Client Alert: FTC: COPPA Applies to the Internet of Things

Related Practices

Recently, the Federal Trade Commission (FTC) released its updated six-step compliance plan for businesses which may be subject to the Children’s Online Privacy Protection Act (COPPA). This updated plan provides companies with guidance on whether they are subject to COPPA, which regulates collection of personal information of children under 13, and if so, how to comply. The plan has been updated to reflect developments in the marketplace and developing technology.

COPPA applies to “websites or online services” that: (1) are directed to children and personal information is collected about them, either by the operator of the online services or third parties; (2) are directed to a general audience, but the operator has actual knowledge that its collects personal information from children under 13; or (3) are an ad network or plug-in and have actual knowledge personal information of kids under 13 collected. If the website or online services are subject to COPPA, then you must post a COPPA-compliant privacy policy, and obtain verifiable parental consent prior to collecting personal information of children under 13.   You must also honor parents’ ongoing rights with respect to their choices regarding the personal information of their child, such as honoring their request to delete the information, and provide reasonable security to protect the personal information collected from children.

The updated plan provides the following key changes:

As a result of these changes, companies, particularly those which are offering IoT devices directed at children under 13 or may have actual knowledge they are collecting personal information, which may include geolocation data and device identifiers, of children under 13, should evaluate their COPPA compliance obligations. For questions regarding COPPA or your company’s compliance obligations, contact Heather Enlow-Novitsky or your Vorys attorney.