Guidance from the FTC says “Don’t Worry: It’s Just a Phrase"
In a new policy enforcement statement, the Federal Trade Commission (“FTC”) has provided additional guidance on when verifiable parental consent must be obtained for a website operator or provider of online services to receive or use voice recordings from children under 13. Under the Children’s Online Privacy Protection Act (“COPPA”), verifiable parental consent must be obtained prior to collecting personal information from children over the internet. The definition of “personal information” includes audio files such as voice recordings. 16 C.F.R. § 312.2. However, in the recent policy enforcement statement, the FTC has stated it will not take enforcement action (subject to the limitations described below) against parties who do not obtain parental consent when a voice recording is used “solely as a replacement of written words” so long as the voice recording is (a) briefly used solely for that purpose; and (b) is deleted immediately thereafter. In doing so, the FTC made a distinction between voice recordings that are made in connection with purposes such as verbal searches or verbal instructions to a connected device and voice recordings that are made for other purposes. According to the FTC, voice recordings made for the purpose of verbal searches and verbal instructions are the result of a technological evolution where voice is beginning to replace written words in some scenarios.
The FTC was clear that certain limitations applied to the foregoing non-enforcement policy. First, this new policy does not apply to requests for voice recordings that contain other types of personally identifiable information, such as a child’s name. Second, the new guidance does not relieve online operators from their obligation to provide a COPPA-compliant privacy notice regarding the collection, use, and deletion of voice recordings from children under 13. Third, the voice recording cannot be used for any other purpose than for which it was obtained (i.e. behavioral tracking) and it must be immediately destroyed. Fourth, this non-enforcement policy does not relieve online operators from any other applicable compliance requirements under COPPA. Therefore, while this new policy may be a welcome relief for certain operators, it may be of limited applicability.
If you have any additional questions regarding COPPA, please contact the author or a member of Polsinelli’s Privacy and Data Security team.