Recently, the Federal Trade Commission (FTC) released its updated six-step compliance plan for businesses which may be subject to the Children’s Online Privacy Protection Act (COPPA). This updated plan provides companies with guidance on whether they are subject to COPPA, which regulates collection of personal information of children under 13, and if so, how to comply. The plan has been updated to reflect developments in the marketplace and developing technology.
The updated plan provides the following key changes:
- IoT and Connected Devices Covered: The updated plan clarifies that COPPA applies to the connected devices that make up the Internet of Things (IoT), including specifically “connected toys”. The FTC also states that new technologies such as voice-activated devices that collect personal information may affect companies’ obligations under COPPA. As a result, as more companies offer IoT devices, including devices that collect voice recordings, geolocation data, persistent identifiers from connected devices and other personal information of kids under 13, it will be important to consider and evaluate one’s COPPA obligations.
- Two New Parental Consent Methods: COPPA requires parental permission to collect information online from children under 13 prior to such collection, which presents challenges to many companies. The updated guidance includes two new approved methods for obtaining parental consent: (1) asking knowledge-based authentication questions, and (2) using facial recognition technology to match a driver’s license photo and additional photo submitted by the parent.
As a result of these changes, companies, particularly those which are offering IoT devices directed at children under 13 or may have actual knowledge they are collecting personal information, which may include geolocation data and device identifiers, of children under 13, should evaluate their COPPA compliance obligations.