The FTC staff published today a “Six-Step Compliance Plan” for businesses to comply with the Children’s Online Privacy Protection Act (COPPA).
The guidance, which provides a useful framework for businesses, states explicitly that COPPA applies to connected toys and other devices that collect personal information from children over the Internet. The FTC’s 2013 revisions to the COPPA Rule greatly expanded the scope of the COPPA Rule by broadening the definition of “personal information” in two ways. First, the definition now includes persistent identifiers, such as device IDs and IP addresses. Second, the definition now covers audio, video, and image files of children. Internet-connected toys and devices often collect persistent identifiers and voice or video information in order to function. (Importantly, there are a number of other elements that must be met for COPPA to apply, and various exceptions that permit the collection of some types of information.)
The guidance does not, however, break new ground on COPPA’s substantive requirements. For example, the two new parental consent methods that the guidance references — requiring a parent to answer a series of “knowledge-based” challenge questions and using facial recognition technology to compare the parent’s selfie and driver’s license — were approved by the FTC in 2013 and 2015, respectively.
As a result, the guidance misses an opportunity to address, for example, best practices to de-identify voice data or to confirm that other verifiable parental consent methods (such as a parent’s informed purchase of a connected toy) should be sufficient under COPPA.