Amazon Accused of Violating Children's Privacy: Businesses and the Children’s Online Privacy Protection Act
Amazon's Echo Dot Kids is illegally violating children's privacy, per a complaint filed with the Federal Trade Commission. The Campaign for a Commercial Free Childhood & Center for Digital Democracy, along with a number of other groups, allege Amazon's children's smart speaker collects information in violation of the Children's Online Privacy Protection Act (COPPA).
What is COPPA?
When visiting nearly any website, including this one, you will see a popup alerting you to review our terms of service and privacy policy. You almost assuredly did not review either document, but you have agreed to a number of things, including consent to the type of information we collect, why we collect it, and how we process it. In the same way a child could not agree to a contract, they cannot consent to a privacy policy.
With the increase of online data collection, Congress passed COPPA in 2000 to protect children from companies that target and profit from children's personal information. If a company targets those under 13, or knows those under 13 use their website, service, game, or app, they need to take steps to get into compliance with COPPA.
What are the COPPA requirements?
COPPA is intended to get parental consent for data processing of persons under 13. The requirements fall generally under notice, consent, access, integrity, and limits.
Notice requires a clear and comprehensive online privacy policy describing what information is collected, why it is collected, and how it is processed. While not required in every state, a privacy policy should be included on every website and app.
Consent requires verifiable parental consent. For instance, once Microsoft and Google have identified the user is under 13 years old, they will process a small credit card transaction to verify the parent's identity. Amazon uses the same process, however, it is unclear that's an acceptable way to verify parental consent. Smaller organizations can use third-party verification or even email confirmation. The California Consumer Privacy Act, effective on January 1, 2020, will additionally require affirmative consent from Californian children ages 13 to 16.
Access means the user's parents must be able to access information collected about their child, and ultimately, refuse further processing on the information. You can see this added protection embodied in both the EU's General Data Protection Regulation and the California Consumer Privacy Act.
Integrity relates to keeping the data protected from breaches, modifications, and third parties that cannot maintain the data's integrity. Typically data is protected by physical, technical, and administrative means. Physical locks, firewalls and encryption, and limiting employee access are examples of each, respectively.
Limits encompass limiting what information is collected and how long it is kept. Similar to the General Data Protection Regulation, children's personal information must be limited to what's needed to process their information, and there should be a defined data life cycle. Google may keep a list of your search history, but doesn't require users to input things like their Social Security number or home address. A data life cycle requires a company to determine a purpose for collecting personal information and when the purpose is complete. Personal information should no longer be processed at that time, and should either be deleted or securely stored.
Fines for COPPA violations
The FTC can levy fines for COPPA violations ranging from $16,000 to $40,654 per violation. This law sunk Dinesh Chugtai's time running Pied Piper in HBO's Silicon Valley after facing an estimated $21 billion in FTC fines.
Luckily, the FTC hasn't been that strong-armed, with the biggest fine coming from early 2019. TikTok, a video app targeting teens, collected names, email addresses, video, and audio of children under 13.
The FTC will investigate potential violations, and offer violators to agree to a consent decree. Here, TikTok agreed to pay $5.7 million and to comply with COPPA instead of fighting the claims.
Violations have historically hovered around $1 million, but many expect some social media companies like Facebook to face steeper fines in the near future.
What did Amazon do wrong?
A smart speaker is a lot different than a website or app but the same COPPA standards apply. Per the complaint, the Echo Dot collects lots of child information and pairs the information with persistent identifiers linking the information to that child. Amazon's privacy notice is allegedly not compliant with COPPA, their consent verification is insufficient, information is kept too long, rights to delete the information are not simple or enforced, and the speaker can collect information from other children, among other complaints.
Most alarming is the Echo Dot reportedly will recall deleted information. That is a clear violation of COPPA but also disturbing for users who may feel the device cannot be trusted.
While the FTC should investigate the allegations, if proven true, could result in a sizable fine. With millions of Echo Dots sold, it could easily become the biggest COPPA fine in history.
What every business must know about COPPA
There is a different standard for children even if information collected does not appear sensitive. Any online product or service that targets teen or children users must ensure compliance with COPPA as described above. With new California legislation targeting larger organizations, children's privacy cannot be ignored.
Businesses should consider if COPPA applies by determining if they have users under 13, or if there is a way to find out. Moving forward, age verification can help prove or disprove children users.
Is your business COPPA compliant? A qualified privacy attorney and Certified Information Privacy Professional (CIPP/US) can assist with compliant privacy practices.
To contact us, or to sign up for our newsletter, please visit our Contact page or reach out to the relevant attorney directly through their bio page. In addition, you can find primary contacts for each practice area by visiting our Areas of Practice page.