Trying to keep pace with developments in internet-connected toys and other devices for children, the Federal Trade Commission (“FTC”) announced June 21, 2017 that it has updated its guidance, a “Six-Step Compliance Plan for Your Business,” for complying with the Children’s Online Privacy Protection Act (“COPPA”). COPPA is intended to help parents control what information is collected from young children. The FTC’s updated guidance, which is intended to help businesses understand when COPPA applies and how to comply with COPPA, includes the following changes:
Broad Covered Technologies: COPPA applies not only to websites and mobile apps. The guidance makes clear that COPPA can also can apply to the expanding universe of connected devices that make up the Internet of Things. That includes internet-connected toys and other products intended for children that collect personal information, like children’s geolocation data or voice recordings.
Additional Methods for Getting Parental Consent: Getting parents’ permission before collecting personal information from children under 13 has always been a keystone of COPPA. The revised guidance expands acceptable means to collect consent, allowing for answering of knowledge-based challenge questions it would be difficult for someone not the child’s parent to answer, and using facial recognition technology to match an image submitted by the parent with their verified driver’s license.
Devices not directed to children, but used by children, like voice-activated personal assistants and wearables (like connected jackets, shoes, or pins), are creating COPPA issues for services that might not be considered directed to children. Even if your website, app, or connected device is not for children, it is prudent to know and assess COPPA’s potential requirements on your business.