The U.S. Department of Justice has sued toy maker Apitor Technology for allegedly allowing a Chinese third party to collect children’s geolocation data without their knowledge and parental consent.
A complaint filed by the Justice Department, following a notification from the Federal Trade Commission, alleges that Apitor violated the Children’s Online Privacy Protection Rule (COPPA) by failing to notify parents or obtain their consent before collecting their children’s location information.
Apitor, which sells robot toys for children aged 6-14, provides users with a free Android app that helps control the toy robots. To connect and use the toys, the users must enable location sharing.
However, the app also uses JPush, a third-party software development kit (SDK) that allows its developers to collect the kids’ precise location data for any purpose, including targeted advertising.
“Throughout this process, Apitor failed to notify parents that a third party was collecting geolocation information and obtain parents’ consent before collecting this data from children under the age of 13, as required by COPPA,” the FTC said on Wednesday.
Under a proposed settlement, Apitor will be required to ensure that any third-party software it uses also complies with COPPA and pay a $500,000 penalty. Although the penalty will be put on hold due to Apitor’s ongoing financial difficulties, the company will have to pay the full amount if it was dishonest about its finances.
Additional requirements include notifying parents before collecting data, obtaining their consent, deleting all collected personal information, and retaining data only as necessary.
“Apitor allowed a Chinese third party to collect sensitive data from children using its product, in violation of COPPA,” added Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection.
“COPPA is clear: Companies that provide online services to kids must notify parents if they are collecting personal information from their kids and get parents’ consent—even if the data is collected by a third party.”
On Tuesday, the FTC also announced that Disney will pay a $10 million civil penalty to settle claims that it enabled the collection of kids’ personal information without their consent or notifying their parents by mislabeling videos for children on YouTube.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
