The FTC fined robot toy maker Apitor Technology $500,000 after discovering the company allowed a Chinese third-party developer to secretly harvest U.S. children’s location data without parental consent.
At a Glance
- Apitor Technology violated federal children’s privacy law COPPA by enabling unauthorized data collection
- The FTC settlement requires immediate deletion of all previously gathered children’s information
- Parents must be notified and provide consent for any future data collection
- The $500,000 penalty is currently suspended due to the company’s claimed financial hardship
FTC Enforcement Action
The Federal Trade Commission announced on September 4, 2025, that Apitor Technology, a toy manufacturer linked to China, had violated the Children’s Online Privacy Protection Act (COPPA). The company’s app, used to operate its educational robot toys, permitted a third-party Chinese developer to collect precise geolocation information from American children. This data harvesting occurred without parental disclosure or consent, a direct breach of COPPA requirements.
FTC Director Christopher Mufarrige underscored that parental consent is mandatory for all child data collection, including when outside developers are involved. The Commission’s enforcement requires Apitor to delete all previously gathered information, notify affected families, and ensure future compliance.
Watch now: FTC Announces Penalty Against Apitor Technology
FTC takes action against robot toy maker for allowing collection of children’s data without parental consent: https://t.co/H2HrWQZfQW /1
— FTC (@FTC) September 3, 2025
Supply Chain Gaps in Kids’ Tech
The Apitor case exposes broader weaknesses in how toy companies manage third-party integrations. The company’s reliance on external developers for app functionality created a pathway for unauthorized access to children’s personal data. Collected geolocation details could have pinpointed home addresses, school routes, and daily movement patterns, all without parental awareness.
Since its passage in 1998, COPPA has required businesses to provide clear notice and obtain verifiable parental consent before collecting data from children under 13. The law extends accountability to all parties handling such data, not only the primary service provider. By holding Apitor responsible for a partner’s violations, the FTC reinforced that manufacturers cannot avoid liability through outsourcing.
National Security Risks
Beyond privacy law, the case raises strategic security concerns. The collection of U.S. children’s location data by Chinese developers could inadvertently reveal sensitive information, including the routines of military families, access points to residential communities, or potential mapping of critical infrastructure. Without transparency on how the data was stored or shared, such practices create vulnerabilities extending well beyond consumer privacy.
The FTC’s action sends a strong deterrent signal that foreign firms cannot evade U.S. regulations by embedding themselves in domestic supply chains. Parents, regulators, and policymakers are now calling for tighter scrutiny of international partnerships in consumer technology, especially when children’s safety is at stake.
