The Federal Trade Commission (FTC) clarified in recent guidance how the Children’s Online Privacy Protection Act (COPPA) applies to internet-connected device companies and other businesses that collect and use children’s voice recordings.
COPPA compliance is necessary for all commercial websites and online or mobile service operators that collect personal information of children under the age of 13. Previously, the FTC has released clarifying updates regarding requirements for companies obtaining verifiable parental consent and the applicability of the law to educational institutions and businesses that provide online services to educational institutions. More recently, it has become important for new business models, such as those involved with Internet of Things devices, to understand how they can remain in compliance with COPPA obligations. In light of COPPA enforcement actions in recent years, we have prepared a helpful guide to ensure businesses know how to avoid violations.
The recent FTC guidance elaborated on instances in which the agency will continue to take enforcement actions against businesses that collect and use children’s voice recordings.
The FTC may take enforcement action when:
-
An organization requests and collects voice information that would otherwise be considered personal information under COPPA, including, for example, a child’s name.
-
The organization fails to provide notice of its collection, use, and deletion policy for the audio files in its privacy policy.
-
The organization uses the audio file before it is destroyed, such as for behavioral targeting or profiling; voice-recognition identification; or posting, selling, or sharing the file with third parties.
To ensure compliance given these recent clarifications, organizations subject to COPPA should examine their practice of collecting audio files containing a child’s voice. Further the FTC reminded organizations that this guidance did not affect existing COPPA compliance requirements, such as obtaining verifiable parental consent when collecting other types of personal information.
Eric Halliday and Alex Blutman contributed to this post.