The COPPA rule prevents kids from having their personal information hoovered up and distributed online the way adults often consent to. Verifiable parental consent is required if that information is to be collected — but the FTC has just relaxed the rule just enough that common tasks like searches can be done for kids without risk to the operator.
The issue was that, under the current rules, any audio from a kid is considered as being “collected” — which isn’t a problem if it’s in the Sesame Street app or something, where parents will have already consented to its use. But what at some random time a kid is saying “call 911!” or trying to turn off the music? Should Amazon or Apple wait to get consent from the parents before carrying out these tasks?
In a guidance statement issued today, the FTC said “no,” cutting out simple interactions like this from the COPPA requirements.
The Commission recognizes the value of using voice as a replacement for written words in performing search and other functions on internet-connected devices. Verbal commands may be a necessity for certain consumers, including children who have not yet learned to write, or the disabled.
The rule remains the same, but the Commission won’t pursue any action against companies that collect the data, turn it into text for the purposes of tasks that don’t involve personal information, and then immediately delete it.
This is probably a load off the minds of the legal teams at dozens of companies, where technically their basic functionality was possibly illegal. As long as the data is handled properly, they won’t be in violation.
The FTC does add, however, that it’s not a free-for-all. The process of this collection and deletion must be well-documented and consented to (at least via EULA). The companies can’t request personal data via voice (i.e. asking a kid’s name for a game or configuration) and they can’t use that window of legality to do anything else with the data other than convert it to text.