The Federal Trade Commission (FTC) announced that it has updated its COPPA Compliance Plan to specifically cover toys intended for children. COPPA requires website operators and online services to obtain verifiable parental consent before collecting any personal information from children under 13.
The new FTC guidance, which provides a useful framework for businesses, states explicitly that COPPA applies to connected toys and other Internet of Things devices that collect personal information from children. The definition of “personal information” is broad and includes a child’s name, voice, address, photo, email address or telephone number.
The FTC now provides new and updated guidance in three main areas:
- New Business Models. The FTC broadens the scope of covered businesses to account for new ways that companies collect data.
- New Products. If your franchise offers and sells a product that connects to the Internet and collects personal information, including voice recordings or geolocation data, then COPPA applies to your business.
- Parent Consent Collection Methods. One of the main features of COPPA is its requirement that businesses obtain parental consent before collecting a child’s personal information. The new guidance discuses two newly-approved methods for getting parental consent: asking knowledge-based authentication questions and using facial recognition to get a match with a verified photo ID.
Finally, the FTC has the statutory authority to pursue fines and civil penalties of up to $16,000 for each COPPA violation. The amount of civil penalties a court may assess may depend on a number of factors, including the extent of violations, previous violations of federal regulations, the number of children involved, how the information was used and the size of the company.