Mind the COPPA Rule protecting children online or expect to hear from the FTC
By Pierre Grosdidier
The Federal Trade Commission, or FTC, is busy monitoring internet-connected toys to enforce their compliance with the Children’s Online Privacy Protection Act, or the COPPA Rule, (16 C.F.R. § 312).1 The COPPA Rule aims to protect the online privacy of children under 13. Its breach “constitutes an unfair or deceptive act or practice in or affecting commerce, in violation of Section 5(a) of the FTC Act.”2 The recent settlement between the FTC and VTech Electronics, a seller of internet-connected toys, games, and apps, shows that companies that sell online products to children must comply with the COPPA Rule or risk the travails attendant to a regulatory enforcement action.3
The COPPA Rule grants parents ultimate control over the storage and disposition of information that websites and online service providers (“operators”) collect from children.4 The law requires that qualifying operators seek “verifiable parental consent” prior to collecting, using, or disclosing children’s personal information.5 The operator must make the collected information available for review by parents, who can deny their permission.6 The operator must also prominently display on its webpages a “clearly labeled link” to its information collection, use, and disclosure practices.7 Other provisions regulate the personal information’s confidentiality, security, integrity, and eventual deletion.8
The law defines the term “personal information,” as it applies to children, extremely broadly.9 It includes not only the usual name, address, and identifying numbers, but also children’s photos, video, and audio files. Importantly, the definition includes any information that can be used to track children through the internet, namely:
[a] persistent identifier that can be used to recognize a user over time and across different Web sites or online services[, including] . . . a customer number held in a cookie, an Internet Protocol (IP) address, . . . [or] . . . Geolocation information sufficient to identify street [and city] name[s].10
It is easy to imagine how smart toys in this Internet of Things era can create situations that run afoul of the COPPA Rule. A GPS-capable toy might suffice if the child registered it on the manufacturer’s website to activate its warranty or to download a matching app.
Recently, the FTC settled its first-ever “children’s privacy case involving Internet-connected toys.”11 In VTech, the government alleged inter alia, that VTech sold “electronic learning products,” or ELPs, aimed at children younger than 10. The complaint alleged that children could use the ELPs to access VTech-created online games, including an online service called the Learning Lodge Navigator. Users could download from this service apps, games, e-books, and other online material targeted at children. In the U.S. alone, by year-end 2015, parents had created Learning Lodge accounts for almost three million children, of whom almost 638,000 used a downloaded ELP communication app.12
The FTC complaint alleged that VTech violated the COPPA Rule by, inter alia:
failing to obtain verifiable parental consent for collecting or using children’s personal information;
failing to post links to its children’s information practices on its webpages;
“failing to provide direct notice to parents” of its children’s information practices; and
failing to implement and maintain a comprehensive information security program.13
Compounding VTech’s predicament, and demonstrating its information security failings, VTech learned in late 2015 that its systems had been breached. The hacker penetrated VTech’s test environment through “commonly known and reasonably foreseeable vulnerabilities,” then navigated into its live environment where it collected records containing children’s personal information.14
The district court’s stipulated order “permanently restrained and enjoined [VTech] from violating” the COPPA Rule and ordered it to pay a $650,000 civil penalty judgment to the U.S.15 The order also compelled VTech to develop and implement a plan to comprehensively overhaul its information security practices. This plan must be audited by an independent third-party for 20 years.16
VTech follows in the footsteps of two other COPPA Rule-related complaints that the FTC settled in late 2015 that alleged—for the first time—that companies allowed advertisers to use persistent identifiers to target children.17 More recently, in April 2018, the FTC sent notice letters to two foreign companies that it suspected were collecting “precise geolocation” data from children in the United States.18 The letters “encourag[ed]” the companies to comply with the COPPA Rule. TBJ
This article was originally published in the May 2018 edition of Circuits and has been edited and reprinted with permission.
is counsel to Haynes and Boone’s business litigation practice group in Houston. Grosdidier divides his practice between construction litigation and construction contract drafting. He belongs to the first group of attorneys certified in construction law by the Texas Board of Legal Specialization in 2017. Grosdidier’s practice also includes litigating unauthorized computer access and software copyright infringement claims. Prior to practicing law, Grosdidier worked in the process control industry. He holds a Ph.D. from Caltech and a J.D. from the University of Texas. He is a member of the State Bar of Texas and is a registered professional engineer in Texas (inactive).