On September 3, 2025, the United States Federal Trade Commission (FTC) announced in a press release that it had taken action against the Chinese robot toy manufacturer Apitor Technology. The action was taken because the company’s application (App) allowed third parties in China to collect precise location data of children under the age of 13 without parental consent, thereby violating the Children’s Online Privacy Protection Act (COPPA).
Apitor Technology is a Chinese company based in Shenzhen, Guangdong Province, specializing in the development and sales of STEM (Science, Technology, Engineering, Mathematics) educational robot kits designed for children and teenagers to learn programming and robotics.
The complaint was filed by the Department of Justice on behalf of the FTC, alleging that Apitor illegally collected “personal information,” contravening COPPA’s requirements of “prior parental notification” and “obtaining verifiable parental consent,” even if the collection was carried out by a third party.
Christopher Mufarrige, the Director of the Consumer Protection Bureau of the FTC, stated in the press release that “Apitor allowed Chinese third parties to collect sensitive data of children using their product, which violates the Children’s Online Privacy Protection Act. COPPA clearly stipulates that companies providing online services for children must notify parents and obtain parental consent when collecting children’s personal information – even if these data are collected by third parties.”
The FTC pointed out that Apitor’s Android App requested location permission and embedded the JPush SDK, a software development kit from the Chinese company JPush, resulting in the automatic collection and transmission of children’s precise location to servers in China without informing parents or children, and without obtaining verifiable parental consent, thus violating the provisions of the protection act.
Apitor is a manufacturer of STEM programming toys for children aged 6-14, but it is the third-party JPush SDK embedded in its App that actually collects and transmits the children’s location data. Regardless of the SDK’s actions, legal responsibility lies with Apitor, as it provides the product and service.
The allegations against Apitor are currently being processed, and the company has been asked to ensure compliance with the Children’s Online Privacy Protection Act. The proposed settlement terms include:
1) A fine of $500,000, which is currently in a “stay of execution” due to Apitor’s financial difficulties; if any financial deception is discovered later, the full fine will need to be paid;
2) Deletion of children’s data collected without consent (unless parents are subsequently notified and consent obtained);
3) Mandatory notification to parents and obtaining verifiable consent before collecting information in the future;
4) Limiting the data retention period to a reasonable and necessary duration;
5) Ensuring all third-party partners (such as SDKs) also comply with COPPA regulations.
COPPA, the Children’s Online Privacy Protection Act, was passed by the U.S. Congress in 1998 and became effective in 2000. Its aim is to protect the online privacy and safety of children under 13.
Since COPPA took effect, the FTC has penalized several well-known companies for violating it. Notable cases in recent years include:
– In 2019, YouTube was fined $170 million for tracking and collecting viewing data of children under 13 through cookies without informing California or obtaining consent for ad targeting. This led to significant reforms in the labeling and advertising modes for “child content” on YouTube.
– In 2019, TikTok (formerly Musical.ly) was fined $5.7 million for collecting children’s names, emails, and addresses without parental consent and allowing children’s profiles to be publicly searchable.
– In 2020, Disney/Viacom/Hasbro were fined approximately $10 million for using third-party ad SDKs in multiple children’s apps to collect data without parental knowledge.
– In 2022, Epic Games (Fortnite) allowed children to chat using voice/text in the game, collected personal data without parental consent, and misled players into making purchases. Epic Games was fined $275 million and an additional $245 million for settlement, making it one of the largest COPPA cases globally and one that affected how the gaming industry designs for children’s privacy.
– In 2023, Amazon (Alexa) was fined $25 million for collecting and retaining children’s voice recordings and location information without deleting them as requested by parents. Smart assistants became a new focal point of COPPA disputes.
These cases serve as reminders that even when data collection is done through “third-party code,” companies are still obligated to comply with COPPA regulations and uphold their responsibilities towards children’s privacy.
By ensuring that companies adhere to such laws and regulations, children’s digital privacy and safety can be better protected in today’s ever-evolving technological landscape.