On October 20, 2017, the Federal Trade Commission issued an Enforcement Policy Statement regarding the applicability of the Children’s Online Privacy Protection Act (COPPA) to the collection and use of children’s voice recordings, such as those collected when a child uses an internet-enabled device to perform a search via voice commands.  The Enforcement Statement clarifies that verifiable parental consent is not required for certain such recordings.

The FTC’s COPPA rule requires, among other things, operators of commercial websites or online services directed to children to provide notice of their information practices to parents and to obtain verifiable parental consent before collecting a child’s personal information. As originally promulgated, the rule defined “personal information” to include data such as name, address, and social security number.  In 2013, the FTC amended its COPPA rule to add audio files containing a child’s voice to the definition of personal information.  Thus, covered operators must provide notice and obtain verifiable parental consent before “collecting” a child’s voice recording.  (A covered operator is deemed to have “collected” personal information when it requests, prompts, or encourages a child to submit such information online.)

Since the 2013 amendment, the FTC received inquiries from a number of companies about the applicability of COPPA to an app or internet-enabled device that allows children to perform a search via voice commands or give verbal instructions to a device. Specifically, companies asked whether the practice of collecting audio files that contain a child’s voice, immediately converting the audio to text, and deleting the file containing the voice recording triggers COPPA’s requirements.  In the Enforcement Statement, the Commission clarified that it does not.

The agency explained that, although the COPPA rule does not provide a mechanism for the operator to avoid being deemed to have collected the personal information by deleting it, the Commission nonetheless “recognizes the value of using voice as a replacement for written words in performing search and other functions on internet-connected devices.”  Moreover, when the operator “only maintains the file long enough to [effectuate an instruction or request] and then immediately deletes it, there is little risk the audio file will be used to contact an individual child.” Accordingly:

when a covered operator collects an audio file containing a child’s voice solely as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request, but only maintains the file for the brief time necessary for that purpose, the FTC would not take an enforcement action against the operator on the basis that the operator collected the audio file without first obtaining verifiable parental consent.

There are four important limitations on this non-enforcement policy. First, the non-enforcement policy is not applicable when the operator requests information via voice that otherwise would be considered personal information under the COPPA rule, such as a child’s name. Second, an operator must provide clear notice of its collection and use of the audio files and its deletion policy in its privacy policy. Third, the operator may not make any other use of the audio file in the brief period before the file is destroyed — for example, for profiling purposes or for posting, selling, or otherwise sharing the file with third parties.  Finally, the enforcement policy does not affect the operator’s COPPA compliance requirements in any other respect.  Thus, the operator must continue to provide notice and obtain verifiable parental consent if types of personal information other than audio files are collected.