The Internet evolves at such a quick pace that many legal standards quickly become antiquated. We are seeing such a development play out now with COPPA and Internet of Things devices; law and technology not meshing well at all.
COPPA and Virtual Assistants
The issue of the day is whether Internet of Things devices known as virtual assistants violate COPPA. The Guardian published an article claiming Google Talk, Amazon Echo, and Apple Siri collect information from children under 13 and target such children in marketing pieces, which suggests the need for COPPA compliance.
But is this assessment accurate?
COPPA applies to scenarios where companies collect personal information from children under 13. Typically, the FTC focuses on whether the platform being used to collect data is “directed at children under 13.” Commentators in the Guardian article suggest the inclusion of kids in marketing pieces satisfies the directed at children standard, but such a conclusion is questionable based on a previous FTC ruling involving Amazon.
In 2004, a number of privacy interest groups filed a complaint with the FTC asserting Amazon was violating COPPA. The functionality in question was a review mechanism kids could use on Amazon.com to leave reviews about toys. The complaint specifically alleged that:
“Amazon directs portions of its website towards children and, with actual knowledge of its actions, collects personal information from children, but complies with neither COPPA nor the COPPA Rule.”
The allegation is essentially the same one being made now against the virtual assistant devices.
In rejecting the complaint, the FTC made an interesting distinction regarding the targeting of children under 13. Although the Amazon website section in question listed toys for young kids, the FTC found Amazon was really targeting parents to generate toy sales. Given this distinction, the “directed at children under 13” claim failed.
Of course, COPPA compliance can also be triggered if a company has “actual knowledge” it is collecting information from children under 13. Returning to the 2004 Amazon complaint, the company provided children with an online “Kid’s Review Form” to leave reviews on toys. The privacy groups argued this functionality proved Amazon had “actual knowledge” it was collecting private information from kids under 13 – a cogent argument.
The FTC disagreed:
“Your complaint also contends that Amazon has actual knowledge that it is collecting personal information from children under 13 through its systematic monitoring of product reviews posted on its website. Amazon’s “Review Guidelines” requests that all reviewers refrain from including certain information, including profanity, phone numbers, mail address, and URLs, in their product reviews. Some reviewers nevertheless may include personal information in their reviews. Amazon screens these reviews to determine whether they include personal information in their reviews. However, it generally uses an automated system to conduct this screening, and the screening criteria do not evaluate whether the review contains personal information, including whether such information was posted by children under 13. Consequently, [the FTC] staff believes that [it] is unlikely that Amazon had actual knowledge that children had posted personal information through the produce review function.”
Put another way, the FTC bent over backward to avoid an “actual knowledge” finding. It would not be surprising to see the FTC use the same reasoning to excuse any COPPA compliance requirements for the virtual assistants. It is difficult to fault the FTC in this regard when one considers the actual application of COPPA to these virtual assistants and Internet-connected devices in general.
Actual Knowledge and Internet of Things
The FTC began looking into Internet of Things devices in 2015 and came out with a fascinating policy position. The Commission opined that no new laws are needed to address the topic, not because such legislation is unnecessary, but because we are too early in the evolution of such devices to understand the legal implications. While I am often critical of the FTC, this position is well-reasoned. Internet of Things development is still in its infancy, which makes one wary of enacting laws and passing regulations that might deter development.
Consider the virtual assistants at the heart of the current COPPA debate. Let’s pick on Amazon Echo in particular. The device is clearly not “directed at children under 13.” This virtual assistant is not the device equivalent of Dora the Explorer even if children are shown interacting with the device in marketing pieces. Unfortunately, the discussion around actual knowledge is a bit murkier.
What data collected by Echo is sufficient to trigger an “actual knowledge” finding on the part of Amazon? Consider the practical problems in making the determination. Bob Smith purchases an Echo for his family, which consists of his wife and two dogs. Clearly, there is no actual knowledge triggering event with this family profile because no children are present. However, tweak the scenario to include a 12-years-old son. How is Amazon to determine the son exists and the age of each member of the household? Requiring Bob to provide the name and age of each family member is burdensome on Amazon and going to produce an unholy racket of criticism from privacy groups.
Perhaps the answer is to consider classifications of content. If an individual tells Echo to record a Dora the Explorer episode, is it reasonable to conclude a child under 13 is making the request? Perhaps. However, the dividing line becomes less clear when the content is attractive to individuals aged 11 through 15. How Amazon or any other company is supposed to parse such information to determine if the requesting party is 12 [triggering compliance] or 14 [not triggering] is difficult to envision. The current COPPA Rule is woefully inadequate.
Who Will Think Of The Children?
Perhaps the parents? Unlike a social media website or gaming app, parents can and do act as a barrier between their children and Internet of Things devices. A parent purchases an Amazon Echo, not a child. If a parent is concerned about data collection, perhaps they shouldn’t buy the devices. We’ve managed to survive as a species for thousands of years without digital conveniences, so one surmises forgoing Internet-connected digital devices will not result in a life spent on a new ring of hell in Dante’s Inferno.
Of course, parents need information on data collection practices of these devices when deciding whether to purchase them. Clear, plain English disclosures should be a minimum requirement at the time of purchase as well as at any point in which an online account is set up by the parent. Once provided, however, parents are in the best position to determine whether introducing an Internet-connected device that collects data into their household is a prudent move.
The law and the Internet have long had a pained relationship. The concerning issue with COPPA is the law was drafted specifically for the Internet, yet is almost archaic only 18 years after its enactment. The development of new Internet-connected device technology will only age the law more so as time passes.
Is there a concise solution for the Internet of Things and COPPA conundrum? No. For commentators to suggest the interplay between the two is a simple matter is misplaced.
Richard A. Chapo, Esq.