FTC’s PrivacyCon Highlights Risks and Opportunities For Children’s Privacy
This post is the second of our series reviewing the Federal Trade Commission's (FTC) seventh annual “PrivacyCon.” In yesterday’s overview, we summarized the discussions focused on consumer privacy and data security in areas such as “commercial surveillance,” Artificial Intelligence, and targeted advertising—all of which are consistent with the FTC’s current enforcement and regulatory priorities. Today, our focus is on the children’s privacy panel at PrivacyCon. Children’s privacy has been a hot topic at the FTC, including as the subject of enforcement actions and workshops, and as the focus of a potential rulemaking.
Below, we summarize the key takeaways from the children’s privacy panel, which focused mainly on child-directed apps and the interaction between children and smart home devices. The panel, as well as the FTC’s continued attention to children’s privacy, underscores the need for companies to consider children’s privacy when adapting privacy policies and compliance practices.
Children’s Privacy at PrivacyCon 2022
The children’s privacy panel featured presentations on two new research studies.
Study 1: “Child Safety in the Smart Home: Parents’ Perceptions, Needs, and Mitigation Strategies”
The first study, from a team associated with the University of Michigan, asked 23 parents about their perceptions, needs, and mitigation strategies for privacy and physical safety risks from smart devices in the home. The parents expressed concerns about both physical and online safety, telling researchers that smart devices do not have well-understood options for parents to protect their children’s privacy and safety. Parents complained about limited resources for implementing child-safe settings or parental controls, including the ability to access and control, limit, or delete data about their children from smart devices. The researchers suggested that the problems are more acute for small children and recommended that companies in the smart home device sector increase their accountability, transparency, and responsibility. The researchers further noted that parents said they were brand conscious when looking at devices and made purchasing decisions based, in part, on their awareness of past security and safety incidents. Thus, companies that have successfully integrated privacy compliance into their products may be well-positioned to market to parents.
Study 2: “Developers Say the Darnedest Things: Privacy Compliance Processes Followed by Developers of Child-Directed Apps”
The second study discussed on the panel, from a team at the University of California, Berkeley, used a combination of technical and qualitative research techniques to look at how developers for children’s apps understand and adopt privacy laws. The researchers concluded that there were deficiencies in developer compliance with the federal Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), and Europe’s General Data Protection Regulation (GDPR). In particular, the researchers noted that third-party software development “kits” were a source of confusion and non-compliance. (Software development kits are collections of software development tools that help developers build applications faster and more consistently.) For example, the researchers reported that many developers that use such kits did not know that they must be configured further for use in child-focused apps. The researchers also identified issues with how legal and privacy professionals work together with app developers. For example, the research pointed to instances where technical teams worked separately from legal and privacy teams and where developers did not get enough information about their compliance obligations.
To address these issues, the researchers recommended making privacy compliance easier for developers, including by automating compliance tools, better integrating legal and privacy professionals into the app development process, and having app stores take a more active role in ensuring compliance.
Taken together, the presentations by the children’s privacy panel at PrivacyCon 2022 highlight children’s privacy risks, especially with respect to mobile apps targeting children. These studies will likely help to inform the FTC as it continues to take enforcement action in the area of children’s privacy, and will also likely inform the FTC’s ongoing Privacy and Security Rulemaking, which asks a number of questions about children’s privacy.
Wiley’s Privacy, Cyber & Data Governance team has helped companies of all sizes from various sectors proactively address issues related to consumer privacy and data security, including through engagement with the FTC. Please reach out to any of the authors with questions.