FTC Issues New Guidance on COPPA
The Federal Trade Commission (FTC) has updated its compliance plan for the Children’s Online Privacy Protection Act (COPPA), which establishes the guidelines under which personal information may be collected and used from children under the age of 13. However, the latest guidance from the FTC should serve as a reminder for all businesses to perform an examination of their online privacy policies to ensure compliance with all regulations and thus avoid unnecessary exposure.
The Federal Trade Commission (FTC) has updated its compliance plan for the Children’s Online Privacy Protection Act (COPPA). Introduced in 1998, COPPA establishes the guidelines under which personal information on children under the age of 13 may be collected and used. The primary goal of COPPA is to allow parents to control the amount of information collected from children. Even if your business is not subject to COPPA compliance, the new FTC guidance highlights the vast amount of potential exposure businesses face with privacy policies in an expanding marketplace.
COPPA applies to operators of “websites and online services” that “collect, use or disclose personal information” from children under the age of 13. The definition of what constitutes “websites and online services” is expansive. COPPA further requires that operators provide direct notice to parents regarding what information is collected from children, whether the operator intends to make the information publicly available and the disclosure practices for such information.
The FTC’s updated guidance focused upon two areas of COPPA in an effort to reflect changes in technology. First, the definition of “websites or online services” was expanded to include connected toys and “other internet of things” devices. This now includes toys and devices that collect personal information such as voice recordings or geolocation data. The update comes just weeks after Senator Mark R. Warner sent a letter to the FTC urging for increased protections under COPPA following two instances of children’s data being hacked from internet-connected smart toys, including voice recordings sent between parents and children.
Next, the FTC introduced two new methods for obtaining parental consent prior to collecting personal information from children. The updated compliance plan provides that parental consent may be obtained by either (a) asking parents a series of knowledge-based authentication questions or (b) requesting a copy of a parent’s driver’s license and matching that photo to a second photo provided by the parent using facial recognition technology. These new methods are in addition to the already acceptable methods of obtaining parental consent, including consent forms, calling a toll-free number staffed by trained personnel or by video conference. There are exceptions to the general rule requiring parental consent before collecting personal information from children, but notice requirements may still exist despite the exception.
The recent updates highlight the broad scope of COPPA and the increasing difficulty of maintaining pace with evolving technology in the marketplace. As the FTC tries to keep pace by expanding COPPA into new areas, it offers little guidance in helping businesses implement the requirements of COPPA into these new areas. Moreover, the guidance misses the mark on confirming that other methods of obtaining parental consent are acceptable – such as when a parent makes a direct purchase of an internet-connected toy. As the marketplace continues to advance, additional guidance is likely to be necessary.
The FTC’s latest guidance will also have an impact upon the privacy policies of banks and other companies within the financial services industry that may use information collected on websites and apps for use in its business operations. COPPA compliance is required by all companies who have actual knowledge that information is collected from children under 13 or if the company runs an ad network or plug-in which collects information from websites or services directed to children under 13. Therefore, the potential for exposure can be expansive. Agencies in addition to the FTC have also increased enforcement actions against businesses for inadequate data security practices and procedures which fail to protect collected personal information. Businesses’ use of this information could create exposure under the Unfair, Deceptive, or Abusive Acts or Practices Act (UDAAP), the Telephone Consumer Protection Act (TCPA) or the Gramm-Leach-Bliley Act (GLBA), among other regulations. Many businesses are unaware of this potential exposure.
As regulations continue to be fluid due to expanding technology and an advancing marketplace, additional guidance will be necessary. However, the latest guidance from the FTC should serve as a reminder for all businesses to perform an examination of their online privacy policies to ensure compliance with all regulations.
Alexander Koskey is an attorney in Baker Donelson’s Financial Services practice in Atlanta. He represents individuals, businesses and financial institutions on a wide range of regulatory and compliance issues, real estate and commercial matters. He can be reached at 
