March 18, 2018

March 16, 2018

Subscribe to Latest Legal News and Analysis

March 15, 2018

Subscribe to Latest Legal News and Analysis

Voice-Activated Devices May Collect Audio from Children

The US Federal Trade Commission (FTC)’s newly-released “Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings” policy provides that parental consent is no longer required when a child’s voice is collected solely “as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request.” The audio file collected from a child must only be “for a limited purpose and immediately destroyed.”


Children’s “personal information” is one of the foundational concepts of the Children’s Online Privacy Protection Rule (COPPA Rule). When passed by the FTC in 1999, the COPPA Rule pronounced that operators of commercial websites or online services directed at children needed to obtain parental consent before collecting a child’s “personal information.”

At the time of its passing, the COPPA Rule’s definition of “personal information” included a child’s name, address, and social security number. In 2013, the FTC amended the COPPA Rule, expanding the definition to include a photograph, video, or audio file that contains a child’s image or voice.

FTC’s New Policy on the Content of Children’s Speech

Recognizing the proliferation of voice-controlled devices that offer many benefits to their users, the FTC announced a new approach and published a new policy in late October providing that the content and context of a child’s speech matters. The FTC’s “Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings” allows for the collection of an audio file containing a child’s voice “solely as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request” without parental consent.

This policy is rooted in two important considerations: (1) that there is value in using voice as a replacement for written words to perform “search and other functions on internet-connected devices”; and (2) that there is little risk the audio file will be used to contact a child as long as certain procedures are followed. To allow companies to deliver that value and to manage that risk, the FTC’s policy requires that companies abide by the following procedures:

  • In a privacy policy, provide clear notice about the collection of audio files, the use of those files, and the deletion policy;

  • Use the audio file only as a replacement for written words, such as to effectuate an instruction or request, and not to collect what “otherwise would be considered personal information under the Rule, such as name”;

  • Do not make use of the audio file in the brief period before it is destroyed to conduct “behavioral targeting” for “profiling purposes” or “identification purposes”;

  • Do not post, sell, or otherwise share the audio file with third parties; and

  • Maintain the audio file long enough to accomplish the limited purpose for which the file was collected, and then immediately delete it.

Practical Implications

Companies that have a significant consumer base among children under the age of 13 and offer internet-connected toys or devices, including those directed at children, should consider the type of speech they are collecting from children. Because there remains ambiguity about the exact content of the speech that may be collected without parental consent, companies should ensure that only declarative “instruction[s] or request[s]” are collected from children under the age of 13 without parental consent.

International Perspective

When the new General Data Protection Regulation (GDPR) is in force, on 25 May 2018, European countries can set the age at which children are capable of consenting themselves to the processing of their personal data between the ages of 13 and 16. Parental consent must be obtained for those under the age of 13. On this point, therefore, there will not necessarily be uniformity across the EU countries. “Personal data” under the GDPR is broadly defined and includes any written information or other recorded data, including video files and photos, from which an individual is or can be identified.

Copyright © 2018 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author


Gregory T. Parks is a partner in Morgan Lewis's Litigation Practice, with a focus on commercial, privacy and consumer matters for retailers, financial services organizations, and other businesses. Mr. Parks counsels and represents clients in a wide variety of matters, including consumer class actions, data privacy class actions, privacy and data security compliance, litigation involving retailers, disputes arising from mergers and acquisitions, contract and indemnification matters, and fraud lawsuits.

Pulina Whitaker, Morgan Lewis, European privacy Lawyer, Acquisitions attorney

Pulina Whitaker focuses her practice on a variety of labor and employment matters, including transactional employment law in sales and acquisitions; acting for corporations and multinationals in defense of claims for unfair dismissal, discrimination claims related to sex, race, religion, age, and disability, and breach of contract claims; European data privacy and antibribery issues; whistleblower hotlines for European-based companies and compliance with Sarbanes-Oxley Act requirements; and other international investigations and compliance matters.