June 28th, 2017
Children’s Privacy: FTC Issues New COPPA Guidance for IoT and Connected Devices
Last week, the Federal Trade Commission ("FTC") released a new report, Six-Step Compliance Plan for Your Business, to help companies understand their obligations under the Children's Online Privacy Protection Act ("COPPA"). In addition to reviewing longstanding COPPA requirements, the report provides important new guidance on how COPPA applies to the rapidly evolving world of connected toys, online games and the Internet of Things ("IoT"). Here's what you need to know.
Congress enacted COPPA to protect the personal information of children under the age of 13. The FTC, charged with enforcing COPPA, issued the original COPPA Rule in 2000 and an amendment in 2013. Designed to place parents in control of the personal information collected from their children online, COPPA requires operators of websites and online services that knowingly collect, use, or disclose personal information of children under the age of 13 to allow parents the opportunity to review or restrict the personal information being collected and used. Violations of COPPA can carry hefty fines of $40,000+ per violation, as illustrated by a recent episode of HBO's hit comedy series Silicon Valley.
In addition to providing a six-step COPPA compliance plan, the FTC's report includes important new guidance:
- The FTC cautions that harnessing emerging technologies may impact a business's COPPA obligations. In particular, the FTC advises businesses to examine how the use of newer technologies may have changed the way they collect data, and encourages businesses to ask whether they are still in compliance with COPPA.
- The FTC reminds everyone that COPPA extends beyond "traditional" platforms like websites and mobile apps. IoT devices and other new technologies marketed to children, including connected toys and online games, are equally subject to COPPA if they collect any personal information, which includes voice recordings, geolocation data and unique device identifiers.
- The FTC highlights two newly approved methods for obtaining "verifiable parental consent" ("VPC"), which is the cornerstone of COPPA compliance: knowledge-based authentication questions and facial recognition to match a verified photo ID. These methods add to a growing list of FTC-approved VPC mechanisms that offer businesses flexibility when structuring their technologies to comply with COPPA.
Updated Six-Step Compliance Plan
The FTC's six-step compliance plan aims to help businesses determine whether their products or services are covered by COPPA and, if so, how to comply with COPPA's requirements. Here's a quick summary.
Step 1: Determine if your company is a website or online service that collects personal information from children under the age of 13. Businesses that directly target children should confirm whether they are actively collecting or allowing third parties to collect personal information from their users. Even if businesses do not intend to target children and collect their information, they still may fall within the scope of COPPA if the business has actual knowledge that it is collecting personal information from children under 13.
Step 3: Notify parents directly before collecting personal information from their children. COPPA requires businesses to provide parents with direct notice of their data practices before collecting any personal information from children, and to provide parents with updated direct notices when these practices change.
Step 4: Obtain verifiable parental consent before collecting personal information from children. In general, COPPA requires businesses to obtain VPC before collecting any personal information from children. COPPA allows businesses to decide what method they will use to obtain VPC, but the selected method must be reasonably designed to ensure that the person giving the consent is the child's parent. There are narrow but very important exceptions to the VPC requirement, including an exception that allows operators to collect persistent identifiers (e.g., cookies, IP addresses, unique device identifiers) without VPC when the sole purpose of the collection is to support the internal operations of the website or online service. What that means, and when it applies, are often tricky questions subject to legal interpretation.
Step 5: Honor parents' ongoing rights to control personal information collected from their children. Businesses must comply with the requests of parents to delete or modify their children's personal information even if consent was initially given.
Step 6: Implement reasonable procedures to protect the security of children's personal information. Businesses should limit the information they collect from children to only what is necessary, and restrict the third-party entities with whom they share this information, to ensure the confidentiality, security, and integrity of the personal information collected.
Frankfurt Kurnit advises many clients on complex issues regarding COPPA compliance in the digital age. If you market products or services to children, or have any questions about COPPA, please contact Jeremy S. Goldman at (310) 579 9611 or email@example.com, or any other member of Frankfurt Kurnit's Privacy and Data Security group.