under 13 or those with actual knowledge that they’re dealing with kids in that age group to provide clear notice to parents about data collection practices and obtain verifiable parental consent before gathering, using, or disclosing personal information from these minors. Violations can lead to hefty civil penalties and injunctions, underscoring the law’s bite when companies prioritize features over safeguards.
The Allegations: Hidden Data Harvesting in Playtime
At the heart of the case were Apitor’s robot toys, which required users to download a mobile app to program and interact with the devices. For Android users, the app demanded location-sharing permissions to establish a connection, a seemingly innocuous step for seamless play. However, embedded within the app was a third-party software development kit (SDK) called JPush, developed by a Chinese entity. This SDK automatically began collecting precise geolocation data from the devices—pinpointing users’ exact locations—and transmitting it to JPush’s servers for unspecified uses, including potential advertising.
The FTC and DOJ alleged that Apitor knew or should have known this data included information from children under 13, given the toys’ target demographic. Despite privacy policies claiming COPPA compliance, Apitor failed to:
- Provide direct notice to parents about the collection of geolocation data by itself or the third party.
- Obtain verifiable parental consent prior to any such collection.
- Implement safeguards to prevent or limit the third-party access to children’s personal information.
This breach not only exposed children’s whereabouts but also routed the data to servers in China, raising additional concerns about cross-border data flows and potential misuse. The complaint highlighted a single count under COPPA: Apitor’s app acted as an “online service” directed at children, triggering the law’s protections, yet the company integrated unchecked third-party tools that bypassed them entirely.
The implications for children’s privacy are profound. Geolocation data is among the most sensitive under COPPA, as it can reveal home addresses, school routines, and daily movements—information ripe for exploitation in targeted ads, profiling, or worse. For parents, the violation meant their children’s playtime was unwittingly logging a digital trail without their knowledge, eroding trust in “kid-friendly” tech.
The Resolution: A Suspended Penalty and Binding Commitments
The saga concluded swiftly with a stipulated court order entered by the federal court on October 1, 2025, resolving the allegations without a full trial. Jointly proposed by the DOJ, FTC, and Apitor, the order imposes enforceable terms to prevent future lapses while addressing past harms.
Key provisions include:
- Injunction Against Future Violations: Apitor is permanently barred from collecting, using, or disclosing children’s personal information without first notifying parents directly and securing verifiable consent. The company must now vet all third-party software like SDKs for COPPA compliance before integration, ensuring no more “hidden” data grabs.
- Data Deletion Mandate: Apitor must delete all personal information collected from children in violation of COPPA, unless it retroactively notifies parents and obtains consent to retain it. This purge aims to erase the unauthorized digital footprints left by the app.
- Monetary Penalty: A $500,000 civil penalty was assessed, but it’s fully suspended due to Apitor’s demonstrated inability to pay. However, the full amount becomes due if Apitor is later found to have misrepresented its financials—a stern reminder of the consequences for non-compliance.
The FTC’s three commissioners unanimously approved referring the matter to the DOJ, with the order now carrying the full force of law. DOJ officials, including Assistant Attorney General Brett A. Shumate of the Civil Division, emphasized the case as a deterrent: “This resolution ensures Apitor takes children’s privacy seriously moving forward.”
Apitor Technologies’ Privacy Enforcement Court Order: A Wake-Up Call on Children’s Privacy in the Age of Smart Toys
Apitor’s case serves as a stark reminder that innovation in children’s products must not come at the expense of privacy. As smart toys proliferate equipped with apps, cameras, and connectivity—the onus is on manufacturers to embed COPPA compliance from the design stage, scrutinizing every third-party tool for risks. For parents, it underscores the need to review app permissions, privacy policies, and even toy packaging for data practices before handing over devices to kids. We are seeing this trend in children’s toys, educational institutions, healthcare apps. and just about any business that is collecting personal consumer data/
Broader Lessons for Tech-Enabled Toys and Parental Vigilance
While the suspended penalty may seem lenient, the injunction’s teeth lie in its ongoing oversight: any misstep could trigger the full fine and further enforcement. In a global market, this U.S. action also signals to international firms that COPPA’s reach extends beyond borders, protecting American children from unchecked data appetites abroad. As the DOJ and FTC continue their collaborative push, expect more scrutiny on the toy aisle’s digital underbelly ensuring play remains just that, without the strings of surveillance attached.
