- Companies with significant consumer base among children under 13 should carefully assess business processes.
- FTC update to COPPA trends toward broader regulation of internet of things.
As younger and younger children connect to the internet, and as internet-connected devices, including toys, become more and more commonplace, it is no surprise that regulators are increasingly turning their attention to how children’s privacy and the dramatic growth in demand for these toys intersect.
The Federal Trade Commission once again took the lead in providing regulatory guidance for connected toys when, on June 21, it updated its Children’s Online Privacy Protection Act (COPPA) compliance plan for companies that sell internet-connected children’s toys and devices. On July 17, the Federal Bureau of Investigation followed suit by issuing a public service announcement cautioning parents on the security issues inherent in these toys. The FTC and FBI notices come on the heels of an open letter to the FTC from U.S. Senator Mark R. Warner (D-VA) calling for increased efforts to protect children’s privacy following several high-profile instances of children’s data being hacked.
COPPA prohibits unfair and deceptive acts and practices in connection with the collection, use and/or disclosure of children’s personal information on the internet. In 2013, the FTC issued an amended rule that, in part, modified the definition of “personal information” that cannot be collected without verifiable parental consent to also include photographs, voice recordings and device identifiers. However, in 2013, internet-connected toys, or “smart toys,” were still in their infancy. Recently, a class action lawsuit alleging that Mattel recorded children’s conversations with its Hello Barbie doll – a talking doll with internet-based speech recognition – without parental consent renewed national attention on toys and children’s privacy. Another lawsuit filed by consumer action groups against the creator of My Friend Cayla and i-Que Robot challenged the data collection and surveillance capabilities of the two toys. Specifically, the lawsuit alleged that data collected from these toys can easily be hacked due to the lack of controls around how data is shared and retained. Nevertheless, the FTC has yet to take action. That may change, however, as the FTC’s and FBI’s closely timed actions may signal that a related enforcement campaign is forthcoming.
The updated compliance plan makes clear that a company providing smart toys to children is covered by COPPA under the definition of a “website or online service,” and the company must take several specific steps to ensure that personal information is collected and handled in compliance with COPPA:
- Determine whether its products are collecting children’s “personal information”;
- Notify parents directly about the company’s information practices before collecting a child’s personal information;
- Obtain verifiable parental consent before collecting a child’s personal information;
- Honor parents’ ongoing decisions regarding the processing of a child’s personal information (such as refusing the further use of the child’s personal information or requesting that the child’s personal information be deleted); and
- Implement reasonable security procedures to protect children’s personal information.
In addition, the compliance plan provides two new ways a company may obtain verifiable parental consent when required under COPPA:
- Have the parent answer a series of knowledge-based authentication questions that would be challenging for someone other than the parent to answer; and
- Verify a picture of a driver’s license or other photo identification submitted by the parent and compare that photo to a second photo using facial recognition technology.
Companies that have a significant consumer base among children under 13 and offer smart toys should carefully review company operations and advertising programs and assess whether they need to update their consent procedures in response to the updated compliance plan. Beyond smart toys, the updated FTC guidance may also represent a trend toward broader regulation of the internet of things. The FTC is likely to focus not only on data collection missteps, but also on potential security flaws.