Apitor Technology Toys Transmitted Children's Geolocation Data to China

Red Dog Security

07 Sep 2025 — 2 min read

The U.S. Department of Justice (DOJ) has filed a lawsuit against toy manufacturer Apitor Technology, alleging that the company allowed a third party in China to collect children’s geolocation data without their knowledge or parental consent.

Alleged COPPA Violations

The lawsuit, filed by the DOJ after a referral from the Federal Trade Commission (FTC), claims that Apitor violated the Children's Online Privacy Protection Act (COPPA) by failing to notify parents about the collection of data and not obtaining consent before gathering precise location information.

Apitor Technology markets robotic toys for children aged 6–14, which are operated through a free Android app. To use the toys, children must grant the app permission to transmit location data.

According to the lawsuit, the app includes JPush, a third-party SDK developed by the Chinese company Jiguang (Aurora Mobile). Since 2022, JPush has allegedly collected precise geolocation data from thousands of children, using it for purposes such as targeted advertising.

How the Data Was Collected

“After Android users grant the Apitor app permission to access location, it begins collecting their precise geolocation data in the background and transmits it to JPush’s internet servers,” the lawsuit states.

“The respondent does not inform users that the app allows a third party to collect precise geolocation data and does not obtain parental consent for the collection of their children’s precise geolocation data.”

Settlement Terms

Under the proposed settlement, Apitor will be required to:

Ensure all third-party software complies with COPPA requirements
Notify parents about the collection of their children’s data
Obtain parental consent before collecting personal information
Delete all previously collected personal data
Retain children’s data only when strictly necessary

In addition, Apitor will pay a $500,000 fine.

Regulatory Response

The FTC emphasized that COPPA obligations apply even when data collection is carried out by third parties.

“COPPA is clear: companies providing online services to children must notify parents if they are collecting their children’s personal information and obtain parental consent—even if the data is being collected by a third party,” stated the FTC.

Kaspersky Lab Studies Hack Groups Attacking Russia

Kaspersky Lab specialists have conducted a technical analysis of the activity of 14 hacker groups that are actively targeting organizations in Russia, Belarus, and several other countries. Among them are hacktivist groups that appeared on the Russian threat landscape after 2022 and publicly identified themselves as “pro-Ukrainian.” Three Clusters of

Salesloft Temporarily Disables Drift Following Mass Data Theft

Salesloft has announced that it will temporarily disable its AI chatbot Drift starting September 5, 2025, after a large-scale supply chain attack resulted in the mass theft of authentication tokens. The Attack Last week it was revealed that hackers had compromised the Salesloft sales automation platform and stole OAuth and

Hacker Attack Disrupts Operations at Bridgestone

Japanese corporation Bridgestone—one of the world’s largest tire manufacturers—has reported a cyberattack that disrupted operations at several of its manufacturing plants in North America. Scope of the Attack The incident affected Bridgestone Americas (BSA), the company’s North American subsidiary. BSA operates 50 manufacturing plants with more

August Windows Updates May Hinder Application Installation

Microsoft has reported that the August 2025 Windows security updates may trigger unexpected User Account Control (UAC) prompts and cause issues with application installations. The bug affects users without administrator rights across all supported versions of Windows. Root Cause: Security Fix in Windows Installer The issue stems from a patch