FTC Releases Updated Six-Step Plan for Business Compliance With Children’s Online Privacy Rules


The Federal Trade Commission has released updated guidance that adds new products and new methods of consent to the coverage of the Children’s Online Privacy Protection Act (COPPA).

The guidance clarifies that web-connected toys and other internet of things devices fall under COPPA’s broad definition of “website or online service” that collects personal information.

COPPA applies to websites and online services that collect information of children under 13 years of age. In addition to standard websites, COPPA applies to children’s information collected through mobile applications, internet-connected video game platforms, and internet-enabled location-based services. 

COPPA requires “parent’s verifiable consent” before collecting using or disclosing personal information from a child under 13.

Two new methods of obtaining parental consent were also added to the guidance. Companies may now obtain consent from parents by asking a series of knowledge-based questions that would be difficult for someone other than a parent to answer. Banks and other institutions also use knowledge-based questions—such as father’s middle name and customer’s first school—to allow consumers to access sensitive information.

Consent may now also be legally obtained by having a parent submit a photo of themselves and then using facial recognition technology to compare the photo to a driver’s license or other photo identification of the parent.

COPPA last underwent substantial revision in 2013 when the FTC addressed children’s’ use of the internet, mobile devices, and social networking. The 2013 reboot broadened the definition of children’s personal information to include persistent identifiers, such as tracking cookies, internet protocol addresses, geolocation information, photos, videos, and audio.

The FTC has issued COPPA enforcement actions in situations where internet-connected toys recorded and disclosed the voices of children without parental notice and consent, and where persistent identifiers obtained through apps were used to deliver adds to children.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.