Sticking a Hand in the Internet Cookie Jar

But, why would, say, a refrigerator maker have to worry about COPPA? If the smart refrigerator incorporates voice-activated apps designed to promote healthy eating among children, for example, a 12 year old could have her voice “listened to,” potentially recorded and acted upon. Suddenly, this refrigerator manufacturer can be subject to regulatory fines for not following COPPA to the letter.

Traditionally, only companies “marketing to children” had to concern themselves with COPPA, but with the IoT and even expansion of targeted, online advertising, more companies potentially fall into COPPA's net. To determine whether a company is marketing to children, the FTC will look at: “the subject matter of the site or service, visual and audio content, the use of animated characters …, the age of models, the presence of child celebrities or celebrities who appeal to kids” and other factors. However, COPPA also contains a catchall provision for “any operator that has actual knowledge that it is collecting personal information from a child.” See, http://bit.ly/2HrH5wV.

If a company's website or services ask for age, grade, or any other details that allow a company to identify the age of users, then they could have “actual knowledge” of children. For example, as a result of collecting age data, the FTC fined Yelp $450,000 because, by requesting age when registering an account, they were aware of the collection of information on children under 13, and they failed to follow the COPPA notice and parental consent requirements. While Yelp was not designed to help children find a review on the latest craft breweries or get revenge for a cold burrito, the FTC invoked the “actual knowledge” clause to fine them. See, .

But let's say you aren't actually a website provider, but instead are in the industry of pop-up ads and spam content. Even these industries may be exposed to liability under COPPA. Third party services providers, including “ad network and plug-in [operators]” can be liable under COPPA if they are informed about the child-marketing nature of the sites for which they provide ads or plug-ins. This means even though a ten-year-old may want to learn how “a startup company has revolutionized car insurance in their zip code” or how “scientists are baffled by this one neat trick to lose weight fast,” those ads may be subject to COPPA penalties, even if it is not being marketed to children intentionally.

Conversely, if you are the operator of a children's website or app and you allow third parties to collect advertising information, you can be the one held liable. For example, the app developer Retro Dreamer was fined $300,000 for allowing third-party advertisers to gather information that originated in their apps like Ice Cream Jump, Happy Pudding Jump, Ice Cream Drop, Sneezies, Wash the Dishes, Cat Basket and Tappy Pop. See, .

COPPA Penalties

The penalties for violating COPPA vary, but they can be up to $41,484 per violation. See, http://bit.ly/2Hs2m9V. These numbers can add up quickly, and a seven-figure settlement is not unheard of. In a recent case, the children's tech company VTech was fined $650,000 for violating COPPA following a data breach that led to the disclosure of 6.3 million children's profiles that VTech collected. See, https://bbc.in/2HvuE3k.

Whether through integrating “smart components” or through integrating ad companies on your website, new COPPA pitfalls abound. And there are many challenges to COPPA compliance, especially if you do not fully realize you are subject to COPPA.

Of particular interest is the requirement to delete data collected from minors, even without any request to do so. As the FTC reminded companies in a May 2018 press release, COPPA requires the data be deleted once it has “fulfill[ed] the purpose for which the information was collected.” See, http://bit.ly/2HtOXOJ. This means the burden is on companies to determine when the data has served its purpose, and they must act unilaterally to delete unused data. For those already undertaking GDPR compliance, the concept of data minimization is already familiar, even if it remains painful. But, even for those companies that have escaped the GDPR, if they collect children's data, they must know to delete it.

Another requirement concerns location information. The FTC has recently warned two foreign companies, Gator Group Co. Ltd. and Tinitell, Inc., over the distribution of mobile phones and smartwatches that were marketed to children. These devices gathered location information through the use of a GPS receiver without prior parental consent (yes, location of a child is protected by COPPA as well). These warnings also indicate FTC's determination to exercise jurisdiction even over non-US companies.

Furthermore, in a 2014 incident, Mattel was fined $250,000 for embedding YouTube videos in their websites that enabled Google to track the demographics of the user. While Mattel was careful with most of their sites, this oversight allowing for third-party tracking was still sufficient for the FTC to levy a fine. See, http://bit.ly/2Htms3L. Situations such as Mattel are easily repeatable across any IoT device or website that could have third party data tracking, if the manufacturer of the device either markets to children, or knows children are using their devices.

The IoT complicates companies' duties and requirements under COPPA by putting devices in the hands of children everywhere. For example, in the VTech case, VTech's software was designed to work across various devices, some of which were portable. This highlights the threat of IoT children's devices and toys when data breaches occur. However, given the soon to be ubiquity of sophisticated IoT devices, there is a real danger that children could be entering personal information in devices that were not designed as children's toys and lack the appropriate COPPA disclosures.

For a more interesting hypothetical, let's say that an ambitious engineer decides it would be a fun feature to have a smart toaster sing “Happy Birthday” to you every year and congratulate you on your age (I'm sure we'd all love to hear our toaster remind us of our age every year). Without realizing it, that company may have just produced a non-COPPA compliant smart toaster if the device recorded a name and birth date. While it seems like a ridiculous example, it highlights the possible risks that the IoT pose to unsuspecting and well-intentioned companies.

