Voice-Activated Devices May Collect Audio from Children
The US Federal Trade Commission (FTC)’s newly-released “Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings” policy provides that parental consent is no longer required when a child’s voice is collected solely “as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request.” The audio file collected from a child must only be “for a limited purpose and immediately destroyed.”
Children’s “personal information” is one of the foundational concepts of the Children’s Online Privacy Protection Rule (COPPA Rule). When passed by the FTC in 1999, the COPPA Rule pronounced that operators of commercial websites or online services directed at children needed to obtain parental consent before collecting a child’s “personal information.”
At the time of its passing, the COPPA Rule’s definition of “personal information” included a child’s name, address, and social security number. In 2013, the FTC amended the COPPA Rule, expanding the definition to include a photograph, video, or audio file that contains a child’s image or voice.
FTC’s New Policy on the Content of Children’s Speech
Recognizing the proliferation of voice-controlled devices that offer many benefits to their users, the FTC announced a new approach and published a new policy in late October providing that the content and context of a child’s speech matters. The FTC’s “Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings” allows for the collection of an audio file containing a child’s voice “solely as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request” without parental consent.
This policy is rooted in two important considerations: (1) that there is value in using voice as a replacement for written words to perform “search and other functions on internet-connected devices”; and (2) that there is little risk the audio file will be used to contact a child as long as certain procedures are followed. To allow companies to deliver that value and to manage that risk, the FTC’s policy requires that companies abide by the following procedures:
Use the audio file only as a replacement for written words, such as to effectuate an instruction or request, and not to collect what “otherwise would be considered personal information under the Rule, such as name”;
Do not make use of the audio file in the brief period before it is destroyed to conduct “behavioral targeting” for “profiling purposes” or “identification purposes”;
Do not post, sell, or otherwise share the audio file with third parties; and
Maintain the audio file long enough to accomplish the limited purpose for which the file was collected, and then immediately delete it.
Companies that have a significant consumer base among children under the age of 13 and offer internet-connected toys or devices, including those directed at children, should consider the type of speech they are collecting from children. Because there remains ambiguity about the exact content of the speech that may be collected without parental consent, companies should ensure that only declarative “instruction[s] or request[s]” are collected from children under the age of 13 without parental consent.
When the new General Data Protection Regulation (GDPR) is in force, on 25 May 2018, European countries can set the age at which children are capable of consenting themselves to the processing of their personal data between the ages of 13 and 16. Parental consent must be obtained for those under the age of 13. On this point, therefore, there will not necessarily be uniformity across the EU countries. “Personal data” under the GDPR is broadly defined and includes any written information or other recorded data, including video files and photos, from which an individual is or can be identified.