FTC Reaffirms that IoT Devices Must Comply with COPPA
The Internet of Things (“IoT”) can be thought of as a group of different devices that can communicate with each other, perhaps over a network such as the internet. We have written extensively about many of the privacy challenges that IoT devices can create. Recently, the Federal Trade Commission (“FTC”) made clear that its Children’s Online Privacy Protection Rule (the “COPPA Rule”) would continue to be applicable to new business models, including “the growing list of connected devices that make up the Internet of Things. That includes connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data.”
To assist companies in complying with their COPPA obligations, the FTC has released an updated Six Step Compliance Plan. These steps are:
Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.
Step 2: Post a Privacy Policy that Complies with COPPA.
Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.
Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.
Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.
Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.
Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement
Notably, per Step 1, the FTC has made it clear that COPPA defines “Website or Online Service” broadly, to include “mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads), internet-enabled gaming platforms, plug-ins, advertising networks, internet-enabled location-based services, voice-over internet protocol services, connected toys or other Internet of Things devices.” A key takeaway for companies everywhere is that, if your service collects personal information from kids under 13, it is unlikely that the FTC will be swayed by an argument that your service is not subject to the COPPA Rule. Instead, entities would be wise to either limit their data collection activities such that personal information is not collected, or take the time to understand and comply with their COPPA obligations from the outset.
If your IoT device or app does collect personal information from kids under 13, “verifiable parental consent” is the most important compliance concept, and also tricky to implement. There are exceptions to this “verifiable parental consent” requirement in the COPPA Rule, but those exceptions are limited and reliance on any exception should only be done with careful consideration of your collection practices and the COPPA Rule.
Similarly, the FBI has warned consumers that Internet-connected toys present privacy concerns for children. Companies may wish to pay particular attention to the recommendations that the FBI has for consumers, as many of them involve the consumer researching whether the company has used basic measures to protect the privacy of children who use these toys, including using authentication and encryption as well as providing for security patches at the device level. Companies may wish to consider whether these suggestions could form part of the basis for a reasonable standard of care, and whether, given their IoT devices’ “use case,” a failure to support one or more of these measures could subject them to additional liability.
If you have any questions regarding COPPA compliance, please do not hesitate to contact the team at Mintz Levin.