FTC and FBI Issue Compliance Reminder on Children’s Online Privacy Protection Act

August 01, 2017

A recent update of the FTC’s COPPA compliance plan for businesses focuses on internet-connected toys and devices aimed at children; FBI issues a Public Service Announcement with a similar focus.

In recent weeks—and just in time for the back-to-school season—both the Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) have made clear that they are focused on kids’ privacy, particularly as it relates to internet-connected or “smart” toys and other devices directed at children. The FTC recently updated its six-step compliance plan for businesses to comply with the Children’s Online Privacy Protection Act (COPPA). Similarly, the FBI released a Public Service Announcement about the dangers of internet-connected toys and other kids’ devices.


COPPA prohibits unfair or deceptive acts and practices in connection with the collection, use, and/or disclosure of personal information on the internet from and/or about children. COPPA is one of the strictest privacy statutes in the world, and even has been touted as a model by European and other regulators in jurisdictions known for more rigid privacy laws than are typically found in the United States. COPPA applies to websites or other online services such as mobile apps that collect personal information from children under the age of 13.

Among other requirements, the FTC’s rules implementing COPPA require

  • direct notice to a parent about a company’s personal information practices;
  • ·verifiable parental consent before any collection, use, and/or disclosure of personal information of children under the age of 13;
  • a means for parents to review such information and prevent its further use;
  • a conspicuously posted privacy policy that clearly and comprehensively describes how personal information collected online from children under 13 is handled;
  • a prohibition on conditioning children’s game participation, prize eligibility, or other activities on children disclosing more personal information than is reasonably necessary for such participation; and
  • steps to protect the confidentiality, security, and integrity of such collected information.

For a more detailed overview of COPPA and its implementing rules, see our prior LawFlash on the subject.

Updated COPPA Compliance Plan

The “Hello Barbie” doll sparked national attention around connected toys and children’s privacy after a class action lawsuit alleged that Mattel recorded children’s conversations with the doll without parental consent. In response to such developing technology—particularly “smart” toys like Hello Barbie that are directed at children—the FTC updated its six-step COPPA compliance plan for businesses (Compliance Plan). The updated Compliance Plan addresses two key changes: (1) New internet-connected products for children and (2) new methods to secure verifiable parental consent.

Internet-Connected Toys or Other Internet of Things Devices

The updated Compliance Plan makes clear that any company providing “connected toys or other Internet of Things devices” are covered by COPPA—falling within COPPA’s definition of a “website or online service.” The Compliance Plan also covers new ways of collecting information such as voice-activated devices that collect personal data from children.

Updates to Verifiable Parental Consent: Data Collection Methods

The Compliance Plan now includes the following two additional ways that companies can obtain verifiable parental consent:

  1. Having the parent answer a series of knowledge-based authentication questions that would be challenging for someone other than the parent to answer
  2. Verifying a picture of a driver’s license or other photo identification submitted by the parent and comparing that photo to a second photo using facial recognition technology

FBI Also Focuses on Internet-Connected Toys

Emphasizing that the challenges related to internet-connected toys are more than theoretical, last week, the FBI took the unusual step of issuing a Public Service Announcement warning consumers about privacy risks associated with internet-connected toys.

The FBI warning encourages consumers to “consider cyber security prior to introducing smart, interactive, internet-connected toys into [] homes or trusted environments” and “examine toy company user agreement disclosures and privacy practices, and know where [your] family’s personal data is sent and stored, including if it’s sent to third-party services.”

The FBI identifies COPPA as the consumer law protecting children and provides a number of recommendations for consumers to protect themselves when using “smart” toys such as researching toys’ internet and device connection and security measures (including whether the toys can receive firmware and/or software updates and security patches) as well as carefully reading disclosures and privacy policies.

Practical Implications

Companies that have a significant consumer base among kids under 13 and that offer internet-connected toys or devices should carefully review company operations and advertising programs in response to the updated Compliance Plan. COPPA is vigorously enforced by the FTC and state attorneys general, and the added attention in these areas will only increase the level of scrutiny for companies.

In addition, when the new European General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, any organization targeting the European consumer market will need to consider the obligation of “privacy by design” as well as provide a privacy notice to any individual whose data is collected through smart toys or internet-connected devices. Consent from a parent or guardian also will be required to process a child's personal data. The GDPR states that, if consent is the basis for processing a child’s personal data, a child under the age of 16 cannot give such consent and, instead, consent is required from a person holding “parental responsibility”—but note that the GDPR does permit EU member states to provide for a lower age in law, as long as it is not below 13.

The updates from the FTC and FBI—as well as the continued focus on these issues in the European market—highlight the risks and challenges around kids’ privacy, and can serve as an opportune reminder for companies to revisit policies, processes, and procedures to ensure full compliance in this area.

How We Can Help

Morgan Lewis has experience advising clients on children’s privacy matters, including designing privacy-compliant apps, websites, and devices, as well as successfully handling FTC and other government investigations related to children’s privacy. We routinely advise a wide array of consumer and technology companies on these issues. If we can be of assistance to you, please contact any of the following Morgan Lewis lawyers.

Greg Parks
Ezra Church
Kristin Hadgis

San Francisco
Reece Hirsch

Washington, DC
Ron Del Sesto