Tech & Sourcing @ Morgan Lewis


In May 2017, Senator Mark Warner of Virginia sent a letter to the Federal Trade Commission (FTC) raising concerns about the security of data collected, transmitted, and/or stored by internet-connected products geared toward children. FTC acting Chairman Maureen Ohlhausen sent a response letter discussing Senator Warner’s concerns and the FTC’s enforcement of the Children’s Online Privacy Protection Act (COPPA), and the FTC released updated guidance on COPPA compliance in late June 2017.

COPPA aims to protect children by enforcing certain requirements and prohibitions related to the collection, use, and disclosure of data collected from and about children. The FTC’s rules implementing COPPA cover

  • a notice for the collection, use, and disclosure of information collected from children;
  • related parental consent requirements;
  • the provision of a means for parents to review such information and prevent its further use;
  • the prohibition of conditioning children’s game participation, prize eligibility, or other activities on children disclosing more personal information than is reasonably necessary for such participation; and
  • necessary steps to protect the confidentiality, security, and integrity of such collected information, among other requirements.

For a more detailed overview of COPPA and its implementing rules, see the prior LawFlash written by Morgan Lewis partner Ron Del Sesto.

Acting Chairman Ohlhausen’s response letter highlighted the FTC’s ability to enter into enforcement proceedings and promulgate rules to update COPPA regulations under the Administrative Procedures Act as a means to meet changes in technology. Updates to the FTC’s guidance on COPPA compliance include the application of COPPA rules to internet-connected devices and new methods for obtaining parental consent.

The full FTC COPPA compliance guidance covers

  • when COPPA applies to a company,
  • privacy policy compliance with COPPA,
  • notification requirements under COPPA,
  • adequate parental consent and certain exceptions,
  • ongoing parental rights related to personal information collected from children, and
  • reasonable security procedures.

It is important to determine whether COPPA applies to your company, and if so, to ensure your business practices comply with COPPA.