The Federal Trade Commission (“FTC”) released an updated version of its guidance on complying with the Children’s Online Privacy Protection Act (“COPPA”) on June 21, 2017. Companies that collect personal information from children under 13 years of age need to comply with COPPA. To help companies with COPPA compliance, the FTC’s guidance presents a six-step plan:

  • Step 1: Determine whether your company is a website or online service that collects personal information from kids under 13;
  • Step 2: Post a privacy policy that complies with COPPA;
  • Step 3: Notify parents directly before collecting personal information from their kids;
  • Step 4: Get parents’ verifiable consent before collecting personal information from their kids;
  • Step 5: Honor parents’ ongoing rights with respect to personal information collected from their kids; and
  • Step 6: Implement reasonable procedures to protect the security of kids’ personal information.

The updated guidance makes two important changes. First, the FTC clarifies that “website or online service” includes Internet of Things devices as well as connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data.

Second, the updated guidance provides two additional methods by which businesses can obtain verifiable consent from parents to collect personal information from children:

  • Parents can answer a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer; or
  • Parents can provide a picture of a driver’s license or other photo ID which is then compared to a second photo submitted by the parent using facial recognition technology.