Protecting Children's Privacy in the Age of Smart Toys

By Madhavi K. Seth
Pages 10-61
Published in Landslide® magazine, Volume 13, Number 3, a publication of the ABA Section of Intellectual Property Law (ABA-IPL), ©2020 by the American Bar Association. Reproduced with permission. All rights reserved.
This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
LANDSLIDE, January/February 2021
Since 2015, the advent of smart and internet-connected toys has, according to some practitioners, transformed this age from that of the “Internet of Things” to the “Internet of Toys.”1 The potential unlawful surveillance and hackability of such toys have raised privacy issues, for both parents and national security agencies.
In July 2017, the Federal Bureau of Investigation (FBI) issued a public service announcement warning parents that their children’s new internet-connected toy could be secretly spying on them. The FBI warned that “[t]hese toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities—including speech recognition and GPS options.”2 It also encouraged parents and consumers to consider cybersecurity before introducing smart, interactive, and internet-connected toys into their homes.3 The FBI’s release highlighted that the Children’s Online Privacy Protection Act (COPPA)4 is the law that protects children from the privacy risks associated with internet-connected toys. The FBI encouraged all consumers to “research areas and circumstances concerning the toys and Web services where laws may or may not provide coverage.”5
In light of such concerns, the Federal Trade Commission (FTC) developed and provided guidance to toy companies that highlights COPPA. The COPPA Rule outlines a six-step compliance plan for businesses to comply with COPPA and implement key protections with respect to internet-connected toys and associated services.6 This article provides an overview of COPPA and best practices based on FTC guidance for toy manufacturers to consider in order to comply with COPPA as to their internet-connected toys.
“Operators” Must Provide Online Notices and Maintain Reasonable Security Procedures to Protect Children’s Data
The COPPA Rule highlights that an operator’s, and likely a toy manufacturer’s, failure to implement “reasonable security measures” for data collected by its internet-connected toys could subject that company to an FTC enforcement action under section 5 of the FTC Act, which prohibits unfair or deceptive practices in the marketplace.16
Online notices must include how parents may give consent; indicate that no personal information of a child will be collected, used, or disclosed without verifiable parental consent; and provide that such information will be collected as outlined in the operator’s privacy policy. In order to get verifiable parental consent, operators may: (1) ask parents to sign and mail a hard-copy consent form, (2) allow parents to use an online payment system to provide notification of each transaction to the primary account holder, (3) have parents provide consent via phone or video, or (4) check government-issued identification.17
Operators must also maintain reasonable security procedures to “protect the confidentiality, security, and integrity of the personal information collected from children.”18 If any of the information is transferred to a third party, the operator must ensure the third party has taken similar steps to protect the protected data.19 Finally, operators must only keep personal information collected online from a child as long as reasonably necessary to fulfill the purpose for which it was collected. When the personal information is no longer needed, the data must be deleted through reasonable measures.20
Due to COPPA’s requirements, any smart or internet-connected toy that collects personal information from a child could trigger COPPA’s requirements. COPPA fines range from $16,000 to $40,000 per violation.21 While the FTC has not taken many actions against a connected toy operator, COPPA and the COPPA Rule present complicated issues for toy manufacturers to ensure compliance. Toys and the websites they connect to which do not collect personal information or only collect nonpersonal data are not subject to COPPA and therefore would not trigger the manufacturer’s disclosure and notice obligations.22
FTC’s Recent Guidance on COPPA
In June 2017, the FTC updated its online advisory COPPA compliance plan for businesses to include internet-connected toys and other devices for children.23 This new guidance highlighted that COPPA does not apply only to websites and mobile applications but also to the “growing list of connected devices that make up the Internet of Things . . . [including] connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data.”24
In October 2017, the FTC also released additional guidance to address some of the issues with connected toys, through its Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings.25 Although this guidance addresses the collection and use of voice recordings, it provides that the FTC will not institute an enforcement action against an operator for not obtaining parental consent before collecting an
Children’s Online Privacy Protection Act
In 1999, the FTC enacted COPPA. COPPA falls within the Federal Trade Commission Act (FTC Act), which gives the FTC the authority to enforce COPPA. Section 5 of the FTC Act gives the FTC the power to protect consumers from “unfair or deceptive acts or practices in or affecting commerce.”7
COPPA’s Application to Manufacturers of Smart Toys as “Operators”
COPPA applies to online services providers, namely websites directed to children under 13 years old, or any “operator that has actual knowledge that it is collecting or maintaining personal information from a child” under 13 years old.8 An “operator” includes “any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service.”9 With this, manufacturers of internet-connected toys that run websites or online services to distribute those toys may be “operators” subject to COPPA.
Under COPPA, “personal information” is defined fairly broadly and permits the FTC to add interpretations and expand the definition. “Personal information” includes the child’s first and last names; home or physical address; email addresses; telephone numbers; Social Security numbers; information that identifies and permits the operator to contact the individual physically or online; and information about the child or that child’s parents that the operator collects online from the child, in conjunction with any of the other identifiers.10 The definition of “personal information” also includes “a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier; a photo, video, or audio file containing a child’s image or voice; [and] geolocation information sufficient to identify a street name and city or town.”11
Under COPPA, children under the age of 13 are protected from certain online activity. COPPA requires that operators give direct notices to parents of their data collection practices as to children.12 In 2013, the FTC amended the COPPA Rule and added several new types of data to the definition of personal information, including a photograph, video, or audio file that contains a child’s image or voice. The FTC explained that “the very personal nature” of such files supported the FTC’s finding that they met the standard for personal information set forth in the COPPA statute because they “permit the physical or online contacting of a specific individual.”13 Therefore, under the amended COPPA Rule, a covered operator must provide notice and obtain verifiable parental consent before it collects any of these types of personal information from a child.14 The FTC’s rationale in amending the COPPA Rule was to keep pace with changes to technology, children’s increased use of mobile devices, and the development of new business models that did not exist when the FTC issued COPPA in 1999.15
Madhavi K. Seth is an associate at Benesch, Friedlander, Coplan &
Aronoff LLP. She can be reached at mseth@beneschlaw.com.
