Advances in technology have created all kinds of internet-connected toys for children that hold the promise of machine learning, interaction, and access to personal data for both kids and parents. But with these devices also comes the risk of exposing children’s voices, images, and data to anyone.

At the recent ABA Antitrust Spring meeting, Phyllis Marcus of Hunton & Williams moderated a panel, “Kids Connected: IoT and Children’s Privacy,” featuring Maneesha Mithal, associate director of the Privacy and Identity Protection division of the Federal Trade Commission, Brian Huseman, vice president of public policy at Amazon, and Dona Fraser, director of the Children’s Advertising Unit (CARU).

The panel agreed that most devices considered under the umbrella of the internet of things (IoT) fit squarely into the definition of “online services” directed to children covered by the Children’s Online Privacy Protection Act (COPPA), even though some of these devices may not have been designed for direct use by or targeted to children. The panel only tangentially discussed specific technologies such as tracking devices, baby monitors, and devices designed for others which tend to collect information from children – think digital assistants or smart refrigerators.

Although Marcus conceded that COPPA is a “slim” statute with a finite set of regulations promulgated to enforce it, she noted that COPPA’s broad definition of “online services” has allowed for continual application to emerging technology without constant need for amendment, and that has allowed for growth in the technology space. Marcus postulated that should a “smart diaper” one day come out that might monitor more biometric data than parents might ever want, COPPA would still apply without amendment.

COPPA’s safe harbor provision is a unique statutory feature: it lets self-regulatory organizations add additional oversight of children’s privacy, and it also benefits participating companies in many ways. Safe harbors can confirm for consumers, parents, and the overall market that a company has created transparent privacy policies and disclosures to protect children’s privacy. Additionally, safe harbors like CARU intercede with the FTC on companies’ behalf, either by contacting the regulators first to discuss specific situations anonymously, or when regulators reach out to them first with questions about a company’s compliance.

As Fraser noted, “We are shielding companies from potential fines and liability,” through conversations with the FTC, including asking them to consider modification of guidelines. Furthermore, safe harbors can vet a list of third parties working with a company’s technology, to ensure their compliance and prevent first-party liability. Safe harbors also strategically help companies think through what their end goals are and how to achieve the robust customer engagement they want while mitigating risk. Fraser suggested companies can save time and money when building new products by first looking at what they want to achieve and carefully considering their data collection and retention policies against the intended use of the product.

The panelists agreed that regulations must strike a careful balance, providing enough guidance to allow new technology to flourish without inhibiting innovation. This sentiment echoed some of the comments regulators shared recently at IAPP’s Global Privacy Summit in this same location just before this event. Huseman noted that companies and self-regulatory organizations should be creative in how they provide notice and obtain consent while looking to new, innovative ways to do that, and added that “A practical solution could encourage innovation in the marketplace while still promoting protection of child privacy.”

Naturally, the panel considered the effects of the EU’s looming General Data Protection Rules (GDPR) and how it might impact COPPA. As the IAPP panel noted, while GDPR was drafted to level the compliance “playing field” across Europe, country implementations may once again create a patchwork of laws regarding the impact of data privacy and children, parental consent and the movement of data.

“If I am a 13-year-old who can create a Facebook account in the UK, because the age of privacy consent is 13, but I travel to France where the age is 16, can I log into it there?” questioned Fraser. Marcus agreed, noting that verifiable parental consent will pose a much broader challenge under GDPR, and suggested watching closely how companies in both the US and EU comply with GDPR and COPPA regulations.

This post was written by Sameena Kluck, strategic account executive with Thomson Reuters.