In June, the FTC updated its guidelines for businesses complying with the Children’s Online Privacy Protection Rule (COPPA) to address new products and toys that are connected to the internet.
COPPA requires that websites that direct products or services to children under the age of 13, and/or otherwise collect personal information online from children under 13, post a privacy policy notifying parents of the collection of personal information, obtain parents’ verifiable consent before its collection, and implement procedures to protect the personal information.
These updated guidelines address new business models in the marketplace, new products, and new methods for obtaining parental consent. The updated Compliance Plan recognizes that companies have new ways of collecting data, such as voice-activated devices that capture personal information. The updated Compliance Plan also addresses new products geared towards children that go beyond a standard website, such as internet-enabled location-based services, voice-over internet protocol services, and toys or devices connected to the internet (commonly referred to as “Internet of Things” or “IoT” devices). Finally, the Compliance Plan recognizes two newly-approved methods for parents to provide consent before collecting information from children under the age of 13. Those new methods are: Parents can provide consent by answering a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer, or they can provide a driver’s license or other form of photo ID that can be compared to a second photo submitted by the parent using facial recognition technology.
The FTC’s announcement of the updated Compliance Plan was accompanied by a statement that the guidance is an effort to assist businesses in light of “developments in the marketplace.” Recent news stories have highlighted security and privacy concerns related to children’s IoT products or toys. Earlier this year, Spiral Toys, a toy company that sold internet-connected teddy bears called CloudPets, exposed customer data on a database when it failed to protect the database behind a firewall or by using password protection. CloudPets allowed children and parents to record and share messages with each other. The failure to institute basic security protections exposed more than 800,000 customer credentials, as well as two million recordings between children and their parents.
Last year, a coalition of consumer privacy advocates, including the Electronic Privacy Information Center (EPIC), filed a complaint with the FTC against Genesis Toys and alleged that the toy manufacturer’s My Friend Cayla doll and i-Que Intelligent Robot had the capabilities to eavesdrop on children and their families. Genesis Toys allegedly then sent records to text-to-speech company Nuance Communications, which also has contracts with law enforcement and the military. The Complainants alleged that the privacy disclosures for these products did not explain what information was collected from children, how that information was used or where it ended up. They also alleged that Genesis failed to obtain the consent of parents before collecting the data. As of January 2017, the FTC announced that it was reviewing the complaint. EPIC’s complaint helped guide the FTC’s COPPA Compliance Plan.
In 2015, Vtech, a manufacturer of toys and gadgets for children, including tablets, phones and baby monitors, suffered a large-scale data breach when a hacker accessed customer data on the company’s Learning Lodge app store customer database. The data breach exposed the personal information of approximately 5 million parents and 200,000 children. The information accessed included the names, email addresses, passwords, and home addresses of parents as well as the first names, genders and birthdays of children.
Companies should use the updated Compliance Plan as an opportunity to review their products and services and determine whether they fall within the scope of COPPA.