UNITED STATES OF AMERICA
Federal Trade Commission
WASHINGTON, D.C. 20580

Office of the Chairman
Acting Chairman Maureen K. Ohlhausen

June 22, 2017

The Honorable Mark R. Warner
United States Senate
Washington D.C. 20510

Dear Senator Warner:

Thank you for your May 22, 2017 letter expressing your concerns regarding children’s privacy as it relates to Internet-connected products. I fully share your concern about the need to protect sensitive personal information collected from children, and appreciate the opportunity to discuss our work in this area. In particular, I agree with you that, when companies surreptitiously collect and share children’s information, the risk of harm is very real, and not merely speculative. The Federal Trade Commission (“FTC” or “Commission”) is committed to vigorously enforcing the Children’s Online Privacy Protection Act (“COPPA”) through its COPPA Rule.[1]

The COPPA Rule applies not only to websites, but also to other online services, including connected toys and associated mobile apps. Indeed, given the growing popularity of connected toys, the Commission recently updated its COPPA business guidance – The Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business – to explicitly state that COPPA covers connected toys.[2] Additionally, Commission staff engages in extensive outreach on COPPA compliance and has engaged with industry and other stakeholders on the applicability of COPPA to connected toys as well as other Internet of Things (“IoT”) devices. Below are responses to your specific questions.

1. While the Children’s Online Privacy Protection Act (COPPA) has requirements regarding the security of children’s data, hacks of companies like CloudPets and VTech have shown that children’s data is still vulnerable. Do COPPA’s data security – including retention and data minimization – standards need to be updated? Are companies ignoring COPPA requirements, or are COPPA requirements not keeping pace with developments in data security and cyber security best practices?
[1] Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501-6506; Children’s Online Privacy Protection Act Rule, 16 C.F.R. Part 312.

[2] Federal Trade Commission, The Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business, https://www.ftc.gov/system/files/documents/plain-language/BUS84-coppa-6-steps.pdf (last visited June 20, 2017) (“In addition to standard websites, examples of others covered by the Rule include: . . . connected toys or other Internet of Things devices.”).
The Honorable Mark R. Warner – Page 2

The FTC has long recognized the need for companies to have strong data security practices in place to protect children’s personal information. Indeed, since 2000, the FTC has brought over 20 COPPA cases and collected millions of dollars in civil penalties.[3] In order to ensure that its COPPA Rule was keeping pace with changing technology and new threats, in 2013 the Commission updated and strengthened the Rule’s security requirements. In addition to requiring operators to establish their own data security procedures, the Rule now requires operators to “take reasonable steps to release children’s personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of such information.”[4] As an additional protection, the Rule also now imposes data retention and deletion requirements on covered operators.[5] These new requirements are intended to protect against unauthorized access of children’s information. I believe these changes to the COPPA Rule adequately protect the security of children’s personal information, and, where companies ignore these data security requirements, the Commission is committed to using its existing enforcement tools. The Commission has entered into approximately 60 data security settlements related to companies’ failure to protect consumers’ personal information.[6] The FTC will continue to monitor this area to determine whether any Rule changes become necessary.
2. Does the FTC need additional authority from Congress to regulate the remote storage of data by operators or by third parties who store and handle children’s personal information?

One benefit of COPPA is that it allows the Commission to conduct rulemaking under the Administrative Procedures Act to promulgate and update rules.[7] This allows us to keep pace with technological developments, as we did in our COPPA rule update in 2013.[8] At that time, the FTC took several steps to address third parties’ collection and handling of personal information on child-directed sites and online services. First, as discussed above, the Commission amended the Rule to require operators take reasonable steps to release children’s personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of the information, and who provide assurances that they will maintain the information in such a manner.[9] Second, the Rule now states that entities that have actual knowledge they are collecting personal information from another website or online service directed to children will be subject to the COPPA Rule.[10] Third, the Commission can hold operators of child-directed sites or services liable for personal information collected on their site or service by third parties.[11]

The FTC is committed to enforcing these new provisions. For example, the FTC brought cases against two app developers, Retro Dreamer and LAI Systems, for allegedly allowing third parties to collect personal information from the users of their child-directed apps without first obtaining verifiable parental consent.[12] The companies settled with the FTC. More recently, the FTC brought a case against InMobi, a mobile advertising network that the FTC alleged had actual knowledge it was collecting personal information from users of child-directed apps without first getting parental consent.[13] InMobi settled these allegations.

[3] Federal Trade Commission, Privacy & Data Security Update (2016), https://www.ftc.gov/reports/privacy-data-security-update-2016#children (last visited June 19, 2017).

[4] 16 C.F.R. 312.8.

[5] 16 C.F.R. 312.10.

[6] See Federal Trade Commission, List of FTC Data Security Cases (last visited May 31, 2017); see also Commission Statement Marking the FTC’s 50th Data Security Settlement.

[7] 15 U.S.C. § 6502(b).

[8] 78 Fed. Reg. 3972 (January 17, 2013).

[9] 16 C.F.R. 312.8.
3. In the case of a civil enforcement action related to a violation of either Section 5 or COPPA, does the FTC’s injunctive authority extend to requiring defendants to recall insecure products designed for, marketed, and sold to U.S.-based consumers? Under what circumstances might the FTC require a ‘buy back’ for insecure products, as it did in a recent Section 5 case involving an automaker’s deceptive marketing?

Section 13(b) of the FTC Act, 15 U.S.C. § 53(b), provides that the Commission may seek preliminary and/or permanent injunctive relief to remedy “any provision of law enforced by the FTC,” including Section 5 and COPPA.[14] In addition to permanently enjoining specific conduct, the Commission may also obtain various kinds of equitable relief to compensate for past violations. It was through this provision of law that the FTC’s order against Volkswagen Group of America, Inc. required the company to buy back certain vehicles that consumers purchased as a result of the automaker’s deceptive marketing.[15] Although the Commission has not yet required companies to buy back IoT devices that we alleged were not reasonably secure, the Commission has required companies to provide other relief to make consumers whole. For example, in the consent order against HTC, the Commission required the company to develop and deliver patches for millions of smartphones in order to address security vulnerabilities in the devices.[16] And, in a settlement with wi-fi router

[10] 16 C.F.R. 312.2 (see definition of “Website or online service directed to children”).

[11] 16 C.F.R. 312.2 (see definition of “operator”).

[12] United States v. Retro Dreamer, Case No. 5:15-CV-2529 (C.D. Ca. Dec. 17, 2015) (COPPA Consent Decree); United States v. LAI Systems, Case No. 2:15-CV-9691 (C.D. Ca. Dec. 17, 2015) (COPPA Consent Decree).

[13] United States v. InMobi Pte. Ltd., Case No. 3:16-CV-3474 (N.D. Ca. June 22, 2016) (COPPA Consent Decree).

[14] The FTC enforces COPPA and the COPPA Rule through the FTC Act. COPPA provides, “[T]his title shall be enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.).” See 15 U.S.C. § 6505(a).

[15] FTC v. Volkswagen Group of America, Inc., Case No. 3:16-CV-1534 (N.D. Ca. filed March 29, 2016).

[16] In the Matter of HTC America, Inc., FTC File No. 122 3049 (June 25, 2013).