Children's Products and the "Internet of Things": Data Privacy Beyond COPPA
In this internet age, “smart” children’s products—those that collect, transmit, or store electronic data—are on the rise. By some estimates, the smart toy market will reach $11.3 billion in sales by 2020. Manufacturers of smart products, including toys, baby monitors, and children’s wearable devices, are likely aware of the Children’s Online Privacy Protection Act (COPPA), which is specifically aimed at protecting the online privacy of children under the age of 13. Last year, we published a discussion of that law as it applies to mobile apps. But COPPA is not the only law that could apply to smart children’s products. A number of other laws, such as the Federal Trade Commission Act, the Health Insurance Portability and Accountability Act, and state data privacy laws, could be applicable depending on the type of information collected and shared. Manufacturers of smart children’s products should keep these laws in mind as they assess data privacy compliance, as each of these laws is likely to be strictly enforced when data related to children is at issue.
Section 5 of the Federal Trade Commission Act (FTC Act) bars unfair and deceptive acts and practices in or affecting commerce. Since 2002, the FTC has brought over 60 cases under this law alleging that companies’ data security practices put consumers’ personal data at risk. The courts have upheld the FTC’s authority to use Section 5 to address alleged cybersecurity issues.
The reach of the FTC Act is broad—much broader than COPPA. For example, COPPA generally applies only to certain entities that provide online services directed to children under the age of 13 (or companies that know they are collecting personal information from children under 13). The FTC Act, however, applies to all entities whose practices affect interstate commerce; in other words, almost every company. COPPA is also limited to information collected from children under 13 while the FTC Act could apply to information about children of any age, regardless of whether it is collected from a child, their parent, or others. Because the FTC is the federal agency responsible for enforcing COPPA, an enforcement action under the FTC Act could be brought in conjunction with an action under COPPA (if applicable) or as a stand-alone action in an instance where COPPA does not apply.
The FTC Act is less specific than COPPA with regard to what conduct is prohibited. While COPPA has fairly detailed requirements and prohibitions, the text of the FTC Act simply prohibits “unfair and deceptive” acts. Despite (or maybe because of) the vague wording of the FTC Act, the FTC has issued a number of guidance documents about data privacy and cybersecurity issues, including guidance focused specifically on the internet of things and mobile health apps. The FTC has also stated that compliance with the NIST Cybersecurity Framework “is consistent” with the agency’s “process-based approach” to cybersecurity and the agency’s “educational messages to companies.”
Most people have probably heard of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA sets standards for disclosure of protected health information by covered entities and business associates. HIPAA also has specific standards for protecting certain health information held in electronic form. In most instances, manufacturers of children’s products would not be governed by HIPAA, even if the product, such as a baby monitor or a child’s wearable device, collects and stores health information. That is because the “covered entities” governed by HIPAA are generally limited to health plans, health care clearinghouses, and health care providers. If a customer buys a child’s wearable device for personal use, the device is most likely not covered by HIPAA. If the same device is obtained through a pediatrician or a hospital, however, HIPAA may apply to the information collected and shared by that device. Some manufacturers of wearable devices have decided to comply with HIPAA in order to facilitate the distribution or subsidization of their product through group health plans. In addition, some customers may feel more secure purchasing a product if they know that their child’s health information is being protected by compliance with HIPAA standards.
State Data Privacy Laws
Manufacturers of smart children’s products should not discount state law. Data privacy laws vary greatly among the states. Some states require only “reasonable safeguards” to protect personal information that is collected or maintained by companies, while other states impose more granular requirements for cybersecurity.
In June of 2017, Washington joined Illinois and Texas to become the third state to enact a biometric privacy law. Generally, these laws prohibit the collection of biometric information used to identify an individual—such as fingerprints, voiceprints, or retina scans—without prior consent. Smart toys that have fingerprint locking capability or voice recognition capability would likely be subject to these biometric laws. It is important to analyze the data privacy and cybersecurity laws of any state from which information may be collected by a smart children’s product.
Manufacturers and distributors of “smart” products, particularly those that collect, transmit, or store data related to a child, should be familiar with the requirements of COPPA, the FTC Act, HIPAA, and state data privacy laws. Each of these laws is geared toward protecting consumer privacy and is likely to be strictly enforced, especially when data related to children is at issue.