The Federal Trade Commission (FTC) has provided new guidance on how it will enforce the Children’s Online Privacy Protection Act (COPPA) against companies collecting voice recordings from children, loosening the rules on how companies can collect and use voice data. Under the guidance, online services covered by COPPA can now collect voice recordings from children without obtaining verifiable parental consent so long as they collect and use the voice recording solely as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request, and maintain the file for only the brief period of time necessary for that purpose. The FTC’s publication builds on previous FTC guidance making clear that COPPA applies to Internet of Things devices, including connected children’s toys. The publication marks the first time that the FTC has publicly signaled that it will refrain from bringing enforcement actions in circumstances where it believes COPPA has been violated.
COPPA and Voice Recordings
The FTC rule implementing COPPA, which governs websites’, apps’, and other online services’ collection of personal information from children, was updated in 2013, expanding the definition of personal information to include a broad array of data, including photos, videos, or audio files that contain a child’s image or voice in addition to information such as names, email addresses, and phone numbers. Based on the text of the revised 2013 COPPA Rule, a company would need to obtain verifiable parental consent before collecting voice recordings from a child. However, some companies questioned whether a “collection” even occurs if a company stores the audio file only momentarily while converting the file to text and then immediately deletes the underlying file.
FTC Enforcement Policy Statement
The FTC issued its “Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings” on October 23, 2017, to respond to companies’ inquiries on this point. The FTC confirmed that a collection indeed occurs for purposes of the COPPA Rule as soon as the operator gathers the audio file, regardless of how long the operator maintains possession of it. Nonetheless, the FTC made clear that it will not bring COPPA enforcement actions against online services that collect voice recordings from children without parental consent, so long as the online service collects the audio file containing a child’s voice only as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request, and maintains the file only for the brief period of time neessary for that purpose. The FTC set forth the following additional limits:
- While the online service need not obtain verifiable parental consent, it does still need to provide notice in its privacy policy regarding how it collects and uses audio files, as well as its policy for deleting the audio files.
- If online services collect information in the audio file that would otherwise constitute personal information, such as the child’s name, the policy of non-enforcement does not apply (that is, the online service will need to obtain verifiable parental consent).
- The online service may not make other use of the audio file in the brief period before the file is destroyed — for example, for behavioral targeting or profiling purposes, for identification purposes through voice recognition, or for posting, selling, or otherwise sharing the file with third parties.
Behind the new policy is the FTC’s recognition that using voice as a replacement for written words in performing search and other functions on internet-connected devices has value for consumers such as children who have not yet learned to write. The FTC also explained that there is little risk that an audio file will be used to contact a child where the online service can use the audio file only to replace written words and then must immediately delete it. It is important to note that the FTC’s reasoning regarding voice recordings does not apply to other types of personal information. For example, if an online service collects a photo or precise geolocation information without verifiable parental consent, uses it only momentarily, and then destroys the data, the FTC’s policy of non-enforcement does not apply.
Implications for Business
Online services covered by COPPA are now afforded greater flexibility in collecting audio files from children without parental consent. Nevertheless, the limits on this policy must be closely observed, or companies will be at risk of an FTC enforcement action.