By Carolyn Krol
On June 21, 2017, the U.S. Federal Trade Commission (“FTC”) published an update to the Children’s Online Privacy Protection Rule (“COPPA”) compliance plan for businesses. The FTC Business Blog describes the update as a reflection of the developments in the marketplace, such as internet-connected toys. The compliance plan provides businesses with a step-by-step guide to determine if a business activity is covered by COPPA, and if so, how to comply with COPPA.
There are three major updates to the compliance plan, regarding:
new business models,
new products covered by COPPA, and
new methods for getting parental consent.
The updated compliance plan considers new business models in its revisions which may affect COPPA obligations. In publishing this update, the FTC acknowledges companies have new ways of collecting data (e.g., voice-activated devices that collect personal information). As such, businesses should keep COPPA compliance in mind if they are implementing new ways to collect personal information.
COPPA applies to businesses with a website or online service that is directed to children under 13 collects personal information from them. The updated compliance plan clarifies that the meaning of “website or online service” may include internet-enabled location-based services, voice-over internet protocol (VOIP) services, and connected toys or other Internet of Things devices. If they have not done so already, businesses providing location-based services and VOIP services or are in the connected toy or Internet of Things space should evaluate whether their products or services could trigger COPPA obligations.
Subject to a few exceptions, COPPA requires that businesses obtain parents’ verifiable consent before collecting, using, or disclosing personal information from a child. The compliance plan discusses acceptable methods for obtaining verifiable parental consent. The updated compliance plan lists two new acceptable methods. First, parents now may provide consent by answering a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer. Second, parents may now submit a picture of a driver’s license or other photo ID and then compare that photo to a second photo submitted by the parent, using facial recognition technology.
In addition to reviewing the updated compliance plan, the FTC recommends reviewing the COPPA Frequently Asked Questions.