December 1, 2020

Volume X, Number 336


November 30, 2020

Subscribe to Latest Legal News and Analysis

FTC Staff Publish COPPA Guidance for Businesses

The FTC staff published today a “Six-Step Compliance Plan” for businesses to comply with the Children’s Online Privacy Protection Act (COPPA).

The guidance, which provides a useful framework for businesses, states explicitly that COPPA applies to connected toys and other devices that collect personal information from children over the Internet.  The FTC’s 2013 revisions to the COPPA Rule greatly expanded the scope of the COPPA Rule by broadening the definition of “personal information” in two ways.  First, the definition now includes persistent identifiers, such as device IDs and IP addresses.  Second, the definition now covers audio, video, and image files of children.  Internet-connected toys and devices often collect persistent identifiers and voice or video information in order to function.  (Importantly, there are a number of other elements that must be met for COPPA to apply, and various exceptions that permit the collection of some types of information.)

The guidance does not, however, break new ground on COPPA’s substantive requirements.  For example, the two new parental consent methods that the guidance references — requiring a parent to answer a series of “knowledge-based” challenge questions and using facial recognition technology to compare the parent’s selfie and driver’s license — were approved by the FTC in 2013 and 2015, respectively.

As a result, the guidance misses an opportunity to address, for example, best practices to de-identify voice data or to confirm that other verifiable parental consent methods (such as a parent’s informed purchase of a connected toy) should be sufficient under COPPA.

© 2020 Covington & Burling LLPNational Law Review, Volume VII, Number 173



About this Author

Lindsey Tonsager, Covington, regulatory and public policy lawyer

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws. She co-chairs the firm’s Artificial Intelligence Initiative.

In addition to assisting clients engage strategically with the Federal Trade Commission, Federal Communications Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement...

415 591 7061