As reported on Hunton’s Privacy and Information Security Law blog, on June 21, 2017, the Federal Trade Commission updated its guidance, Six-Step Compliance Plan for Your Business, for complying with the Children’s Online Privacy Protection Act (“COPPA”). The FTC enforces the COPPA Rule, which sets requirements regarding children’s privacy and safety online. The updated guidance adds new information on situations where COPPA applies and steps to take for compliance. The changes include:
- New products and technologies. COPPA applies to the collection of personal information through a “website or online service.” The term is defined broadly, and the updates to the guidance clarify that technologies such as connected toys and other Internet of Things devices can be covered by COPPA.
- New parental consent methods. COPPA requires that businesses obtain parental consent before collecting the personal information of children under the age of 13. The revised guidance addresses two newly approved methods for obtaining parental consent: (1) answering a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer; or (2) verifying a picture of a driver’s license or other photo ID submitted by the parent and then comparing that photo to a second photo submitted by the parent, using facial recognition technology.
These updates follow a recent letter from Senator Mark Warner asking the FTC to strengthen efforts to protect children’s personal information in the face of new technologies such as Internet-connected “Smart Toys.”