Mind the COPPA Rule Protecting Children Online or Expect to Hear From the FTC


If Internet-connected toys catch your attention and your kids’ fancy, rest assured you are not alone. The Federal Trade Commission (“FTC”) is watching them too, but not because its counsel are itching to buy them for their progeny. Instead, the FTC is focused on enforcing the toys’ compliance with the Children’s Online Privacy Protection Act (“COPPA,” 15 U.S.C. §§ 6501−6506). COPPA and its regulatory embodiment, the COPPA Rule, aim to protect the online privacy of children under 13.Congress tasked the FTC with the statute’s enforcement. A violation of the COPPA Rule “constitutes an unfair or deceptive act or practice in or affecting commerce, in violation of Section 5(a) of the FTC Act.” The recent settlement between the FTC and VTech Electronics Ltd., a seller of Internet-connected toys, games and apps, shows that companies that sell online products to children must comply with the COPPA Rule or risk the travails attendant to a regulatory enforcement action.

COPPA grants parents ultimate control over the collection and disposition of information that websites and online service providers (“operators”) collect from children. The law applies not only to operators that target children, but also to operators that use others to collect information and to operators that have actual knowledge that information is collected from children.

The law requires that qualifying operators seek “verifiable parental consent” prior to collecting, using, or disclosing children’s personal information. Such consent can be secured through means that “must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.” For example, a parent can be asked to provide a signed consent form or call an appropriately staffed toll-free call center. The list of verification methods is not exhaustive and parties can petition the FTC to approve new ones.

Recently, the FTC approved a verification method based on “knowledge-based authentication,” a technique that uses questions that a child would struggle to answer. The FTC also approved a method that involves facial recognition software to compare two photos of the parent, one from the parent’s government-issued identification (e.g. , driver’s license or passport) and the other of the parent taken with his or her phone camera.

Excerpted from Circuits Newsletter of the Computer & Technology Section of the State Bar of Texas, May 2018. To read the full article, click here.

A version of this article also appeared in the July 2018 issue of the Texas Bar Journal. Read it here.

Email Disclaimer