There was a time when a child’s rubber duck was merely a rubber duck. No longer. Today, the duck may be connected to the internet, able to respond to the child’s gestures on a phone, and alert parents if bath water is too warm. A raft of smart toys debuted at this year’s New York Toy Fair, and by 2020 the smart toy market is projected to reach $11.3 billion.
Members of Congress have begun to express concern about the privacy impact of this growing segment of the Internet of Things, as reflected in a December 2016 minority staff report of the Senate Commerce Committee. In addition, Senator Bill Nelson has recently urged the Federal Trade Commission to vigorously enforce the Children’s Online Privacy Protection Act (COPPA) in the wake of a reported breach that exposed the recordings of hundreds of thousands of children’s voices collected via a smart toy. Likewise, Senator Mark Warner has inquired into COPPA enforcement with regard to smart toys.
These letters were received by an FTC that was already focused on the Internet of Things. It is a safe bet that the FTC is paying close attention and before long will announce enforcement actions in the connected toy arena.
In this climate, it is important for providers of connected toys to ensure that their practices comply with COPPA, the main privacy law governing connected toys, which authorizes the FTC and state attorneys general to seek fines of up to $40,000 per violation.
When Does COPPA Apply?
Although COPPA was enacted before the proliferation of smart toys, it will often cover such devices if they are internet-enabled, directed to children under 13 (which toys designed to appeal to children will almost surely be), and collect personal information from kids. “Personal information” under COPPA broadly covers not only “traditional” PII such as first and last name, but other information relevant to many connected toys, such as precise geolocation information, personal identifiers such as device ID and IP address, audio files containing a child’s voice, and a photograph or video file containing a child’s image.
In addition, even providers of connected devices that are designed to appeal to teens could be subject to COPPA if they obtain actual knowledge they are collecting personal information from a child under 13, such as if they collect users’ birth dates and then do not block those who indicate that they are 12 or younger. COPPA also may reach devices that are directed to children but for whom teens are the primary audience, under a “mixed audience” provision that has yet to be enforced and remains murky in its application.
What Does COPPA Require?
COPPA imposes a host of requirements, including parental notice and consent:
Direct Notice:
Operators must give parents direct notice, beyond a posted privacy policy — such as via email — of specified data practices.
Verifiable Parental Consent Before Data Collection:
An operator may use any mechanism reasonably designed to ensure that the person providing consent is the child’s parent, such as requiring the parent to place a charge on a credit or debit card that provides notice of each charge to the primary account holder. Operators that do not disclose children’s personal information have the option of obtaining consent via email plus an additional verification step.
The notice and consent requirements do not apply to operators that collect only persistent identifiers used solely for support for internal operations, such as authenticating users, personalizing the content on a service (such as saving a color preference), or maintaining or analyzing the functioning of a service.
What if a child shares a smart toy with a friend? COPPA only requires consent mechanisms “reasonably designed” to ensure that the individual providing consent is the parent of the child, and the several methods that the FTC has approved under this standard do not demand special steps to rule out the possibility that a site or service has been shared with an unrelated child. Moreover, such a requirement would force operators to use more intrusive technology to distinguish between children, thereby undermining COPPA’s purpose.
Importantly, even if exempt from COPPA’s notice and consent requirements, operators subject to COPPA must comply with its other requirements, including:
- data minimization,
- reasonable data security,
- limits on data retention,
- parental rights of review and data deletion.
In the past, COPPA enforcement has focused on notice and consent, but with connected devices, security is certain to figure prominently. For many, building secure devices will be the most challenging task. FTC guidance for IoT device manufacturers and its Start with Security guide are important references. They highlight the FTC’s emphasis on, among other things, independent security audits, use of strong encryption for the transport of personal information, encouraging consumers to use strong passwords, and creating and publicizing effective channels for receiving vulnerability reports.
Who Must Comply?
Toy manufacturers often partner with technology companies that provide the mobile apps and interactivity that make a toy “connected.” While the analysis is fact-specific, both companies may be subject to COPPA. As written, COPPA regulations make an operator of a child-directed service strictly liable for the activities of third parties who collect data from the service. Third parties are also responsible if they have actual knowledge that they are collecting personal information from users of a child-directed service.
More than COPPA
The FTC will also examine adherence to the prohibitions on deceptive or unfair practices under Section 5 of the FTC Act. Connected toy providers should therefore be attentive to their representations about their privacy and security practices and other key aspects of their product. For example, although misrepresenting a privacy practice is not actionable under COPPA, it may be under Section 5.
Class action lawyers have noticed the emergence of connected toys and can be expected to look to state unfair competition, wiretap, invasion of privacy, and biometrics laws as potential bases for lawsuits.
As internet-enabled toys grow, so will the interest of regulators and class action lawyers. Compliance with COPPA, Section 5, and potentially applicable state laws is essential. But regulators and courts will be more likely to forgive any breaches if companies pay attention to privacy and security throughout the design process.
Likewise, parents may pay more attention to such issues in making their purchasing decisions, as organizations like Consumer Reports increasingly evaluate privacy and security. To engender the trust of both regulators and parents, businesses should consider the FTC’s general privacy best practices as well as best practices specific to connected toys, such as those articulated by the Future of Privacy Forum and the Family Online Safety Institute.