The FTC has updated its Children’s Online Privacy Protection Rule (COPPA) Six-Step Compliance Plan for Your Business “to reflect developments in the marketplace” – including the introduction of internet-connected toys and the Internet of Things.
COPPA applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The primary goal of COPPA is to place parents in control over what information operators of websites collect from their young children on the Internet.
In its updated COPPA Compliance Plan, the FTC cautions that COPPA applies not only to websites and mobile apps, but also “to the growing list of connected devices that make up the Internet of Things.” These devices include connected toys and other products intended for children that collect personal information, such as voice recordings or geolocation data. The updated COPPA Compliance Plan also discusses two recently-approved methods for obtaining parental consent:
- ask a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer, and
- request a copy of a parent’s driver’s license or other photo identification and then compare that photo to a second photo submitted by the parent using facial recognition technology.
The FTC issued its updated guidance on COPPA less than a month after receiving a letter from U.S. Sen. Mark R. Warner (D-VA) concerning the agency’s efforts to protect children’s privacy following several high-profile instances of children’s data allegedly being hacked through internet-connected “smart toys.” According to multiple media reports, CloudPets, a product line marketed as “a message you can hug,” stored customers’ personal data in an insecure, public-facing online database. CloudPets reportedly exposed over 800,000 customer credentials and more than two million voice recordings sent between parents and children. Subsequent reports raised questions about security at the device level, with individuals able to hack CloudPets’ toys and remotely control the devices, including the microphone, if they are within Bluetooth range. Sen. Warner also inquired about FTC action in relation to the children’s doll “My Friend Cayla.” In December 2016, privacy advocates filed a complaint with the FTC regarding the doll and raised concerns that it can be used for unauthorized surveillance. In February 2017, Germany’s equivalent of the FTC pulled “My Friend Cayla” off the market due to concerns over the doll’s surveillance capabilities.
Companies should consider how new ways of collecting data, such as voice-activated devices that collect personal information from children, may subject them to obligations under COPPA. The FTC’s guidance also serves as a general reminder to all business to consider how new ways of collecting data from consumers – children and adults alike – may impact their compliance obligations under applicable privacy regulations.