• FTC's Updated COPPA Compliance Plan Confirms Applicability to IoT Products
  • July 20, 2017 | Authors: Sheila A. Millar; Nathan A. Cardon
  • Law Firms: Keller and Heckman LLP - Washington Office; Keller and Heckman LLP - Washington Office
  • The Federal Trade Commission (FTC) has updated its guidance on complying with Children's Online Privacy Protection Rule (COPPA Rule) "to reflect developments in the marketplace."

    The updated COPPA Compliance Plan now covers new ways of collecting information, such as voice-activated devices that collect personal data. It also includes "the growing list of connected devices that make up the Internet of Things," such as "connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data." As before, readers are led through a set of six steps to determine whether a particular site or service is covered by the COPPA Rule, and how to comply with it.

    The revised plan also discusses two new methods for obtaining parental consent: knowledge-based authentication questions and facial recognition. These techniques may offer additional flexibility for businesses seeking to make providing consent easier for parents.

    Makers of connected children's products know that their IoT devices are subject to the COPPA Rule; this isn't news. However, the FTC's updated guidance document offers a good opportunity to consider some practical ways to approach COPPA compliance. First, since technology firms and traditional product manufacturers often partner together to bring connected products to market, it is important to contractually establish which party is primarily responsible for COPPA compliance as the "operator." Second, COPPA compliance requirements relate to the product's capabilities and how it is used. Understanding what, how, and when data is collected, and how it is used - in other words, mapping the data flows - is essential, as it determines whether, and how, parental consent must be obtained. Third, that same data mapping exercise is crucial to establishing the appropriate set of security measures for the collected data.

    The FTC's updated guidance sketches out COPPA basics, including the exceptions and different scenarios for different types of verifiable parental consent. This serves to reaffirm that while there are overarching principles of privacy and security, there is no one-size-fits-all approach to COPPA compliance for connected children's products any more than there is for websites or apps. That, in and of itself, is a helpful reminder.