The Federal Trade Commission (FTC) has recently updated its compliance plan for businesses regarding the Children’s Online Privacy Protection Act (COPPA). Ultimately, the COPPA places control over a child’s engagement with a website or online service with his or her parents. The FTC previously released a six-step compliance plan for businesses who collect personal information from children under the age of 13, outlining the requirements under the COPPA and how businesses may best comply, and this update addresses the ever-evolving effect of technology on data collection practices.
The updates to the FTC’s compliance plan reflect the increasing impact of evolving technologies, both in the applicability of COPPA requirements on a greater range of businesses, and in the way in which businesses are permitted to obtain permission from parents to engage in data collection activities with their children. There are three key updates to the compliance plan.
First, the updated compliance plan addresses the advancing way in which companies are collecting personal information from children. The updated compliance plan expands to new business models that are collecting data through less traditional channels. For example, the updated plan suggests that the use of voice-activated devices to collect personal information may attract obligations under the COPPA.
Second, the updated compliance plan extends its definition of what products are covered by COPPA. Previously, the COPPA focused the majority of its compliance power on businesses' collection of children's personal information on websites and through personal apps. The FTC has now made it clear that the COPPA also applies to connected toys and devices marketed to children that collect personal information, including voice recordings and geographical location.
Third, the FTC has updated the methods by which businesses may obtain the requisite parental consent prior to collecting personal information from their children under the age of 13. Adding to the list of methods that includes obtaining a signed consent form and having the parent call a toll-free number staffed by trained personnel, the FTC has suggested two additional acceptable methods that businesses may use to obtain parental consent. Businesses may now obtain consent by asking a series of knowledge-based challenge questions that would be difficult for someone other than a parent to answer, or by using facial recognition technology to identify the parent.
Takeaway: The recent updates to the FTC’s compliance plan with regard to the COPPA attempt to address the increasing impact of technology on the data collection practices of businesses. Businesses in the practice of collecting personal information from users, including but not limited to the user’s full name, email address, physical address, telephone number, or geolocation, should be aware of potential obligations under the COPPA, even if its website or app is not directly marketed to children under 13.
PartnerMarketers, advertisers, agencies and suppliers, among others, regularly seek Andy’s counsel regarding legal aspects of their advertising and promotional marketing businesses. He’s pragmatic and always looks for ...