Legal Sidebari Smart Toys and the Children’s Online Privacy Protection Act of 1998 January 8 2018 A growing number of devices in American households including televisions appliances security systems and heating and cooling devices rely on Internet connectivity to perform a range of functions And the “Internet of Things” includes a growing number of products primarily used by children including “smart toys ” In the 1980’s the popular Teddy Ruxpin bear “talked” to children by way of a tape player hidden inside Today children may have real-time two-way “conversations” with their smart toys Sensors mics cameras storage devices speech recognition technology Internet-connectivity and GPS are used to tailor the toy’s behaviors based on the child’s interactions Some more sophisticated smart toys may record a child’s voice on an audio file convert the audio to text query a searchable database and return an appropriate voice response back to the child But smart toys’ use of Internet-connectivity potentially to collect children’s personal information may require the toys’ makers to take certain steps to comply with the Children’s Online Privacy Protection Act of 1998 COPPA and its implementing rules and requirements Security researchers have found that unsecured Bluetooth-enabled toys may be vulnerable to hacking allowing third-parties to surreptitiously communicate with a child through the Internetconnected toy Concern over potential misuse of such toys prompted Germany to ban certain smart toys In the United States at least one legal complaint has been filed with the Federal Trade Commission FTC alleging that certain smart toy makers unfairly and deceptively collect use and disclose audio files of children’s voices without providing adequate notice or obtaining verified parental consent Such practices are alleged to violate COPPA and its implementing regulations along with Section 5 of the Federal Trade Commission Act Entities that violate COPPA and the FTC Act potentially could among other things be enjoined from continuing their unlawful conduct and face civil monetary penalties Congressional Research Service https crsreports congress gov LSB10051 CRS INSIGHT Prepared for Members and Committees of Congress Congressional Research Service 2 COPAA regulates unfair and deceptive acts and practices in connection with the collection and use of personal information on the Internet from and about children under 13 years of age COPPA requires an operator of a website or online service directed to children or any operator that has actual knowledge that it is collecting personal information from a child to provide notice on its website of what information is collected from children by the operator how the operator uses such information and the operator's disclosure practices for such information The COPPA Rule through which the FTC implements COPPA requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting using or disclosing personal information from children under 13 years of age The Rule also requires operators to keep secure the information they collect from children The COPPA Rule defines “website or online service” to include connected toys or other Internet of Things Devices The FTC enforces the COPPA Rule and provides guidance to companies to determine whether a company is covered by COPPA and how to comply with the COPPA In 2013 the COPPA Rule was amended to include within its definition of “personal information” a photograph video or audio file that contains a child’s image or voice This modification was undertaken to clarify the scope of the Rule and strengthen its protections for children’s personal information in light of changes in online technology since the Rule initially went into effect in April 2000 This past year two federal agencies issued warnings about privacy and security risks associated with smart toys On July 17 2017 the Federal Bureau of Investigation issued a Consumer Notice about Internet-connected toys encouraging consumers to consider cyber security prior to introducing smart toys into their homes because these toys typically contain features that could put the privacy and safety of children at risk due to the large amount of personally identifiable information that may be disclosed On October 20 2017 the FTC issued a new Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings After the 2013 COPAA Rule amendment several companies had inquired whether the practice of collecting audio files that contain a child’s voice immediately converting the audio to text and deleting the file containing the voice recording triggers COPPA’s requirements In its new Enforcement Policy Statement the FTC advised Internet-connected toy makers that the FTC would not take an enforcement action against an operator on the basis that the operator collects an audio file containing a child’s voice solely as a replacement for written words such as to perform a search or fulfill a verbal instruction or request but only maintains the file for the brief time necessary for that purpose However the covered operator is required to provide clear notice of its collection and use of audio files and its deletion policy in its privacy policy COPAA focuses on web sites and online services directed to children or web sites and online services that have actual knowledge they are collecting personal information from a child While the statute’s potential application to children's smart toys seems fairly straightforward it might be less clear with respect to other devices that comprise the Internet of Things which while not primarily directed at children may be readily available to them Some observers have questioned whether “virtual assistant” devices marketed towards the general populace such as Amazon’s Alexa Apple’s Siri and Google’s Assistant may run afoul of COPPA’s requirements given those devices’ potential use by children These questions prompted the FTC in July 2017 to issue a public statement specifying circumstances when the agency will seek to enforce COPPA Congressional Research Service 3 provisions concerning the collection of audio files of children’s voices As the Internet of Things develops an increasingly ubiquitous role in American life and a greater amount of personal information about children is potentially collected through such devices it seems likely that there will be continuing questions about whether the approach taken by COPPA and similar laws to the protection of such information is appropriate or sufficient Author Information Gina Stevens Legislative Attorney Disclaimer This document was prepared by the Congressional Research Service CRS CRS serves as nonpartisan shared staff to congressional committees and Members of Congress It operates solely at the behest of and under the direction of Congress Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role CRS Reports as a work of the United States Government are not subject to copyright protection in the United States Any CRS Report may be reproduced and distributed in its entirety without permission from CRS However as a CRS Report may include copyrighted images or material from a third party you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material LSB10051 · VERSION 4 · NEW