By William Baker.
The Children's Online Privacy Protection Act ("COPPA") restricts the collection by online services of personal information from children under the age of 13. Enacted in 1998 with the initial purpose of deterring predators from contacting children through online chat rooms, COPPA as applied now restricts many categories of information collection, including targeting advertising, and applies to far more than merely websites. Recent guidance from the Federal Trade Commission - noting its applicability to Internet-connected devices and "smart" toys - highlights the broad scope of the law.
COPPA applies to websites that are directed to children under 13, or that have actual knowledge that they are collecting personal information from such young children. The law generally prohibits such sites from collecting personal information from children under 13 without "verifiable parental consent," with certain limited collection exceptions. The FTC has promulgated a regulation to implement COPPA (found at 16 C.F.R. Part 312), and has brought numerous enforcement actions. Helpfully, the FTC has published guidance on how businesses can comply, which it recently revised.
What makes COPPA compliance particularly challenging are the definitions of "website or online service" and "personal information." The FTC's recent revision to its guidelines emphasized that COPPA applies not only to conventional websites and similar online services, but also to a wide range of devices, including those connected to the Internet of Things:
- other Internet of Things devices, including voice-activated devices.
Thus, something as seemingly innocent as a connected child's toy may trigger a host of complex compliance obligations. A fundamental issue is what entity is the "operator" of an Internet-connected toy - the toy company or the technology company whose service is built into the device.
Adding to the complexity is a broad definition of "personal information." Congress defined the term in conventional terms - first and last name, physical address, email address, telephone number, and Social Security number - but also included "any other identifier that the Commission determines permits the physical or online contacting of a specific individual." Using this authority, the FTC has defined "personal information" to include such items as persistent IP addresses, processor serial numbers, photographs and audio files of a child's image or voice, and geolocation information to the street and town level.
A further challenge is that the FTC interprets "collect" to include not merely active receipt of input information (such as entering an email address) but also passive tracking. Thus, it is fairly easy for a business to inadvertently trigger COPPA compliance obligations through normal activity where children are involved.
The FTC's revised guidance also includes two new methods by which operators may confirm the identity of a parent for the purpose of obtaining the necessary verifiable parental consent. One is a knowledge-based test, asking questions to which only a parent would likely know the answers. The second allows operators to use facial recognition software to compare a photo image of a parent with a different image known to be that of the parent.
Businesses have experience designing websites and, in recent years, mobile apps in ways that comply with COPPA. However, designing Internet of Things devices in a manner that accommodates COPPA can be problematic. As businesses increasingly introduce IoT devices, they must remain aware of the risks if the devices are directed to children under 13 or knowingly collects personal information from pre-teens.
Note: This Bulletin is not intended as legal advice. Readers should seek professional legal counseling before acting on the information it contains.