The FTC held meetings on the “Internet of Things” earlier this year. As government agencies often do, the Commission issued a report detailing different aspects of this new technological revolution that raise potential privacy concerns and how, for the purposes of this article, COPPA plays into the situation.
Internet of Things
The Internet of Things refers to the practice of connecting devices we use in our lives to digital hubs. The devices can range from interactive dolls to tablets to smart thermostats in your home. While the collection of data can be used to improve products, the FTC’s concern is that the data may also be used to develop consumer profiles for each of us.
In its report on the Internet of Things, the FTC suggests Congress need not issue new legislation as 1) we are too early in the development of Internet-connected devices for the legislation to be helpful, and 2) current legislation including COPPA can meet the enforcement needs of the FTC at this time. While I agree with the first assertion, the suggestion that COPPA can be used to enforce child privacy practices related to Internet-connected devices opens a can of worms.
A large can of worms.
The primary problem with applying COPPA to devices with Internet capability is that the typical process used for parental verification becomes unwieldy. Consider the new Barbie. She “communicates” with children playing with her. The doll provides verbal responses based on keywords and phrases in the statements made by the child, which are uploaded and analyzed by the company.
Mattel, maker of Barbie, is taking a public relations beating over the “creepy doll” and faces a COPPA compliance conundrum. The company is clearly collecting personal information from an Internet-connected device directed at children under 13. COPPA applies. How then does the company comply with the notification requirements as well as obtain verified parental consent? The obvious answer is to require the purchasing parent to go online and participate in a notice and verification process, a process that will need to be repeated for practically every toy in the near future.
Ah. Just imagine Christmas. The kids awake to a mystery noise in the middle of the night. Is it Santa and his reindeer on the rooftop? No. The noise is just dad knocking a bunch of boxes over in frustration as the websites of various toy manufacturers crash as millions of parents try to work through the parental verification process to activate toys.
General Audience Devices
The COPPA-Internet of Things topic only grows more complex when the electronic device in question is not “directed at children under 13” per se. In February of 2015, Samsung issued a press release that created a media storm – Samsung Smart TVs sometimes record the conversations of users. Specifically, Samsung notes:
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”
Samsung is hardly acting with subversive intent, but one has to contemplate how this collection of data might tie into a COPPA analysis. A television is clearly a device directed at and used by a general audience. COPPA compliance is not required. However, what happens if a young child contacts Samsung customer service to ask a question about ordering a movie directed at 5- to 7-year-olds through the movie section of the Samsung Smart TV? In this scenario, a website could be required to obtain verified parental consent to collect data from the child if more than one exchange occurs given the notice of actual use. Will the same be true for Internet-connected device companies?
Predicting the future is futile in most cases, but it is difficult to picture a future where Internet-connected devices are not present in our lives in large numbers. The more growth, the more unwieldy COPPA compliance becomes.
Consider Google’s transition to utter evil. The company with the “do no evil” slogan is in the process of patenting a robotic teddy bear butler. The teddy bear is designed to sync with multiple devices in your home and uplink to servers controlled by Google. The bear will then be able to take commands and learn to configure electronic devices in the home to your desired settings. What could possibly go wrong? Think of an unholy cross between the evil Chucky doll of horror movie fame and Skynet from the Terminator franchise and you have the idea.
All kidding aside, Google’s robotic teddy bear raises a host of COPPA issues. By definition, a teddy bear is a toy “directed at children under 13,” which triggers COPPA compliance requirements. Google will need to obtain parental verification with each purchase of the device, even if a child is not present in the home. Does this not seem a bit excessive?
The obvious answer to these situations is to amend the COPPA Rule to reflect the new digital environment. Given it took 15 years for the FTC to update a grossly out-of-date COPPA Rule in the past, we can’t hold out much hope for such a development. Whether it is even possible to create a new COPPA Rule that applies seamlessly to a wide variety of devices performing a wide variety of functions is questionable.
Could the Internet of Things finally motivate Congress to pass a comprehensive consumer privacy law? One would like to believe so, as the Internet of Things presents the perfect forum for debating what is necessary versus overkill in the field of privacy. Given the ongoing political gridlock in the capital, the practical outlook is less than hopeful.
Richard A. Chapo, Esq.