Smart Toys and the Children’s Online Privacy Protection Act of 1998




Legal Sidebari

Smart Toys and the Children’s Online Privacy
Protection Act of 1998

January 8, 2018

A growing number of devices in American households, including televisions, appliances, security
systems, and heating and cooling devices, rely on Internet connectivity to perform a range of
functions. And the “Internet of Things” includes a growing number of products primarily used by
children, including “smart toys.” In the 1980’s, the popular Teddy Ruxpin bear “talked” to
children by way of a tape player hidden inside. Today, children may have real-time two-way
“conversations” with their smart toys. Sensors, mics, cameras, storage devices, speech
recognition technology, Internet-connectivity, and GPS are used to tailor the toy’s behaviors
based on the child’s interactions. Some more sophisticated smart toys may record a child’s voice
on an audio file, convert the audio to text, query a searchable database, and return an appropriate
voice response back to the child. But smart toys’ use of Internet-connectivity potentially to
collect children’s personal information may require the toys’ makers to take certain steps to
comply with the Children’s Online Privacy Protection Act of 1998 (COPPA) and its
implementing rules and requirements.

Security researchers have found that unsecured Bluetooth-enabled toys may be vulnerable to
hacking, allowing third-parties to surreptitiously communicate with a child through the Internet-
connected toy. Concern over potential misuse of such toys prompted Germany to ban certain
smart toys. In the United States, at least one legal complaint has been filed with the Federal
Trade Commission (FTC) alleging that certain smart toy makers unfairly and deceptively collect,
use, and disclose audio files of children’s voices, without providing adequate notice or obtaining
verified parental consent. Such practices are alleged to violate COPPA and its implementing
regulations, along with Section 5 of the Federal Trade Commission Act. Entities that violate
COPPA and the FTC Act potentially could, among other things, be enjoined from continuing
their unlawful conduct and face civil monetary penalties.

Congressional Research Service
https://crsreports.congress.gov
LSB10051
CRS INSIGHT
Prepared for Members and
Committees of Congress




Congressional Research Service
2
COPAA regulates unfair and deceptive acts and practices in connection with the collection and
use of personal information on the Internet from and about children under 13 years of age.
COPPA requires an operator of a website or online service directed to children, or any operator
that has actual knowledge that it is collecting personal information from a child, to provide
notice on its website of what information is collected from children by the operator, how the
operator uses such information, and the operator's disclosure practices for such information. The
COPPA Rule, through which the FTC implements COPPA, requires that operators provide notice
to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal
information from children under 13 years of age. The Rule also requires operators to keep secure
the information they collect from children. The COPPA Rule defines “website or online service”
to include connected toys or other Internet of Things Devices. The FTC enforces the COPPA
Rule, and provides guidance to companies to determine whether a company is covered by
COPPA and how to comply with the COPPA. In 2013, the COPPA Rule was amended to include
within its definition of “personal information” a photograph, video, or audio file that contains a
child’s image or voice. This modification was undertaken to clarify the scope of the Rule and
strengthen its protections for children’s personal information, in light of changes in online
technology since the Rule initially went into effect in April 2000.

This past year two federal agencies issued warnings about privacy and security risks associated
with smart toys. On July 17, 2017, the Federal Bureau of Investigation issued a Consumer Notice
about Internet-connected toys encouraging consumers to consider cyber security prior to
introducing smart toys into their homes because these toys typically contain features that could
put the privacy and safety of children at risk due to the large amount of personally identifiable
information that may be disclosed.

On October 20, 2017, the FTC issued a new Enforcement Policy Statement Regarding the
Applicability of the COPPA Rule to the Collection and Use of Voice Recordings. After the 2013
COPAA Rule amendment, several companies had inquired whether the practice of collecting
audio files that contain a child’s voice, immediately converting the audio to text, and deleting the
file containing the voice recording triggers COPPA’s requirements. In its new Enforcement
Policy Statement, the FTC advised Internet-connected toy makers that the FTC would not take
an enforcement action against an operator on the basis that the operator collects an audio file
containing a child’s voice solely as a replacement for written words, such as to perform a search
or fulfill a verbal instruction or request, but only maintains the file for the brief time necessary
for that purpose. However, the covered operator is required to provide clear notice of its
collection and use of audio files and its deletion policy in its privacy policy.

COPAA focuses on web sites and online services directed to children, or web sites and online
services that have actual knowledge they are collecting personal information from a child. While
the statute’s potential application to children's smart toys seems fairly straightforward, it might
be less clear with respect to other devices that comprise the Internet of Things which, while not
primarily directed at children, may be readily available to them. Some observers have questioned
whether “virtual assistant” devices marketed towards the general populace, such as Amazon’s
Alexa, Apple’s Siri, and Google’s Assistant may run afoul of COPPA’s requirements given those
devices’ potential use by children. These questions prompted the FTC in July 2017 to issue a
public statement specifying circumstances when the agency will seek to enforce COPPA


Congressional Research Service
3
provisions concerning the collection of audio files of children’s voices. As the Internet of Things
develops an increasingly ubiquitous role in American life, and a greater amount of personal
information about children is potentially collected through such devices, it seems likely that there
will be continuing questions about whether the approach taken by COPPA and similar laws to the
protection of such information is appropriate or sufficient.





Author Information

Gina Stevens

Legislative Attorney





Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff
to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of
Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of
information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role.
CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United
States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However,
as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the
permission of the copyright holder if you wish to copy or otherwise use copyrighted material.

LSB10051 · VERSION 4 · NEW