Former Prima Games General Counsel Says Internet-Connected Toys May See More Regulatory Update

Scott W. Pink, special counsel with O'Melveny & Myers.

As household items become increasingly connected to the internet, children's toys are no exception. Scott Pink, special counsel at O’Melveny & Myers in the Silicon Valley office, was formerly the general counsel of Prima Games and sees the data and privacy concerns elevating among families with more toys being hooked to the internet.

Pink spoke to The Recorder affiliate Corporate Counsel about internet-connected toys, the information these toys collect and the laws that govern the space. This conversation has been edited for length and clarity.

Corporate Counsel: What are some of the regulations companies who manufacture and sell internet-connected toys need to be aware of?

Pink: The primary regulation is a federal law called the Children’s Online Privacy Protection Act, which regulates the collection of personal data from a child under 13 years old. That would be the primary federal law that governs children’s privacy. In addition to that, there are sort of general privacy laws that would apply to the collection of data in general such as California’s Online Privacy Protection Act; there is the new privacy law that is coming into effect in 2020. There are elements of those kinds of state laws that could also apply if you’re collecting data from someone between 13 and 19.

CC: What kind of data is being collected from these internet-connected toys?

Pink: The definition of personal data was expanded in 2013 to the COPPA rule by the Federal Trade Commission. It’s pretty broad. There are some obvious things like first and last name or contact information. It could also include things like if it’s an app or a toy that might require you to enter a username or a screen name. It includes specific identifiers. There are also things like photographs and video or audio files that contain a child’s image or voice. The toys sometimes collect geolocation information.

CC: Would the best advice for these manufacturers be to not retain that information? Or is there a way to retain this information and still be in compliance with these data privacy laws that govern children’s personal information?

Pink: There a couple of considerations. First of all you need to determine what type of information you need to make the device. If there is information you need to make the device usable, that’s information you need to collect and perhaps retain for as long as the person uses the device. Typically my advice would be to collect what you need, and if you determine that the device is targeted at children, you need to provide notice to get their consent to the data collection. I wouldn’t say not to collect any data. I would say that if you do have to collect data and if you do want to collect data for something like marketing, then you need to make sure you follow the COPPA rules, which are to provide notice and get parental consent.

CC: Are companies, in your opinion, paying attention to the COPPA rules and making sure notices are going out with the internet-connected toys?

Pink: I think the more sophisticated and mature toy companies are very well aware of COPPA. In particular because there are a number of consumer watchdogs that are very focused on children’s privacy. I think the more responsible companies understand the requirements of COPPA and try to make sure that they’re getting consent. But there are companies that have not done that, and it could be inadvertent or intentional, but in either case you can end up on the wrong side of a regulatory action by the FTC. I think the responsibe companies are aware of this and try to make sure that they’re following the rules.

CC: Does COPPA include any specifications over how a company should be handling its cybersecurity?

Pink: COPPA does not have any security standard. I think California has a law that’s coming into effect in 2020, which requires any kind of “internet of things” device has to have reasonable security. That law would theoretically apply to these kinds of toys. I would say the general principal that has evolved based on regulatory action from the FTC and the evolution of the California law is that your security is supposed to be designed in a way to protect information in accordance to sensitivity. For example, children’s information might be deserving of greater protection than perhaps email addresses in general of adults. This kind of information would warrant a more rigorous type of security just because of the risks to the individual.

California is sort of leading the trend toward more robust data security requirements, so I would suggest that anybody operating in the field of the internet of things or internet-connected toys keep an eye on what’s going on in California and whether other states might follow their lead.