The FTC recently announced the removal of Aristotle International, Inc. from the list of seven approved safe harbor programs under the Children’s Online Privacy Protection Act. Programs that are approved by the FTC must place requirements on participating organizations that are the same -or greater- than the requirements of COPPA. (As we have reported in the past, COPPA requires, inter alia, getting verified parental consent before collecting personal information from children online.) Companies that participate in those approved COPPA safe harbor programs are deemed in compliance with COPPA. Such protection can be valuable with a law, like COPPA, that has been found to be confusing to operationalize.

Continue Reading A COPPA First: Safe Harbor Program Removed From Approved List

The ICO first began its examination of Bounty UK Ltd. (a support club for parents) when the ICO was investigating the data brokerage industry generally, of which it viewed Bounty as taking part (given that it shared member information with third parties like Acxiom and Equifax). Here, in reaching its conclusion that the company had violated UK privacy laws, the ICO found the volume of sharing in which Bounty engaged “unprecedented,” and accused the company of both “careless data-sharing” as well as violations of the UK law that pre-dated GDPR (the violation having occurred prior to the law’s May 2018 implementation date). Interestingly, the violation has been described by commentators as a “data breach,” although it did not involve the typical “hacker” scenario that one thinks of when contemplating a breach. Instead, the company collected information and shared it with third parties without appropriate notice and consent.
Continue Reading UK ICO Fines Parenting Club £400,000 Over Breach Involving PII of Mothers and Babies

The settlement between VTech Electronics Ltd. and the FTC in the first Internet-connected toys COPPA case is a reminder for companies looking to enter the connected toys space not to forget this child-focused law.

The FTC complaint alleged that VTech violated the Children’s Online Privacy Protection Act and the FTC’s COPPA Rule because it collected personal information from children without parental consent. According to the FTC, VTech markets and sells various “electronic learning products,” which it targets to 3- to 9-year-olds. Those products have an area similar to an app store, and one of the apps available is called Kid Connect. Kid Connect, the FTC explained, lets children communicate with other users. Although parents did have to sign children up for the interactive features of the VTech products, the FTC had concerns about the compliance of the consent process. Namely, that VTech did not have a way to verify that the person submitting consent was the parent, not the child him or herself. Also of concern for the FTC, and in violation it alleged of COPPA, was not having a link to the privacy policy in all areas of Kid Connect where personal information was collected. And in some instances, like the Kid Connect registration page, the privacy policy link was not sufficiently prominent. Additionally, some of the information required by COPPA to be included in a privacy policy was missing. This included VTech’s address and email address, a full description of what information was being collected from children, and the parent’s right to review/delete children’s personal information.
Continue Reading Connected Toys, COPPA, and What’s Next

The FTC announced that it has given guidance on when the Children’s Online Privacy Protection Act (COPPA) requires collection of parental consent before collecting voice recordings online from children under 13. The issue arose because, as the FTC noted, voice is beginning to be a “replacement for written words,” especially when conducting searches or instructing digital devices. COPPA requires collecting parental consent before collecting personally identifiable information from children online. The definition of “personal information” under COPPA is broad, and includes audio files. Arguably, then, online operators would need parental consent before children “submitted” audio files, including in the form of conducting verbal searches or giving verbal instructions to their connected device.
Continue Reading FTC Gives COPPA Guidance on Voice Recordings