Audio and Visual Recordings

While our Smart-Toaster (patent pending) is certainly a threat under COPPA and totally fabricated, the most realistic, novel risk under COPPA comes from the changes in the data that is protected by the Act. COPPA protects the usual “personal information” such as Social Security numbers and names, but it was extended in 2013 to have a significant IoT impact. In 2013, the FTC added any “photograph, video, or audio file that contains a child's voice or image” to its list of protected information. See, http://bit.ly/2HptMNC. The FTC clarified their position in October 2017, in the eloquently named “Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings.”

In the FTC's Policy Statement, the Commission delivers good news and bad news. On a positive note, the FTC clarified that this rule is not intended to require each and every voice recording to need parental consent to be recorded. For voice-activated devices (a key feature of IoT devices), voices can be collected so long as they are “a replacement for written words” that is used to “perform a search or fulfill a verbal instruction.” However, these recording may be kept for only a limited time, and must be deleted almost immediately after use. Furthermore, the companies who record these voices are still required to give “notice provided by the COPPA Rule, including clear notice of its collection … and deletion policy.” Finally, these guidelines do not modify COPPA in any way, so if a child is asked to give his or her name verbally or the device saves a recording online, and the company knows the speaker is under 13, there is an immediate trigger of the full COPPA rule.

A very concerning aspect of IoT devices and COPPA stems from the risk of the audio and video recordings if there is a data breach. As we saw in VTech, a company may fall victim to COPPA violations if they fail to reasonably safeguard their data. If, for instance, a company is maintaining video or audio recordings of children, even with parental consent, and there is a breach of that data, the company will likely face COPPA and private actions. It is one thing to lose names of children, but when associated pictures and voice recordings get stolen, record breaking COPPA fines and class actions may ensue.

Insurance Concerns

Whether it is VTech purposely gathering information about children or a “Happy Birthday”-singing smart toaster gone rogue, the companies that produce IoT devices may be hit by numerous claims stemming from the same cyber incident. On one hand, the FTC and state governments may bring a COPPA action on behalf of the affected individuals; on the other hand, the consumers themselves (or their parents) may have a private right of action for the theft of their data and invasions of their privacy. Additionally, the recent trend is for consumers to also push for a “quasi-COPPA” claim on the basis of state laws before they experience any harm following a breach.

Currently, companies are fending off the recent quasi-COPPA classes. VTech managed to defeat two class action certification attempts using conventional cyber defenses, first on a lack of standing without actual harm, and second, by defeating an “implied promise of security” argument. The plaintiffs of these quasi-COPPAs have taken various approaches ranging from the breach of contract/implied promises in VTech to the more recent purported class against YouTube utilizing the California constitutional right to privacy as the cause of action. Regardless of the certification of any of these classes (which to date, we do not believe any court has certified a quasi-COPPA based action), the costs associated with defending a large class action can quickly escalate.

As troubling as it is to incur the costs of litigation, IoT manufacturers may also start to feel equal heartburn over how to pay for these fines and lawsuits. Traditionally, a refrigerator or a toaster was only a risk for product defects, which are covered through a casualty policy. However, as companies continue to integrate technology into their devices, there is an opening for cyber liabilities that traditional insurance policies may not cover.

For instance, suppose a smart device with a camera is hacked, revealing access into a consumers' home and capturing family videos. In this Big Brother-esque scenario, the average casualty policy would not likely be available to cover the loss that arises due to a software vulnerability. Furthermore, as insurers continue to tighten the wording of so-called “silent cover” (coverage for cyber events in property or casualty policies) the window is closing on companies' abilities to get coverage for cyber events through non-cyber policies.

Analysis

Given all of this, what should be taken away from this discussion of COPPA and IoT?

First is that COPPA is growing as a security and privacy risk for a variety of advertising companies, e-commerce platforms, and for manufacturing companies across the board looking to develop integrated or “smart” products. Violating COPPA does not come cheap, and it can be another kick when a company is still down from a data breach. While no court has found that a data breach creates a per se violation of COPPA's “reasonable security” standard, it seems like the two actions may occur hand-in-hand when children's information is lost or stolen.

Second, whether class actions succeed in certifying or not, private class actions will occur under quasi-COPPA theories, and that can create high defense costs regardless of the outcome.

Third, even if a company doesn't market to children, a COPPA claim can be a threat within the IoT if a child inputs their personal information and a company doesn't have parental permission to collect that information.

Fourth, insurance coverage should be re-evaluated with an eye to cyber risks.

Finally, if your child's toys start asking too many personal questions, disconnect them from Wi-Fi.

*****

Jeff Higel is a Vice President – Claims Expert at Swiss Re Corporate Solutions, handling Cyber, Aviation, and Technology claims. Jeff is a New York licensed attorney. Michael Bahar, a partner at Eversheds Sutherland (US) LLP, is the co-lead of the Global Cybersecurity and Data Privacy team. He was previously Staff Director and General Counsel for the Minority Staff of the U.S. House Intelligence Committee, and prior Deputy Legal Advisor to the National Security Council. Mike Nelson co-chairs the Eversheds Sutherland (US) Class Action Team where he represents publicly traded companies and privately held corporations in complex business litigation. This article is intended to be used for general informational purposes only and is not to be relied upon or used for any particular purpose. Swiss Re shall not be held responsible in any way for, and specifically disclaims any liability arising out of or in any way connected to, reliance on or use of any of the information contained or referenced in this article. The information contained or referenced in this article is not intended to constitute and should not be considered legal, accounting or professional advice, nor shall it serve as a substitute for the recipient obtaining such advice.