Recently, the Federal Trade Commission (FTC) released its updated six-step compliance plan for businesses which may be subject to the Children’s Online Privacy Protection Act (COPPA). This updated plan provides companies with guidance on whether they are subject to COPPA, which regulates collection of personal information of children under 13, and if so, how to comply. The plan has been updated to reflect developments in the marketplace and developing technology.

COPPA applies to “websites or online services” that: (1) are directed to children and personal information is collected about them, either by the operator of the online services or third parties; (2) are directed to a general audience, but the operator has actual knowledge that its collects personal information from children under 13; or (3) are an ad network or plug-in and have actual knowledge personal information of kids under 13 collected. If the website or online services are subject to COPPA, then you must post a COPPA-compliant privacy policy, and obtain verifiable parental consent prior to collecting personal information of children under 13. You must also honor parents’ ongoing rights with respect to their choices regarding the personal information of their child, such as honoring their request to delete the information, and provide reasonable security to protect the personal information collected from children.

The updated plan provides the following key changes:

  • IoT and Connected Devices Covered: The updated plan clarifies that COPPA applies to the connected devices that make up the Internet of Things (IoT), including specifically “connected toys”. The FTC also states that new technologies such as voice-activated devices that collect personal information may affect companies’ obligations under COPPA. As a result, as more companies offer IoT devices, including devices that collect voice recordings, geolocation data, persistent identifiers from connected devices and other personal information of kids under 13, it will be important to consider and evaluate one’s COPPA obligations.
  • Two New Parental Consent Methods: COPPA requires parental permission to collect information online from children under 13 prior to such collection, which presents challenges to many companies. The updated guidance includes two new approved methods for obtaining parental consent: (1) asking knowledge-based authentication questions, and (2) using facial recognition technology to match a driver’s license photo and additional photo submitted by the parent.

As a result of these changes, companies, particularly those which are offering IoT devices directed at children under 13 or may have actual knowledge they are collecting personal information, which may include geolocation data and device identifiers, of children under 13, should evaluate their COPPA compliance obligations.