February 08, 2021 Feature

Protecting Children’s Privacy in the Age of Smart Toys

Madhavi K. Seth
Toy manufacturers should stay current on evolving FTC guidance to ensure that they comply with best practices for their products and their customers.

Toy manufacturers should stay current on evolving FTC guidance to ensure that they comply with best practices for their products and their customers.

GettyImages

©2021. Published in Landslide, Vol. 13, No. 3, January/February 2021, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.

Since 2015, the advent of smart and internet-connected toys has, according to some practitioners, transformed this age from that of the “Internet of Things” to the “Internet of Toys.”1 The potential unlawful surveillance and hackability of such toys have raised privacy issues, for both parents and national security agencies.

In July 2017, the Federal Bureau of Investigation (FBI) issued a public service announcement warning parents that their children’s new internet-connected toy could be secretly spying on them. The FBI warned that “[t]hese toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities—including speech recognition and GPS options.”2 It also encouraged parents and consumers to consider cybersecurity before introducing smart, interactive, and internet-connected toys into their homes.3 The FBI’s release highlighted that the Children’s Online Privacy Protection Act (COPPA)4 is the law that protects children from the privacy risks associated with internet-connected toys. The FBI encouraged all consumers to “research areas and circumstances concerning the toys and Web services where laws may or may not provide coverage.”5

In light of such concerns, the Federal Trade Commission (FTC) developed and provided guidance to toy companies that highlights COPPA. The COPPA Rule outlines a six-step compliance plan for businesses to comply with COPPA and implement key protections with respect to internet-connected toys and associated services.6 This article provides an overview of COPPA and best practices based on FTC guidance for toy manufacturers to consider in order to comply with COPPA as to their internet-connected toys.

Children’s Online Privacy Protection Act

In 1999, the FTC enacted COPPA. COPPA falls within the Federal Trade Commission Act (FTC Act), which gives the FTC the authority to enforce COPPA. Section 5 of the FTC Act gives the FTC the power to protect consumers from “unfair or deceptive acts or practices in or affecting commerce.”7

COPPA’s Application to Manufacturers of Smart Toys as “Operators”

COPPA applies to online services providers, namely websites directed to children under 13 years old, or any “operator that has actual knowledge that it is collecting or maintaining personal information from a child” under 13 years old.8 An “operator” includes “any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service.”9 With this, manufacturers of internet-connected toys that run websites or online services to distribute those toys may be “operators” subject to COPPA.

Under COPPA, “personal information” is defined fairly broadly and permits the FTC to add interpretations and expand the definition. “Personal information” includes the child’s first and last names; home or physical address; email addresses; telephone numbers; Social Security numbers; information that identifies and permits the operator to contact the individual physically or online; and information about the child or that child’s parents that the operator collects online from the child, in conjunction with any of the other identifiers.10 The definition of “personal information” also includes “a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier; a photo, video, or audio file containing a child’s image or voice; [and] geolocation information sufficient to identify a street name and city or town.”11

Under COPPA, children under the age of 13 are protected from certain online activity. COPPA requires that operators give direct notices to parents of their data collection practices as to children.12 In 2013, the FTC amended the COPPA Rule and added several new types of data to the definition of personal information, including a photograph, video, or audio file that contains a child’s image or voice. The FTC explained that “the very personal nature” of such files supported the FTC’s finding that they met the standard for personal information set forth in the COPPA statute because they “permit the physical or online contacting of a specific individual.”13 Therefore, under the amended COPPA Rule, a covered operator must provide notice and obtain verifiable parental consent before it collects any of these types of personal information from a child.14 The FTC’s rationale in amending the COPPA Rule was to keep pace with changes to technology, children’s increased use of mobile devices, and the development of new business models that did not exist when the FTC issued COPPA in 1999.15

“Operators” Must Provide Online Notices and Maintain Reasonable Security Procedures to Protect Children’s Data

The COPPA Rule highlights that an operator’s, and likely a toy manufacturer’s, failure to implement “reasonable security measures” for data collected by its internet-connected toys could subject that company to an FTC enforcement action under section 5 of the FTC Act, which prohibits unfair or deceptive practices in the marketplace.16

