February 8th, 2017
As the Internet of Things brings cloud-connected devices increasingly into all corners of our lives, a new area emerges in which the Children’s Online Privacy Protection Act (COPPA) will need to be enforced: cloud-connected children’s toys. COPPA applies to online services that collect personal information from children under thirteen, including voice, audio, or image files containing a child’s voice or image. Therefore, toys that use cloud-based services to allow interactivity via verbal or visual signals are likely to fall within the law’s regulations.
If the cloud-based technologies powering these toys are treated as online services under COPPA, the law’s regulations would apply to any toy marketed toward children that uses a similar technology for voice or facial prompts, as “file[s] containing a child’s voice and/or image” are considered “personal information” under COPPA. 16 C.F.R. § 312. In practice, implementing notice and consent requirements will require any such toy to be activated through an app or website where consent can be collected before any of these functions can operate. If in-app notice is deemed insufficient for inherent difficulties in readability, as the privacy advocates current complaint alleges, this universe of toy support would have to grow to include website portals or similar mechanisms. All in all, integration of online services with toys appears to be leading us into a world far more complex than Teddy Ruxpin, that past model of interactivity, and far more involved for the parents who will be required to engage in the steps to start the toys working.