(Reuters) — Electronic toymaker VTech has agreed to settle charges it violated a U.S. children's privacy law by collecting personal information without providing sufficient notice of its policies or obtaining verifiable parental consent, the Federal Trade Commission said Monday.

Hong Kong-based VTech Electronics Ltd. and its U.S. subsidiary agreed to pay $650,000 to settle the charges brought by the FTC, the U.S. agency said in a statement. The two are part of Hong Kong-based VTech Holdings Ltd.

The FTC alleged in a complaint filed by the Justice Department that the Kid Connect application sold with some of VTech's electronic toys collected personal information of hundreds of thousands of children without obtaining verifiable parental consent or providing sufficient notice of its information collection and use practices.

The firm also failed to take reasonable steps to secure the data it collected, the FTC said, and it made misleading claims about the extent to which information transmitted through its systems were encrypted to protect privacy.

Due to security shortcomings, a hacker in 2015 was able to access the VTech computer network and take personal information of customers, including names of adults and children as well as addresses and email addresses, the complaint said.

Although children's photos and audio files were stored in encrypted files, the hacker was able to access a database that included the decryption keys that would have permitted access to the pictures and audio files.

"The information was stored so that the children's information was linked to their parents' information. Thus, for example, if a child had submitted a photo ... the hacker could have found that photo, along with their physical address," the complaint said.

The complaint said VTech was unaware that the personal information of its customers had been copied from its computer network until a journalist contacted the firm about it.

Kaleigh Steinorth, a spokeswoman for VTech, said parents were fully aware of what personal information was being collected from their children and were fully in control of who the children could communicate with.

VTech used the information it collected solely to enable children and adults to communicate on the platform, not for marketing or other purposes, Ms. Steinorth said.