Online notices must include how parents may give consent; indicate that no personal information of a child will be collected, used, or disclosed without verifiable parental consent; and provide that such information will be collected as outlined in the operator’s privacy policy. In order to get verifiable parental consent, operators may: (1) ask parents to sign and mail a hard-copy consent form, (2) allow parents to use an online payment system to provide notification of each transaction to the primary account holder, (3) have parents provide consent via phone or video, or (4) check government-issued identification.17

Operators must also maintain reasonable security procedures to “protect the confidentiality, security, and integrity of the personal information collected from children.”18 If any of the information is transferred to a third party, the operator must ensure the third party has taken similar steps to protect the protected data.19 Finally, operators must only keep personal information collected online from a child as long as reasonably necessary to fulfill the purpose for which it was collected. When the personal information is no longer needed, the data must be deleted through reasonable measures.20

Due to COPPA’s requirements, any smart or internet-connected toy that collects personal information from a child could trigger COPPA’s requirements. COPPA fines range from $16,000 to $40,000 per violation.21 While the FTC has not taken many actions against a connected toy operator, COPPA and the COPPA Rule present complicated issues for toy manufacturers to ensure compliance. Toys and the websites they connect to which do not collect personal information or only collect nonpersonal data are not subject to COPPA and therefore would not trigger the manufacturer’s disclosure and notice obligations.22

FTC’s Recent Guidance on COPPA

In June 2017, the FTC updated its online advisory COPPA compliance plan for businesses to include internet-connected toys and other devices for children.23 This new guidance highlighted that COPAA does not apply only to websites and mobile applications but also to the “growing list of connected devices that make up the Internet of Things . . . [including] connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data.”24

In October 2017, the FTC also released additional guidance to address some of the issues with connected toys, through its Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings.25 Although this guidance addresses the collection and use of voice recordings, it provides that the FTC will not institute an enforcement action against an operator for not obtaining parental consent before collecting an audio recording of a child’s voice when it is collected solely as a replacement for written words, such as to perform a search or to fulfill a verbal instruction or request.26

FTC Enforcement of COPPA against Toy Manufacturers

While the FTC has filed more enforcement actions against website operators targeting children, it has only filed and settled a handful of actions against toy manufacturers that have had online applications associated with the use of their products. The first children’s privacy case involving internet-connected toys was United States v. VTech Electronics Ltd.27 In this case, the FTC filed a lawsuit alleging that electronic toy maker Vtech Electronics and its U.S. subsidiary violated COPPA and the FTC Act by collecting children’s personal information without providing direct notice and without obtaining parental consent and by failing to take reasonable steps to secure the data collected.28

Specifically, the FTC alleged that VTech’s “Kid Connect” application, which children used with some of VTech’s electronic toys, collected the personal information of hundreds of thousands of children, and that the company failed to provide direct notice to parents or obtain verifiable consent from parents concerning its information collection practices, as required under COPPA.29 The complaint charged that “Defendants participated in deceptive acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45, in the making of a deceptive statement relating to their collection, storage, and transmittal of covered information.”30

The complaint further outlined that VTech violated the COPPA Rule by doing the following: (1) failing to post a privacy policy for its “Kid Connect” online service providing clear, understandable, and complete notice of its information practices; (2) failing to provide direct notice of its information practices to parents; (3) failing to obtain verifiable parental consent prior to collecting, using, and/or disclosing personal information from children; and (4) failing to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.31 Although the case ultimately settled, VTech had to pay $650,000 as part of its settlement; was permanently prohibited from violating COPPA in the future and from misrepresenting its security and privacy practices; and was required to implement a comprehensive data security program, which would be subject to independent audits for 20 years.32

Best Practices for Toy Manufacturers

With this, toy manufacturers should take affirmative steps to avoid potential issues related to their technology-based products, consistent with the FTC’s guidance. First, toy manufacturers should determine if their company operates an affiliated website or other online service that collects personal information from children under 13 years old. Second, toy manufacturers should post a privacy policy that complies with the requirements of COPPA and additional FTC guidance. Third, toy manufacturers should notify parents and consumers directly before collecting personal information from their children, or enclose such disclosures with the packaging of their products. Fourth, toy manufacturers should get parents’ verifiable consent before collecting personal information from their children and honor parents’ ongoing rights with respect to collecting personal information from their children. Finally, toy manufacturers should implement reasonable procedures to protect the security of children’s personal information.33

