Voice-Activated Devices May Collect Audio from Children

November 15, 2017

A new FTC policy eliminates the requirement to obtain parental consent to collect a recording of a child’s voice in certain circumstances.

The US Federal Trade Commission (FTC)’s newly-released “Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings” policy provides that parental consent is no longer required when a child’s voice is collected solely “as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request.” The audio file collected from a child must only be “for a limited purpose and immediately destroyed.”


Children’s “personal information” is one of the foundational concepts of the Children’s Online Privacy Protection Rule (COPPA Rule). When passed by the FTC in 1999, the COPPA Rule pronounced that operators of commercial websites or online services directed at children needed to obtain parental consent before collecting a child’s “personal information.”

At the time of its passing, the COPPA Rule’s definition of “personal information” included a child’s name, address, and social security number. In 2013, the FTC amended the COPPA Rule, expanding the definition to include a photograph, video, or audio file that contains a child’s image or voice.

FTC’s New Policy on the Content of Children’s Speech

Recognizing the proliferation of voice-controlled devices that offer many benefits to their users, the FTC announced a new approach and published a new policy in late October providing that the content and context of a child’s speech matters. The FTC’s “Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings” allows for the collection of an audio file containing a child’s voice “solely as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request” without parental consent.

This policy is rooted in two important considerations: (1) that there is value in using voice as a replacement for written words to perform “search and other functions on internet-connected devices”; and (2) that there is little risk the audio file will be used to contact a child as long as certain procedures are followed. To allow companies to deliver that value and to manage that risk, the FTC’s policy requires that companies abide by the following procedures:

  • In a privacy policy, provide clear notice about the collection of audio files, the use of those files, and the deletion policy;
  • Use the audio file only as a replacement for written words, such as to effectuate an instruction or request, and not to collect what “otherwise would be considered personal information under the Rule, such as name”;
  • Do not make use of the audio file in the brief period before it is destroyed to conduct “behavioral targeting” for “profiling purposes” or “identification purposes”;
  • Do not post, sell, or otherwise share the audio file with third parties; and
  • Maintain the audio file long enough to accomplish the limited purpose for which the file was collected, and then immediately delete it.

Practical Implications

Companies that have a significant consumer base among children under the age of 13 and offer internet-connected toys or devices, including those directed at children, should consider the type of speech they are collecting from children. Because there remains ambiguity about the exact content of the speech that may be collected without parental consent, companies should ensure that only declarative “instruction[s] or request[s]” are collected from children under the age of 13 without parental consent.

International Perspective

When the new General Data Protection Regulation (GDPR) is in force, on 25 May 2018, European countries can set the age at which children are capable of consenting themselves to the processing of their personal data between the ages of 13 and 16. Parental consent must be obtained for those under the age of 13. On this point, therefore, there will not necessarily be uniformity across the EU countries. “Personal data” under the GDPR is broadly defined and includes any written information or other recorded data, including video files and photos, from which an individual is or can be identified.

How We Can Help

Morgan Lewis advises clients on children’s and educational privacy matters, including designing compliant apps, websites, and devices, as well as successfully handling FTC and other government investigations related to children’s privacy. We routinely advise a wide array of consumer and technology companies on these issues. If we can be of assistance to you, please contact any of the following Morgan Lewis lawyers:

Pulina Whitaker

Greg Parks
Ezra Church
Kristin Hadgis

San Francisco
Reece Hirsch

Silicon Valley
Mark Krotoski

Washington, DC
Ron Del Sesto