The FTC staff published today a “Six-Step Compliance Plan” for businesses to comply with the Children’s Online Privacy Protection Act (COPPA).

The guidance, which provides a useful framework for businesses, states explicitly that COPPA applies to connected toys and other devices that collect personal information from children over the Internet.  The FTC’s 2013 revisions to the COPPA Rule greatly expanded the scope of the COPPA Rule by broadening the definition of “personal information” in two ways.  First, the definition now includes persistent identifiers, such as device IDs and IP addresses.  Second, the definition now covers audio, video, and image files of children.  Internet-connected toys and devices often collect persistent identifiers and voice or video information in order to function.  (Importantly, there are a number of other elements that must be met for COPPA to apply, and various exceptions that permit the collection of some types of information.)

The guidance does not, however, break new ground on COPPA’s substantive requirements.  For example, the two new parental consent methods that the guidance references — requiring a parent to answer a series of knowledge-based” challenge questions and using facial recognition technology to compare the parent’s selfie and driver’s license — were approved by the FTC in 2013 and 2015, respectively.

As a result, the guidance misses an opportunity to address, for example, best practices to de-identify voice data or to confirm that other verifiable parental consent methods (such as a parent’s informed purchase of a connected toy) should be sufficient under COPPA.

 

Print:
EmailTweetLikeLinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.