The Federal Trade Commission has updated its guidance for businesses on complying with the Children’s Online Privacy Protection Act. The updated “Six-Step Compliance Plan for Your Business,” released June 21, outlines how to determine whether a business is covered by COPPA and how to comply with the law. The revised plan reflects three evolving areas: (1) the development of new internet-connected products for children, (2) new technology for collecting data and (3) new methods for securing parental consent.
Internet-connected toys and devices. The updates emphasize that COPPA doesn’t apply only to websites and mobile apps. The guidance also adds internet-connected toys and devices intended for children, which may collect personal information, including voice recordings and geolocation data, to the products covered by COPPA.
New data collection methods. New data collection technology could affect a company’s COPPA obligations. For example, voice-activated devices are increasingly being used to collect personal information, and companies that sell or incorporate these devices into their products may need to consider whether COPPA applies and to review and update their compliance efforts.
New methods for parental consent. The updated revised plan recognizes two recently approved methods for securing parental consent before collecting personal information online from children under 13: asking knowledge-based authentication questions and using facial recognition to get a match with a verified photo ID.
Compliance. The FTC has already demonstrated that businesses could pay a hefty price for COPPA violations. In December 2016 settlements with the agency, two developers of mobile apps for children paid a total of $360,000 in civil penalties for violating the privacy of children under age 13. LAI Systems LLC paid a $60,000 civil penalty, and Retro Dreamer paid $300,000. The FTC maintained the developers’ apps for children violated COPPA because the apps let third-party advertisers collect personal information to create targeted advertising for the app based on users’ activity over time and across sites. The FTC accused the app makers of failing to tell third-party advertisers that the apps are made for children and failing to require the advertisers to refrain from child-targeted advertising.
To help businesses determine and meet their obligations under COPPA, the FTC updated and reissued its “Six-Step Compliance Plan for Your Business” to reflect the new developments in products, data collection technology and parental consent.