The U.S. Department of Justice (DOJ), acting on a referral from the Federal Trade Commission (FTC), has filed a complaint against Apitor Technology, the maker of children’s robotics kits, alleging that its Android app collected and shared minors’ precise geolocation data without adequate parental notice or consent. Regulators say a third‑party software development kit (SDK) from Jiguang’s JPush (Aurora Mobile, China) was used to harvest location data beginning in 2022, including for targeted advertising purposes.
DOJ and FTC Enforcement: Alleged COPPA Violations in Apitor’s Android App
The case centers on the Children’s Online Privacy Protection Act (COPPA), which requires online services directed to children under 13 to provide clear parental notice and obtain verifiable parental consent (VPC) before collecting personal information. Apitor markets toys for children ages 6–14 and distributes a companion app that requests location permissions on Android—often needed to enable Bluetooth functionality for device discovery.
How the JPush SDK Harvested Precise Location Data
According to the complaint, once location permissions were granted, the Apitor app began collecting precise coordinate data in the background and transmitting it to JPush servers. Regulators allege that parents and users were not told that a third party would receive location data, and that Apitor did not obtain VPC for this use of children’s information. This illustrates a common mobile supply‑chain risk: embedded SDKs may operate outside the app’s primary logic, maintain their own data flows, and leverage expanded permissions for analytics or advertising.
Settlement Terms: $500,000 Penalty and COPPA Compliance Obligations
Under a proposed settlement, Apitor would pay $500,000 and adopt a comprehensive COPPA compliance program. Required measures include aligning third‑party SDKs with COPPA, providing transparent parental disclosures, implementing verifiable parental consent, deleting previously collected personal information, and enforcing data minimization and retention limits.
Enforcement Backdrop: Children’s Privacy and Precise Location Under Scrutiny
The action fits a broader enforcement trend against misuse of children’s data and sensitive geolocation information. In recent years, the FTC has secured major COPPA settlements: $275 million from Epic Games (2022), $25 million from Amazon in the Alexa case (2023), and $6 million from Edmodo (2023). In parallel, the agency is pushing to restrict commercial exploitation of precise location, exemplified by its ongoing case against data broker Kochava initiated in 2022.
Security Risks of Third‑Party SDKs in Kids’ Apps and Connected Toys
Embedded SDKs are a frequent source of data leakage in mobile apps and the IoT toy ecosystem. SDKs may request broad permissions, run background processes, and transmit telemetry to their own infrastructure—sometimes for purposes misaligned with the host app’s stated functionality. In products used by children, the stakes are higher: precise geolocation, device identifiers, and behavioral profiles are treated as personal data and require heightened safeguards under COPPA and related privacy frameworks.
Practical Steps for Developers to Reduce COPPA and Supply‑Chain Risk
- Map data flows end‑to‑end: identify what is collected, by whom, where it is sent, and the legal basis for processing.
- Minimize collection: disable precise location unless strictly necessary; prefer coarse location and on‑demand access rather than background tracking.
- Evaluate SDKs for compliance (e.g., DPIA, privacy‑by‑design), use allowlists, and impose contractual bans on secondary data use.
- Implement robust VPC mechanisms (e.g., micro‑charge verification, document checks, or verified parent accounts).
- Provide transparent parental notices and clear in‑app prompts when requesting sensitive permissions.
- Set retention limits, define deletion procedures, and conduct periodic audits and network tests for background transmissions.
- Continuously monitor SDK updates; reassess permissions and outbound traffic after every version change.
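As an added example (not code from the article, Apitor, or the JPush SDK), the script below automates two of the audit steps above: it flags precise and background location permissions in a merged AndroidManifest.xml and lists outbound hosts in a traffic capture that are not on a first‑party allowlist. The manifest, the log format, and the hostnames are constructed samples.

```python
"""Constructed audit helper for the checks listed above: location permissions
in a merged manifest and outbound traffic to non-first-party hosts."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that matter most under COPPA: precise and background location.
LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background location",
}

def audit_manifest(manifest_xml: str) -> list[str]:
    """Return readable names of location-related permissions the merged manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = []
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name in LOCATION_PERMS:
            found.append(LOCATION_PERMS[name])
    return found

def audit_traffic(log_lines: list[str], first_party_hosts: set[str]) -> list[str]:
    """Return destination hosts not on the allowlist. Each line is assumed
    (constructed format) to look like '<timestamp> <method> <url>'."""
    unexpected = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlparse(parts[2]).hostname
        if host and host not in first_party_hosts:
            unexpected.add(host)
    return sorted(unexpected)

# Constructed sample manifest: Bluetooth pairing plus location permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>"""

# Constructed traffic log; the second host stands in for an embedded SDK's server.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z POST https://api.example-toy.test/v1/pair",
    "2024-01-01T10:00:05Z POST https://sdk-telemetry.placeholder.test/report?lat=0",
]

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))                         # ['precise location', 'background location']
    print(audit_traffic(SAMPLE_LOG, {"api.example-toy.test"}))      # ['sdk-telemetry.placeholder.test']
```

Run it against the real merged manifest from a build and a capture taken with the app idle in the background to surface SDK data flows the app's own code never initiates.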
The Apitor case underscores a central lesson: publishers are accountable for the data practices of their third‑party components. Organizations building children’s apps and IoT toys should operationalize privacy‑by‑design, rigorously govern SDK supply chains, and obtain verifiable parental consent before any collection of children’s personal data. Beyond reducing legal exposure, disciplined privacy engineering builds user trust—an essential currency in the digital products market for kids.