FTC sues robot toy maker Apitor over children's privacy violations

The Federal Trade Commission filed a lawsuit against Chinese robot toy manufacturer Apitor Technology Co., Ltd. on September 2, 2025, alleging the company enabled unauthorized collection of children's geolocation data through its mobile app without obtaining proper parental consent. The Department of Justice complaint, filed in the Northern District of California, seeks permanent injunctions and civil penalties for violations of the Children's Online Privacy Protection Rule.

"Apitor failed to notify parents and obtain their consent before collecting, or causing a third party to collect, geolocation data from children as required by COPPA," the complaint states. The lawsuit centers on Apitor's integration of a third-party software development kit called JPush into its companion mobile app, which allegedly allowed the Chinese analytics provider to collect precise location information from users under 13 years old.

Robot toys require location permissions

Apitor sells programmable robot toys targeted to children ages 6-14 through online retailers including Amazon. The company markets these products as educational tools designed to teach coding skills through a companion mobile app called Apitor Kit. Children must download and operate this app to program and control their robot toys, making it essential for the product's functionality.

The complaint details how users with Android devices encounter mandatory location sharing requirements when attempting to connect their toys. "Enable location information permission for users to connect to the robot using Bluetooth to control the robot, or not to connect to the robot if permission is denied," the app message reads. Users who decline these permissions cannot connect to their purchased robot toys.

This requirement creates what the FTC describes as a coercive environment where children must sacrifice privacy protections to use products they have already purchased. The Apitor App has been downloaded thousands of times from the Google Play store, potentially affecting thousands of child users across the United States.

Third-party data collection through JPush

The central allegation involves Apitor's integration of JPush, a software development kit provided by Jiguang (Aurora Mobile Ltd.), a Chinese mobile developer and analytics provider. SDKs are common tools that app developers use to add functionality such as push notifications or usage analytics without developing these features internally.

JPush's privacy policy explicitly states that its SDKs collect and use location information when app users enable location permissions. The policy grants Jiguang broad latitude to use collected data for various purposes, including advertising and sharing with additional third parties.

"After Android users download the Apitor app, it begins collecting and sharing users' precise location data with JPush's servers, unbeknownst to child users and their parents," the complaint alleges. This data transmission occurs automatically in the background once location permissions are granted, without any additional disclosure or consent mechanisms.

The lawsuit emphasizes that parents and children receive no notification about this third-party data collection. Apitor's privacy policy mentions collecting various types of information from children but fails to disclose that the app allows third parties to collect geolocation data.

Privacy policy contradictions

Apitor's privacy policy contains a section entitled "Children's Privacy" declaring, "We care about children's privacy. We are committed to complying with the Children's Online Privacy Protection Act (COPPA)." The policy states that some personal information is stored locally on devices and "there is no uploading of such information to the web or Apitor servers."

However, the FTC alleges this representation is misleading given the JPush integration. While Apitor may not directly upload location data to its own servers, the company enabled a third party to collect this information through its app without proper disclosure or parental consent.

The privacy policy also claims Apitor will notify parents and obtain verifiable consent before "enabling certain data collecting features for their child." The complaint argues this commitment was not fulfilled regarding geolocation collection through JPush.

Users registering for Apitor App accounts or using the app as guests receive no prompts for verifiable parental consent regarding geolocation data collection. This represents a significant gap between stated privacy practices and actual implementation.

COPPA compliance requirements

The Children's Online Privacy Protection Act requires operators of websites or online services directed to children to meet specific requirements before collecting personal information from users under 13. These include providing clear notice to parents about data collection practices and obtaining verifiable parental consent before collecting, using, or disclosing children's personal information.

The COPPA Rule defines personal information broadly to include geolocation information sufficient to identify street names and city locations. This definition clearly encompasses the precise location data that JPush allegedly collected through the Apitor App.

Recent COPPA rule amendments that took effect June 23, 2025, strengthened these requirements with enhanced consent mechanisms for third-party data sharing. The timing of the Apitor lawsuit coincides with this heightened regulatory scrutiny of children's privacy practices in digital environments.

Enforcement patterns emerge

The Apitor case represents part of a broader FTC enforcement campaign targeting children's privacy violations across digital platforms. The Commission sued TikTok in August 2024 for alleged COPPA violations involving collection of personal data from children under 13 without proper parental consent.

Disney faced a $10 million penalty announced September 2, 2025, for failing to protect children's privacy on YouTube by improperly labeling child-directed videos and enabling targeted advertising to users under 13.

