On June 21, 2017, the FTC updated its COPPA Compliance Guidance for businesses. The new guidance includes new descriptions of services and products covered by COPPA, and new methods for obtaining parental consent.
Though the guidance is new, the subjects of the guidance generally are not; for example, “internet-enabled location-based services” have long been within the ambit of COPPA because geolocation information has long been part of the definition of “personal information” of children that COPPA regulates. However, the new guidance confirms the FTC’s continued interest in these areas.
So what are the FTC’s declared areas of focus?
- Voice-activated devices that collect personal data, including location data. As we have written, Amazon’s Alexa and similar devices are creating a host of unresolved privacy issues. The FTC now adds to that list the potential that voice-activated devices may collect data from children without parental consent.
- Internet-connected toys. This inclusion is particularly interesting given the March 2017 filing of a complaint with the FTC by privacy advocates regarding internet-connected dolls. More broadly, this should be seen to signal continued interest in any part of the Internet of Things that the FTC may consider to be child-directed.
- Parental consent based on authentication questions and facial recognition. These too are not new, because the COPPA Rule allows new parental verification methods to be proposed and added, as we have noted.
These updates reflect the FTC’s efforts to keep pace in regulating a space that is moving very quickly. The rapid proliferation of connected devices is creating COPPA issues with a large number of services that, at first blush, might not be considered directed to children (although, as we have stated repeatedly, COPPA compliance matters for general audience websites, too). The guidance signals that the FTC expects those offering all of these services to examine their policies and take the necessary COPPA precautions.