September 30, 2020

Volume X, Number 274

September 30, 2020

Subscribe to Latest Legal News and Analysis

September 29, 2020

Subscribe to Latest Legal News and Analysis

September 28, 2020

Subscribe to Latest Legal News and Analysis

Voice-Activated Devices May Collect Audio from Children

The US Federal Trade Commission (FTC)’s newly-released “Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings” policy provides that parental consent is no longer required when a child’s voice is collected solely “as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request.” The audio file collected from a child must only be “for a limited purpose and immediately destroyed.”


Children’s “personal information” is one of the foundational concepts of the Children’s Online Privacy Protection Rule (COPPA Rule). When passed by the FTC in 1999, the COPPA Rule pronounced that operators of commercial websites or online services directed at children needed to obtain parental consent before collecting a child’s “personal information.”

At the time of its passing, the COPPA Rule’s definition of “personal information” included a child’s name, address, and social security number. In 2013, the FTC amended the COPPA Rule, expanding the definition to include a photograph, video, or audio file that contains a child’s image or voice.

FTC’s New Policy on the Content of Children’s Speech

Recognizing the proliferation of voice-controlled devices that offer many benefits to their users, the FTC announced a new approach and published a new policy in late October providing that the content and context of a child’s speech matters. The FTC’s “Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings” allows for the collection of an audio file containing a child’s voice “solely as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request” without parental consent.

This policy is rooted in two important considerations: (1) that there is value in using voice as a replacement for written words to perform “search and other functions on internet-connected devices”; and (2) that there is little risk the audio file will be used to contact a child as long as certain procedures are followed. To allow companies to deliver that value and to manage that risk, the FTC’s policy requires that companies abide by the following procedures:

  • In a privacy policy, provide clear notice about the collection of audio files, the use of those files, and the deletion policy;

  • Use the audio file only as a replacement for written words, such as to effectuate an instruction or request, and not to collect what “otherwise would be considered personal information under the Rule, such as name”;

  • Do not make use of the audio file in the brief period before it is destroyed to conduct “behavioral targeting” for “profiling purposes” or “identification purposes”;

  • Do not post, sell, or otherwise share the audio file with third parties; and

  • Maintain the audio file long enough to accomplish the limited purpose for which the file was collected, and then immediately delete it.

Practical Implications

Companies that have a significant consumer base among children under the age of 13 and offer internet-connected toys or devices, including those directed at children, should consider the type of speech they are collecting from children. Because there remains ambiguity about the exact content of the speech that may be collected without parental consent, companies should ensure that only declarative “instruction[s] or request[s]” are collected from children under the age of 13 without parental consent.

International Perspective

When the new General Data Protection Regulation (GDPR) is in force, on 25 May 2018, European countries can set the age at which children are capable of consenting themselves to the processing of their personal data between the ages of 13 and 16. Parental consent must be obtained for those under the age of 13. On this point, therefore, there will not necessarily be uniformity across the EU countries. “Personal data” under the GDPR is broadly defined and includes any written information or other recorded data, including video files and photos, from which an individual is or can be identified.

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved.National Law Review, Volume VII, Number 319


About this Author

Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...

Pulina Whitaker, Morgan Lewis, labor and employment lawyer

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international employee misconduct investigations and has been appointed as a Compliance Monitor for a transnational organization.