COPPA regulates websites and online services that collect personal information from kids under 13. The FTC revised its COPPA Compliance Plan for businesses a few days ago. The major revisions address “changes in technology,” namely the proliferation of connected toys and other internet-connected devices aimed at kids.
In this revised guidance, the FTC concludes that online services include internet-connected toys and other internet-connected devices that collect personal information from children under 13. If a toy or device collects pictures of the child, for example, it’s covered. If it records the child’s actions or voice, that’s covered too. If it uses persistent identifiers associated with a child, that’s also in. The same for toys that collect geolocation data which would disclose the child’s location.
The new Plan does identify two new options for obtaining verified parental consent—knowledge-based authentication questions and facial recognition against a verified photo ID.
COPPA makes some exceptions. The FTC views these exceptions as applicable to “a narrow class of personal information” in “certain circumstances.” Be careful if you intend to rely on one of them.