This week, the Federal Trade Commission (FTC) updated its guidance on COPPA, the Children’s Online Privacy Protection Act, to clarify that the 1998 statute applies not just to websites and online service providers that collect data from children, but also to Internet of Things devices, including children’s toys. The updated guidance has been applauded by advocates, and is a welcome clarification that COPPA’s strong protections apply to toys like Hello Barbie, Dino, and Fisher-Price’s Smart Toy. The guidance acknowledges the potential harm to children of deceptive data practices, writing “when companies surreptitiously collect and share children’s information, the risk of harm is very real, and not merely speculative.”
In December 2016, Future of Privacy Forum and Family Online Safety Institute published “Kids & The Connected Home: Privacy in the Age of Connected Dolls, Talking Dinosaurs, and Battling Robots,” an early analysis of the privacy and security implications of connected children’s toys. At the time, some advocates were calling for a legal update to cover the unique issues of screen-less dolls and teddy bears that might collect information from children. In our white paper, we were one of the first to analyze COPPA in the context of children’s toys and concluded that it almost certainly already applied to the wide range of Internet-connected toys on the market:
“Although COPPA was written long before a mainstream market for connected toys existed, there is a growing consensus that the federal statute applies to the wide range of modern toys that connect to the Internet. Most connected toys available today connect to the Internet through a mobile app or other mechanism … and it is well-established that COPPA applies to Internet-connected devices and platforms, including smartphones, tablets, and apps. The FTC is vested with the legal authority to interpret COPPA, and it has promulgated more detailed requirements in the COPPA Rule. COPPA applies to any provider (“operator”) of “a Website or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child . . .”. Although the FTC has not yet taken an enforcement action against a connected toy operator, the Commission has stated that the term “online service” broadly covers any service available over the Internet or that connects to the Internet or a wide-area network.”
Although COPPA’s protections are strong, we recommend that providers of connected toys go even further in protecting sensitive information collected from children, and we discuss suggested best practices. Privacy-conscious steps include:
- Companies should invest in developing creative and intuitive ways to alert children and parents when data is being collected or transmitted, including glyphs and other visual, audio, and haptic cues.
- It is important to establish strong data security practices, including: implementing strong encryption standards (HTTPS / TLS) so that the toy will not send personal information over insecure channels, or store personal information in an insecure format on the toy itself; ensuring that technical safeguards prevent the toy from communicating with unauthorized devices or servers; and avoiding the creation of passwords that cannot be changed by users or the use of the same default password for all toys.
Children’s personal information, and parents’ ability to make informed, meaningful choices, should be given the highest level of legal protection. The FTC’s updated guidance represents an important step towards this goal, as well as towards protecting privacy in the growing Internet of Things.