FTC Updates Children’s Online Privacy Protection (COPPA) Compliance Plan To Include Connected Toys

The Federal Trade Commission ("FTC") announced that it has updated its COPPA Compliance Plan to specifically cover toys intended for children. COPPA requires website operators and online services to obtain verifiable parental consent before collecting any personal information from children 12 years or younger. The FTC’s updated guidance, however, clarifies that certain web-enabled products directed to children under 13 with "Internet of Things" functionality may also be subject to COPPA. "Internet of Things" devices can include connected toys that collect personal information, such as voice recordings or location data. 

two little girls

The FTC looks at a variety of factors to see if a site or service is directed to children under 13, including the subject matter of the site or service, visual and audio content, the use of animated characters or other child-oriented activities and incentives, the age of models, the presence of child celebrities or celebrities who appeal to kids, ads on the site or service that are directed to children, and other reliable evidence about the age of the actual or intended audience.

 If your website doesn’t target children as its primary audience, but is “directed to children under 13” based on those factors, you may choose to apply COPPA protections only to users under age 13. If that’s what you decide to do, you must not collect personal information from any users without first collecting age information.

two devices

For users who say they are under age 13, don’t collect any personal information until you have obtained verifiable parental consent.

In addition to specifically including "connected toys or other Internet of Things devices," the FTC’s Compliance Plan includes a broad list of commonly available services, such as "mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads); internet-enabled gaming platforms; plug-ins; advertising networks; internet-enabled location-based services; and voice-over internet protocol services."

Not all web-enabled products or services are subject to COPPA obligations, of course, but if your product or service is directed to children under 13, you may find yourself subject to COPPA’s stringent regulatory requirements. If you are subject to COPPA, you will need to post a COPPA compliant privacy policy and obtain verifiable parental consent before collecting personal information from children. 

mom and son

The FTC’s COPPA Compliance Plan provides further details, but some of the options for getting parents' verifiable consent have also been updated, including having parents "answer a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer" or using facial recognition to get a match with a verified photo ID such as a drivers' license. Finally, the FTC has the statutory authority to pursue fines and civil penalties of up to $16,000 for each COPPA violation. The amount of civil penalties a court may assess may turn on a number of factors, including the egregiousness of the violations, whether the operator has previously violated the federal law, the number of children involved, how the information was used, and the size of the company.


For more information on the FTC’s COPPA Compliance Plan, click here or review COPPA Privacy Rule at 16 CFR 312. If you have any questions about how this regulatory development may impact your product or service, please contact your Baker McKenzie attorney or any of the authors of this Alert.

Leave a Comment