A recent update of the FTC’s COPPA compliance plan for businesses focuses on internet-connected toys and devices aimed at children; FBI issues a Public Service Announcement with a similar focus.
In recent weeks—and just in time for the back-to-school season—both the Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) have made clear that they are focused on kids’ privacy, particularly as it relates to internet-connected or “smart” toys and other devices directed at children. The FTC recently updated its six-step compliance plan for businesses to comply with the Children’s Online Privacy Protection Act (COPPA). Similarly, the FBI released a Public Service Announcement about the dangers of internet-connected toys and other kids’ devices.
COPPA prohibits unfair or deceptive acts and practices in connection with the collection, use, and/or disclosure of personal information on the internet from and/or about children. COPPA is one of the strictest privacy statutes in the world, and even has been touted as a model by European and other regulators in jurisdictions known for more rigid privacy laws than are typically found in the United States. COPPA applies to websites or other online services such as mobile apps that collect personal information from children under the age of 13.
Among other requirements, the FTC’s rules implementing COPPA require
For a more detailed overview of COPPA and its implementing rules, see our prior LawFlash on the subject.
The “Hello Barbie” doll sparked national attention around connected toys and children’s privacy after a class action lawsuit alleged that Mattel recorded children’s conversations with the doll without parental consent. In response to such developing technology—particularly “smart” toys like Hello Barbie that are directed at children—the FTC updated its six-step COPPA compliance plan for businesses (Compliance Plan). The updated Compliance Plan addresses two key changes: (1) new internet-connected products for children and (2) new methods to secure verifiable parental consent.
Internet-Connected Toys or Other Internet of Things Devices
The updated Compliance Plan makes clear that any company providing “connected toys or other Internet of Things devices” is covered by COPPA—falling within COPPA’s definition of a “website or online service.” The Compliance Plan also covers new ways of collecting information, such as voice-activated devices that collect personal data from children.
Updates to Verifiable Parental Consent: Data Collection Methods
The Compliance Plan now includes the following two additional ways that companies can obtain verifiable parental consent:
Emphasizing that the challenges related to internet-connected toys are more than theoretical, last week, the FBI took the unusual step of issuing a Public Service Announcement warning consumers about privacy risks associated with internet-connected toys.
The FBI warning encourages consumers to “consider cyber security prior to introducing smart, interactive, internet-connected toys into homes or trusted environments” and “examine toy company user agreement disclosures and privacy practices, and know where [your] family’s personal data is sent and stored, including if it’s sent to third-party services.”
The FBI identifies COPPA as the consumer law protecting children and provides a number of recommendations for consumers to protect themselves when using “smart” toys, such as researching toys’ internet and device connection and security measures (including whether the toys can receive firmware and/or software updates and security patches), as well as carefully reading disclosures and privacy policies.
Companies that have a significant consumer base among kids under 13 and that offer internet-connected toys or devices should carefully review company operations and advertising programs in response to the updated Compliance Plan. COPPA is vigorously enforced by the FTC and state attorneys general, and the added attention in these areas will only increase the level of scrutiny for companies.
In addition, when the new European General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, any organization targeting the European consumer market will need to consider the obligation of “privacy by design” as well as provide a privacy notice to any individual whose data is collected through smart toys or internet-connected devices. Consent from a parent or guardian also will be required to process a child's personal data. The GDPR states that, if consent is the basis for processing a child’s personal data, a child under the age of 16 cannot give such consent and, instead, consent is required from a person holding “parental responsibility”—but note that the GDPR does permit EU member states to provide for a lower age in law, as long as it is not below 13.
The updates from the FTC and FBI—as well as the continued focus on these issues in the European market—highlight the risks and challenges around kids’ privacy, and can serve as an opportune reminder for companies to revisit policies, processes, and procedures to ensure full compliance in this area.
Morgan Lewis has experience advising clients on children’s privacy matters, including designing privacy-compliant apps, websites, and devices, as well as successfully handling FTC and other government investigations related to children’s privacy. We routinely advise a wide array of consumer and technology companies on these issues. If we can be of assistance to you, please contact any of the following Morgan Lewis lawyers.
Ron Del Sesto