Additionally, toy manufacturers should ensure that any toy products they distribute are certified through the FTC’s certification program.34 This program allows manufacturers to get a seal to put on their packaging or website if their toy has been reviewed and found in compliance with children privacy requirements.35 Toy manufacturers should also modify their user agreements to ensure that they include relevant COPPA disclosures. Specifically, manufacturers must make sure that they issue certain disclosures regarding the collection, retention, and use of collected information and tell parents what personal information of their children is collected, where it is stored, whether it is provided to third parties, and what toy manufacturers can or will do with the collected information.

Finally, toy manufacturers should ensure that their legal departments stay current on evolving FTC guidance as well as enforcement actions, to ensure that they are complying with best practices for their products and their customers. In light of the vast distribution and evolving nature of internet-connected consumer products to collect and store personal information, it is and will likely become crucial for companies to ensure that their privacy policies and practices are updated to reflect current regulations, such as COPPA, and future regulations to protect the privacy of consumers.

Endnotes

1. See, e.g., Sara H. Jodka, The Internet of Toys: Legal and Privacy Issues with Connected Toys, Dickinson Wright (Dec. 2017), https://www.dickinson-wright.com/news-alerts/legal-and-privacy-issues-with-connected-toys.

2. Consumer Notice: Internet-Connected Toys Could Present Privacy and Contact Concerns for Children, Fed. Bureau Investigation (July 17, 2017), https://www.ic3.gov/media/2017/170717.aspx.

3. Id.

4. 15 U.S.C. §§ 6501–6506.

5. Consumer Notice, supra note 2.

6. Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business, Fed. Trade Commission (June 2017), https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance [hereinafter FTC COPPA Compliance Plan].

7. 15 U.S.C. § 57a(a)(1)(B); see id. § 6502(c).

8. 15 U.S.C. § 6502(a)(1); see id. § 6501(1).

9. 15 U.S.C. § 6501(2)(A).

10. Id. § 6501(8).

11. FTC COPPA Compliance Plan, supra note 6.

12. Children’s Online Privacy Protection Rule (COPPA Rule), 78 Fed. Reg. 3972, 3982 (Jan. 17, 2013).

13. Id.

14. Id.

15. Id.

16. FTC COPPA Compliance Plan, supra note 6.

17. See 15 U.S.C. § 6501(9); COPPA Rule, 78 Fed. Reg. 3972.

18. FTC COPPA Compliance Plan, supra note 6.

19. Id.

20. Id.

21. Id.

22. Jodka, supra note 1.

23. Kristen Cohen & Peder Magee, FTC Updates COPPA Compliance Plan for Business, Fed. Trade Commission (June 21, 2017), https://www.ftc.gov/news-events/blogs/business-blog/2017/06/ftc-updates-coppa-compliance-plan-business.

24. Id.

25. Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings (Oct. 20, 2017), https://www.ftc.gov/public-statements/2017/10/federal-trade-commission-enforcement-policy-statement-regarding.

26. Id.

27. No. 1:18-cv-00114 (N.D. Ill. filed Jan. 8, 2018).

28. Id.

29. Id.

30. See Stipulated Order for Permanent Injunction and Civil Penalty Judgment at 2, VTech, No. 1:18-cv-114 (N.D. Ill. Jan. 8, 2018).

31. Id.

32. Press Release, Fed. Trade Comm’n, Electronic Toy Maker VTech Settles FTC Allegations That It Violated Children’s Privacy Law and the FTC Act (Jan. 8, 2018), https://www.ftc.gov/news-events/press-releases/2018/01/electronic-toy-maker-vtech-settles-ftc-allegations-it-violated.

33. Jodka, supra note 1.

34. Id.

35. Press Release, Fed. Trade Comm’n, FTC Approves kidSAFE Safe Harbor Program (Feb. 12, 2014), https://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-kidsafe-safe-harbor-program.

Entity:
Topic:

Madhavi K. Seth is an associate at Benesch, Friedlander, Coplan & Aronoff LLP.