Minor Coordinates, Major Concerns: FTC Case Signals Collecting Location Data Isn’t Child’s Play

On September 2, 2025, the Federal Trade Commission filed a complaint and proposed order against toy manufacturer Apitor Technology Co., Ltd. (Apitor), alleging that the company violated the Children’s Online Privacy Protection Act (COPPA) Rule by allowing a third-party software development kit (SDK) to collect children’s precise geolocation data without parental consent.

This enforcement action is a reminder that COPPA requires verifiable parental consent when a company that directs its services to children collects, uses, or discloses children’s personal information—even if a third party is collecting the data on the company’s behalf. 

Complaint

Apitor develops and markets robot toys intended for children ages 6 to 14. These robot toys require children to download an app, Apitor Kit, that is used to control the movements of the robots, and online marketing for Apitor’s toy robots encourages customers to download the app. Apitor integrated an SDK into the Android version of the Apitor Kit app that collected the precise geolocation data of the device on which the app was installed. If location permissions are not granted for the Apitor Kit app, the app will not connect to purchased Apitor robot toys. As alleged in the complaint, once location permissions are granted in the Apitor Kit app, the app collects precise geolocation data and transmits this data to the SDK’s servers without disclosing such collection or seeking verifiable parental consent. Although Apitor has a privacy policy that proclaims compliance with COPPA, the complaint alleges the privacy policy does not disclose that the Apitor Kit app for Android devices allows a third party to collect children’s geolocation information. Likewise, when setting up the Apitor Kit app by operating as a guest or registering an account, users encountered no disclosure of geolocation data collection and no request for verifiable parental consent as to such data collection. The complaint thus alleges such collection to be “surreptitious” because it “deprives parents of the ability to make an informed decision about the collection of their children’s location information.” 

The single count alleges that Apitor violated the COPPA Rule by failing to (1) provide direct notice to parents about Apitor’s practices regarding the collection of children’s data, (2) provide adequate notice on its website regarding the types of children’s information Apitor “collects, or causes to be collected on its behalf,” and (3) obtain verifiable parental consent before the collection of any personal information from children.

Order

Under the proposed settlement, Apitor agreed to a $500,000 civil penalty (suspended due to the company’s inability to pay) and injunctive measures. In particular, Apitor is required to: 

• Post a clear and conspicuous link on its website describing the company’s collection practices regarding children’s personal information.
• Obtain verifiable parental consent before the collection of personal information directly or through third parties and delete children’s personal information at the request of a parent.
• Refrain from maintaining children’s personal information “for longer than reasonably necessary to fulfill the purpose for which the information was collected.”
• Delete all personal information associated with any individual who used the Android version of the Apitor Kit app, unless Apitor provided direct notice and obtained verifiable parental consent for the information collected.
• Maintain records related to consumer complaints and refund requests related to Apitor’s privacy practices, and any response to such complaints or requests.
• Provide a written statement to the FTC, sworn under penalty of perjury, that (1) describes all processes through which Apitor provided direct notice and sought to obtain verifiable parental consent, (2) provides statistics regarding the total number of users for whom direct notice was provided and the total number of users for whom verifiable parental consent was obtained or declined, (3) describes in detail any personal information retained, and (4) affirms that all personal information required to be deleted by the stipulation has been deleted.

Takeaways

This complaint should serve as a cautionary reminder that entities subject to COPPA should be cognizant of data collection and other processing by third-party vendors. To avoid following in Apitor’s footsteps, companies that direct their services to children may wish to audit their systems to ensure that third-party SDKs and other third-party integrated services are not collecting or processing children’s personal information in a manner inconsistent with COPPA.