Take out the microphone and get ready to record! Just don’t ask any personal questions and make sure that you’re prepared to then dump it all. This sums up the guidance provided by the Federal Trade Commission in a recently released Enforcement Policy. The Policy was released in response to frequently raised concerns from industry members regarding the need for developers of voice-commanded technologies to comply with the Children’s Online Privacy Protection Act (COPPA) Rule, particularly where such technologies are designed for home use and may record the voices of children. Under the Policy, the FTC has stated that it will not take action against companies that offer devices that can record the voices of children if several requirements are met:
- No information may be requested from a child that would otherwise qualify as personal information under COPPA.
- The audio files must be held for a brief period for the sole purpose of routing the request and then destroyed. Therefore, these may not be used for behavioral advertising, profiling, or any purpose beyond using the audio file to implement the command.
- All other COPPA requirements remain untouched.
The concerns above are primarily targeting companies that develop technologies that are likely to collect audio recordings from child users. This serves as welcome news as many in the technology industry were left unclear regarding the application of COPPA to audio files collected by Internet of Things (IoT) connected devices. This is a particular concern given that the development of these technologies is on the rise and children act as active participants with many devices.
Subject to limited exceptions, the COPPA Rule prohibits operators of child-directed websites and/or those with knowledge that they attract children from collecting personal information from children without first obtaining verifiable parental consent. Under the COPPA Rule, “personal information” is defined to include geolocation data, screen and usernames, persistent identifiers, photographs and videos, as well as audio files that contain a child’s image or voice. Given this, the voice collection that takes place with IoT devices that are placed in the home that may be used to order items, search the Internet, or complete other tasks may technically fall within the purview of the COPPA Rule.
Tablets or toy watches that permit children to ask questions regarding the time and weather would be considered child-directed IoT devices that may have triggered the need for parental consent. The creators of such clearly child-focused devices may be clearer about the need to comply with COPPA. However, a device that permits anyone in the vicinity to ask questions may also be covered by the COPPA Rule where it is known that children are interacting with the device. This is an area in which many developers have faced difficulty with compliance and have often been unsure about the need to obtain parental consent. Now, based upon the recently released Enforcement Policy, many of these concerns have been put to rest. The FTC will not take action as long as the recording meets the four criteria listed above.
Mindful of the limitations attached to the recent Enforcement Policy, creators of IoT devices should still be cautious to ensure that they otherwise comply with the COPPA Rule. There are still some questions surrounding application of the COPPA Rule in the IoT context—particularly in connection with items placed in homes for general audiences whose collection extends beyond the four criteria listed. Given this, developers involved with IoT devices should conduct a thoughtful COPPA analysis during the development phase and when preparing privacy notices to determine if, when, and how parental consent may be collected.