On October 23, the Federal Trade Commission (FTC) released new guidance on how the Children’s Online Privacy Protection Act (COPPA) Rule may apply to audio recordings of children’s voices collected by websites and online services. Reflecting the FTC’s recent focus on privacy and security concerns related to the Internet of Things (IoT), the nonbinding Enforcement Policy Statement acknowledges the value of certain voice-dependent technologies and outlines how the COPPA Rule should be interpreted with respect to the rapidly growing number of voice-enabled services and applications.
COPPA applies to operators of websites and online services (which may include connected home devices, wearables, toys, and mobile apps) that obtain personal information from children under the age of 13; it imposes restrictions on the collection, use, and sharing of such personal information, requiring notice and parental consent absent certain limited exceptions. The COPPA Rule covers sites and services that are directed to children as well as those that are not targeted to children but have actual knowledge that they are collecting personal information from children.
Following the FTC’s 2013 amendments to the COPPA Rule that added audio files that contain a child’s voice to the definition of personal information, even ostensibly innocuous audio recordings collected through the internet could trigger COPPA, creating compliance challenges for businesses in the IoT space. Many such companies do not seek to extract personal information or a child’s voice from the audio files they collect. Rather, they retain only the content of the communication using speech recognition software that processes audio in a way that disregards the sound of the speaker’s voice. Nevertheless, the addition of “audio file” to the definition of personal information gave rise to several lawsuits alleging that certain internet-connected toys with audio capacity violated the COPPA Rule.
In its new guidance, the FTC indicates that if a company “collects an audio file containing a child’s voice solely as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request, but only maintains the file for the brief time necessary for that purpose, the FTC would not take an enforcement action against the [company] on the basis that the [company] collected the audio file without first obtaining verifiable parental consent.”
This new nonenforcement policy appears to open the door for companies to integrate certain voice-enabled features into their products without creating COPPA compliance risk. That said, the guidance is merely a policy of nonenforcement, not a formal amendment to the COPPA Rule. Although COPPA does not provide a private right of action, in recent years plaintiffs’ attorneys have brought cases alleging COPPA violations under state consumer protection acts that do. Accordingly, the makers of children’s IoT products that otherwise might benefit from the FTC’s nonenforcement policy may still be stifled by the threat of civil lawsuits under state law.
In addition, IoT products that use voice recognition may trigger COPPA restrictions in other ways. Even if audio files are deleted in line with the FTC’s guidance, a company could obtain a child’s personal information through speech-to-text processing if the child provides the personal information orally, whether or not the voice is recorded. As such, a company that markets its connected device or mobile app to a youth audience may need to get COPPA-compliant verifiable parental consent prior to collection via audio file, even if the only data collected is in speech-to-text form. Software work-arounds may help mitigate this concern. For instance, a toy might be programmed to recognize and transcribe only certain key terms, and thus not inadvertently collect extraneous information offered by a child.
It is also worth noting that even if a parent provides the requisite verifiable consent when enabling a child’s connected toy, he or she would not have authority to consent on behalf of the parents of other children whose voices might later be captured by the toy during a play date. And companies that use voice recognition software to allow connected devices to distinguish between individual voices should be aware that the FTC’s new enforcement policy does not carve out an exception for audio files used for identification purposes.
The FTC also emphasizes in its new guidance that even if verifiable parental consent is not required, companies still must provide clear COPPA-compliant notice regarding how they collect, use, and dispose of audio files, and they may not use such audio files for any other purpose (such as behavioral targeting) prior to deletion.
In conclusion, although the FTC’s new policy addresses one particular COPPA compliance concern, there remain myriad regulatory obstacles to the robust development of IoT products and services for children. Additional formal rulemaking may be necessary to create an environment that can support meaningful innovation when it comes to the use of IoT and artificial intelligence in children’s products.