The Federal Trade Commission (“FTC”) recently issued an updated “Six-Step Compliance Plan for Businesses” (“Compliance Plan”) for entities subject to the Federal Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. §§ 6501-6506, to “reflect developments in the marketplace—for example, the introduction of internet-connected toys and other devices for kids.” COPPA requires that operators of online services that have actual knowledge that they are collecting personal information from children under 13, or that are directed to children and collect personal information from anyone, obtain verifiable parental consent before collecting, using or disclosing the children’s personal information. Unlike under Section 5 of the FTC Act, the FTC can issue, and has issued, rules under COPPA; these rules are enforced by the FTC and state attorneys general.

The updated Compliance Plan provides several critical changes, most importantly clarifying the types of entities and products that are covered by COPPA and providing additional methods for obtaining parental consent. First, the Compliance Plan clarifies that any company providing “connected toys or other Internet of Things devices” is covered by COPPA. The FTC Compliance Plan identifies a number of examples, including “mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads); internet-enabled gaming platforms; plug-ins; advertising networks; internet-enabled location-based services;” and, under certain conditions, voice-over internet protocol services.

Second, the updated Compliance Plan identifies additional ways to obtain verifiable parental consent prior to using a child’s personal information. Obtaining verifiable parental consent is a challenging aspect of COPPA compliance and previously, the FTC had only enumerated the following permissible methods of obtaining consent:

  • Provide a consent form for a parent to sign and return (via email, mail, fax);
  • Require a parent to use a credit card, debit card, or some other online payment system that notifies the account holder of a transaction;
  • Ask the parent to verify their identity by calling a phone number with trained agents or connecting with the entity by videoconference; or
  • Email the parent and request that the parent respond to the email while also conducting an additional confirmatory step (i.e., following up with the parent via phone or mail).

The updated Compliance Plan seeks to ease this burden by permitting a COPPA covered entity to obtain verifiable consent using the methods described above or through the following:

  • Ask a series of knowledge-based authentication questions that would be challenging for someone other than a parent to answer; or
  • Utilize facial recognition technology to compare a verified photo ID, such as driver’s license, with a second photo submitted by the parent.

The Compliance Plan also reiterates that entities subject to COPPA must post a COPPA compliant privacy policy that “clearly and comprehensively describes how personal information collected online from kids under 13 is handled,” and details “not only your practices, but also the practices of any others collecting personal information on your site or service—for example, plug-ins or ad networks.” Such a policy must also inform parents about their rights, including (i) that the entity will not require a child to disclose more information than is reasonably necessary to participate in an activity; (ii) that a parent can review their children’s personal information, direct the entity to delete it and refuse to permit any further collection or use of their child’s information; (iii) that, unless disclosure is part of the service, parents can agree to collection and use—but not disclosure to third parties—of their child’s personal information; and (iv) the necessary procedures parents must take to exercise these rights.

Although not all web-connected products or services are subject to COPPA, to the extent that an entity’s product or service is directed to children under 13, it is critical to review the FTC’s updated Compliance Plan and consider whether it is necessary to modify personal information-related policies and procedures accordingly.