On June 21, 2017, the Federal Trade Commission (FTC) updated one of its Children’s Online Privacy Protection Act (COPPA) compliance guides for businesses. Known as the “Six-Step Compliance Plan,” this document provides a step-by-step road map for determining if a company is covered by COPPA and what to do to comply.
COPPA applies to operators of websites and online services that collect “personal information” from children under 13 years of age, where the site or service is directed to children or has actual knowledge that it is collecting personal information from a child. COPPA’s coverage extends to a variety of online services, such as mobile apps, internet-enabled gaming platforms, and – in some cases – companies that collect personal information directly from users of another website or online service (such as ad networks and plug-ins).
The FTC’s updated guidance further clarifies the broad scope of “online services” under COPPA. For instance, the guidance specifies that COPPA can apply to internet-connected toys. The updates include information on COPPA’s coverage of
- New data collection activities, such as voice-activated devices that collect personal information; and
- New products, such as internet-enabled devices for kids that collect personal information and other “Internet of Things” devices.
The FTC’s updates also include information on new consent mechanisms to satisfy COPPA’s parental consent requirement, such as the use of knowledge-based authentication questions that would be difficult for someone other than the parent to answer or the use of facial recognition technology to match a face to a verified photo identification. These methods are now recognized by the FTC as acceptable consent mechanisms that can satisfy COPPA’s “verifiable” parental consent requirement.
The FTC issued its guidance update a month after U.S. Senator Mark Warner sent a letter to the FTC asking the agency about its efforts to protect children’s privacy following several high-profile instances of children’s data allegedly being hacked. Children’s privacy historically has been a focus of the FTC’s enforcement and oversight efforts, and this updated guidance signals the Commission’s continued attention to this area.
Additional information on COPPA’s obligations can be found on the FTC’s children’s privacy guidance website, which includes the updated Six-Step Compliance Plan, the FTC’s “Complying with COPPA: Frequently Asked Questions” guidance, and other materials. The COPPA rule is codified at 16 CFR Part 312.