This post is based on the article Children’s Products and the “Internet of Things”: Data Privacy Beyond COPPA.
In this internet age, "smart" products—those that collect, transmit, or store electronic data—are everywhere, and children’s products are no exception. By some estimates, the smart toy market will reach $11.3 billion in sales by 2020. Manufacturers of smart products, including toys, baby monitors, and children’s wearable devices, are likely aware of the Children’s Online Privacy Protection Act (COPPA), which is specifically aimed at protecting the online privacy of children under the age of 13. But a number of other laws at the state and federal level could also apply depending on the type of information collected and shared.
Section 5 of the Federal Trade Commission Act (FTC Act) bars “unfair and deceptive acts” and practices in or affecting commerce. Its wording regarding prohibited conduct is far less specific than COPPA, and the FTC has issued several guidance documents related to the internet of things and mobile health apps. Since 2002, the FTC has brought over 60 cases under this law alleging that companies’ data security practices put consumers’ personal data at risk. The courts have upheld the FTC’s authority to use Section 5 to address alleged cybersecurity issues.
While the text of the FTC Act is vague, its reach is much broader than COPPA because it isn’t restricted to companies collecting information on children under 13. Since the FTC is the federal agency responsible for enforcing COPPA, an enforcement action under the FTC Act could be brought in conjunction with an action under COPPA (if applicable) or as a stand-alone action in an instance where COPPA does not apply.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets standards for protecting certain health information held in electronic form. In most instances, children’s products such as baby monitors or children’s wearable devices are considered personal use items and would not be governed by HIPAA, even if the product collects and stores health information. That is because “covered entities” that are governed by HIPAA are generally limited to health plans, health care clearinghouses, and health care providers. If the same device is obtained through a pediatrician or a hospital, however, HIPAA may apply to the information collected and shared by that device. Some manufacturers of wearable devices have decided to comply with HIPAA in order to facilitate the distribution or subsidization of their product through group health plans. In addition, some customers may feel more secure purchasing a product that complies with HIPAA standards.
Data privacy laws vary greatly among the states, creating a legal patchwork for manufacturers to analyze. Some states require only “reasonable safeguards” to protect personal information that is collected or maintained by companies. However, three states now prohibit the collection of biometric information used to identify an individual—such as fingerprints, voiceprints, or retina scans—without prior consent. Smart toys that have fingerprint locking capability or voice recognition capability would likely be subject to these biometric laws.
The Bottom Line
Because there are serious concerns when it comes to data privacy for children, each of these laws will likely be strictly enforced. The onus is on manufacturers and distributors of smart children’s products to familiarize themselves with each of these requirements.