The Federal Trade Commission (FTC) has been an active gatekeeper when it comes to children's privacy. Since 2000, the Commission has brought more than two dozen complaints against online operators under the Children's Online Privacy Protection Rule (COPPA Rule), which requires that "verifiable parental consent" be obtained by "covered operators" before they can collect any personal information from a child.
In 2013, the FTC amended the COPPA Rule, adding video, audio, and images to its definition of "personal information." However, the amended Rule triggered questions about "whether the practice of collecting audio files that contain a child's voice, immediately converting the audio to text, and deleting the file containing the voice recording triggers COPPA's requirements."
Increasingly, voice is replacing written words in online searches or when individuals -including children - give commands to connected devices or apps. Recognizing this, the FTC released a new policy enforcement statement that makes clear the Commission "will not take action against an operator for not obtaining parental consent before collecting the audio file with a child's voice when it is collected solely as a replacement of written words, such as to perform a search or to fulfill a verbal instruction or request - as long as it is held for a brief time and only for that purpose."
Thus, while the collection of voice data constitutes "collection" of personal information from a child under the COPPA Rule, and is not otherwise subject to an express exception to COPPA's parental consent requirement, the FTC's enforcement policy guidance provides a welcome dose of common sense. The FTC will exercise enforcement discretion when operators of websites and services collect personal information from children in specific, limited circumstances. The policy covers only those situations where "the audio file is used 'solely as a replacement of written words'" and "(a) it is used only for that purpose (running a search, fulfilling an instruction) and (b) it is held only for a brief period of time." It will not apply if the operator or manufacturer requests "information that would otherwise be viewed as personal, such as the child's name." Covered operators must also make clear in their privacy policies how they will collect, store and delete audio files.
The FTC's new guidance is a good example of how to take a commonsense approach to the real-world implications of COPPA's parental consent requirement. The temporary nature of the voice-command technology relied on by many operators convinced FTC of the wisdom of using enforcement discretion to create a narrow exception to strict reliance on pre-collection verifiable parental consent. Furthermore, the FTC guidance demonstrates that where children's personal information is not at risk, regulators can agree to minimize the burden on both operators and parents while making IoT products available to children in a privacy-safe way.