As technology becomes more ubiquitous in daily life, the Internet of Things (IoT) has begun to pervade children’s toys, and more and more toys are becoming connected to the Internet and responsive to both parents and children. Children can now interact with “smart” toys in ways once thought unimaginable: they can communicate with dolls, participate in story-telling with wearable virtual reality, and play digital games with teddy bears. Often linked to the Internet for cloud-based computing benefits, the intensifying connectivity materialized by these products raises privacy and security concerns around the information these toys collect from children.
On June 21st, 2017, the Federal Trade Commission (FTC) altered the “Six-Step Compliance Plan” under its Children’s Online Privacy Protection Act (COPPA). COPPA pertains to websites and services that gather data about children under the age of 13. These services – geared for its child demographic – comprise mobile applications, internet-enabled gaming platforms, and businesses themselves that obtain personal information from users of another online service (i.e. plug-ins). COPPA obligates the operators of these websites to give notice to parents or guardians about its information methods, and in return, must receive prior consent from parents. The Compliance Plan is a guide to ascertain whether a business is covered by COPPA and lays out the necessary actions that companies must take to abide by the act.
The updated Compliance Plan offers a more specific account for the vast span of “online services” overseen by COPPA. The FTC detailed new mandatory information collection practices and rulings over recently released IoT products. Knowledge-based identification questions, voice-activation, and facial recognition technology that can match a verified photo ID are now necessary protocol for devices to implement in order to pass COPPA’s parental consent requirement.
The update arrives as a result of a letter written by Sen. Mark Warner (D-VA) to the FTC. Warner raised questions regarding security of personal data transmitted and stored by internet-enabled children’s toys, and urged the Commission to address these heightening concerns.
The Federal Investigative Bureau (FBI) released a public service announcement on July 19th, through its Crime Complaint Center, encouraging “consumers to consider cyber security prior to introducing smart, interactive, internet-connected toys into their homes or trusted environments.” Advising parents to be aware of cybersecurity implications of the connected toy and to only connect to secure Wi-Fi before use, the announcement states,
These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options…The collection of a child’s personal information combined with a toy’s ability to connect to the Internet or other devices raises concerns for privacy and physical safety.
Read more here – “FTC Updates COPPA Guidance for IoT and New Consent Options,” (Julia Kernochan Tama and Jared Bomberg, Lexology)
Read more here – “FTC Reaffirms that IoT Devices Must Comply with COPPA,” (The National Law Review)