Last week, the Federal Trade Commission (“FTC”) released a policy enforcement statement to provide additional guidance under the Children’s Online Privacy Protection Act (“COPPA”) for organizations that use audio voice recordings of children. This additional guidance builds on the FTC’s 2013 updates to COPPA that brought additional data types, such as photographs, videos and audio files containing images of children or their voices, under COPPA’s regulatory authority.

This “non-enforcement policy” confirms for the industry and the public what the FTC has been telling individual companies in response to individual inquires: namely, that the FTC is not interested in enforcing COPPA where an application or internet-enabled device allows children to make voice commands in place of written inputs to perform a search or fulfill a verbal instruction or request, so long as the operator maintains the data file for a very brief time period necessary for that purpose and none other.

This policy does NOT change most of the regulatory requirements associated with such devices that collect voice commands. In particular:

  • it does not turn the application or internet-enabled device into a general audience site, app, or service. If the internet service at issue is “directed to children”, as that phrase is interpreted under COPPA, then all of the other requirements associated with COPPA compliance apply;
  • the operator must continue to provide a COPPA-compliant notice, including clear notice of its collection and use of audio files and its deletion policy, in its privacy policy;
  • the policy does not apply if the operator is asking for a name and other personal information. Thus, the policy would not apply if an operator were asking for the verbal input of contact information for a sweepstakes entry. (There is another exception for a one-time collection of online contact information that can be used in the sweepstakes entry context);
  • the policy also does not apply if the operator makes any other use of the audio file other than merely to effectuate the requested function. For example, if the operator engages in behind-the-scenes analytics of the audio file, or any sort of behavioral targeting or profiling based on the audio file, the policy would not apply;
  • if the operator uses the voice to identify a child or posts, sells, or shares the audio file, the policy will not apply;
  • if the operator goes beyond collecting the child’s voice for the narrow purpose of enabling the child to give a command or effectuate a search request, all verifiable parental consent requirements will apply.

Takeaway: In an age in which the use of digital assistants is becoming more prevalent and voice-command devices are becoming more commonplace, it makes sense for the FTC to acknowledge that children will naturally assume that they can talk to devices to make them work and obtain desired information. From a practical standpoint, it would be wise to consider this announcement to be a very narrow exception designed to enable innovation in the voice-recognizing device industry and to expand that industry, especially in the context of applications, like toys, that are targeted to children.