These enforcement actions demonstrate the FTC's commitment to vigorous COPPA enforcement amid the digital advertising industry's adaptation to children's privacy regulations. The cases collectively highlight challenges facing companies that integrate third-party technologies without adequate privacy safeguards.

Technical and business implications

The Apitor lawsuit illustrates risks associated with third-party SDK integration in children's apps. Software development kits often provide valuable functionality but can create compliance vulnerabilities when they collect data beyond the primary app operator's control or knowledge.

Companies developing children's products must evaluate not only their direct data collection practices but also any information gathering enabled through third-party integrations. This includes understanding the privacy policies and data use practices of SDK providers, particularly those based in jurisdictions with different privacy standards.

The case also highlights tensions between product functionality and privacy protection. Apitor's Bluetooth connectivity requirement created a technical dependency on location permissions, which the company then leveraged through JPush for additional data collection purposes.

Marketing industry impact

For the digital advertising industry, the Apitor case reinforces the importance of COPPA compliance in age-directed services. The lawsuit demonstrates how third-party analytics and advertising technologies can create liability for app operators who fail to provide proper notice and obtain consent.

Google's implementation of machine learning age detection systems reflects industry efforts to automatically identify and protect child users from inappropriate data collection and advertising. These technological approaches aim to address compliance challenges highlighted by cases like Apitor.

The case occurs as marketing professionals navigate increasingly complex children's privacy requirements across multiple jurisdictions. Companies must balance advertising revenue opportunities with regulatory compliance obligations and child safety considerations.

Legal proceedings ahead

The Northern District of California will hear the case under venue provisions that consider Google LLC's Santa Clara County headquarters relevant to claims involving Android app distribution through the Google Play Store. This jurisdictional approach reflects the interconnected nature of modern digital commerce and advertising systems.

The FTC seeks permanent injunctions preventing future COPPA violations, civil penalties for each violation of the rule, and additional relief deemed appropriate by the court. Civil penalties under COPPA can reach substantial amounts, particularly when violations affect thousands of children over extended periods.

Apitor must comply with multiple COPPA requirements including notifying parents before collecting children's personal information, obtaining verifiable parental consent before collection or use, deleting children's information at parental request, and retaining personal information only as long as reasonably necessary.

The case timeline will depend on Apitor's response to the complaint and potential settlement negotiations. Recent COPPA enforcement actions have often resulted in consent agreements rather than extended litigation, suggesting possible resolution paths for the parties.

Regulatory environment shifts

The Apitor enforcement action occurs amid significant changes to children's privacy regulations. The Interactive Advertising Bureau previously warned about proposed COPPA changes potentially limiting children's online access, though industry concerns have not deterred FTC enforcement efforts.

State-level privacy regulations and international frameworks continue developing alongside federal COPPA requirements. Companies operating globally must navigate multiple regulatory systems with varying approaches to children's privacy protection.

The cumulative effect of these enforcement actions and regulatory changes is reshaping how companies approach children's digital products and services. Traditional business models relying on extensive data collection and third-party sharing face increasing compliance costs and legal risks.

Timeline

• 2022: Apitor begins selling app-enabled robot toys directed to children ages 6-14
• 2020-2025: Alleged COPPA violations occur through JPush SDK integration
• June 23, 2025: New COPPA rules take effect with enhanced third-party consent requirements
• August 2024: FTC sues TikTok for alleged COPPA violations
• September 2, 2025: Disney agrees to $10 million settlement for YouTube children's privacy violations
• September 2, 2025: Department of Justice files lawsuit against Apitor Technology Co., Ltd.

Summary

Who: The Federal Trade Commission sued Apitor Technology Co., Ltd., a Chinese corporation that develops programmable robot toys for children ages 6-14.

What: The lawsuit alleges Apitor violated the Children's Online Privacy Protection Rule by enabling unauthorized collection of children's geolocation data through a third-party software development kit called JPush without obtaining proper parental notice and consent.

When: The complaint was filed September 2, 2025, covering alleged violations occurring since at least 2022 when Apitor began selling its robot toys through retailers like Amazon.

Where: The lawsuit was filed in the U.S. District Court for the Northern District of California, with jurisdiction based on Google LLC's Santa Clara County headquarters where the Apitor App was distributed through the Google Play Store.

Why: The FTC acted because Apitor allegedly collected precise geolocation data from thousands of children through mandatory location permissions required for Bluetooth connectivity, then enabled JPush to use this data for advertising and other purposes without parental awareness or consent, violating fundamental COPPA requirements designed to protect children's online privacy.