MARK R. WARNER, commas Waited States Senate | RULES AND ADMINISTRATION July 6, 2016 ‘The Honorable Edith Ramirez Chairwoman Federal Trade Commission 600 Pennsylvania Avenue, NW Washington, D.C. 20530 Dear Chairwoman Ramirez, Tam writing to express my concern regarding the increased collection and storage of children’s personal information by mobile apps and Internet-connected toys. Iam grateful for the work the Federal Trade Commission (hereafter “FTC” or “Commission”) has already done on this issue, and I look forward to working with the Commission to determine what additional steps can be taken to ensure the safety and security of our children’s personal information, With the inereasing prevalence of connectivity and data processing abilities in children’s toys and other household products, consumers must now evaluate and weigh new —and complex ~ risks to their children’s safety and privacy. As you know, the Children’s Online Privacy Protection Act of 1998, or COPPA, was enacted by Congress to protect the privacy and safety of children online by prohibiting the unauthorized collection, storage, and use of children’s personal information. The COPPA Rule, promulgated by the Commission in November 1999, required that parents give consent before an operator of a child-directed commercial website or online service can collect children’s personal information. In its most recent update, the FTC made clear that personal information includes a “persistent identifier that can be used to recognize a user over time and across different Web sites or online services.” While Congress may have had an inkling of the future growth of web-services in 1998, it certainly did not envision the array of conventional household products that now possess data- gathering and processing capabilities. The ever-declining cost of digital storage and internet connectivity have made it possible to connect an unimaginable range of products and services to the Internet, These trends unleash enormous innovation, productivity gains, and consumer benefits. They also, however, increase the scope and duration of data collection, potentially straining the ability of parents to both understand and supervise connected activities. As the Internet of Things expands to include millions of additional devices each day, more and more Internet-connected devices are making their way into children’s hands. This steady increase makes our efforts to protect children’s data even more imperative. Over the past few years, security researchers have uncovered some startling vulnerabilities in a wide variety of connected toys. For instance, researchers have been able to gain control of dollsthat respond to children’s questions and alter the doll’s responses. Security analysts have also shown that conversations recorded by toys and uploaded to the cloud are easily accessible to hackers, Meanwhile, the data breach at Hong Kong-based toymaker VTech exposed the personal information of 6.4 million children, including details like their names, genders, and birthdays, and demonstrated that even children are at risk of data theft. Finally, these connected devices present a risk to parents” data and security as well, as hackers may begin to see connected toys as the weak-link in a family’s home network. FIC Commissioners are already leading the way, studying these issues carefully and participating in Internet of Things events across the country. On December 17, 2015, the Commission announced settlements with LAI Systems, LLC and Retro Dreamer, two app developers who, according to the FTC’s complaint, allowed third party advertisers to collect personal information from children through their apps. These enforcement actions followed the Commission's efforts to revise its COPPA rule to better reflect “the way children use and access the internet, including the increased use of mobile devices and social networking.”" I am grateful for the Commission’s attention to these matters, as the mobile revolution, driven by smartphone adoption and mobile broadband, has profoundly changed internet use and access. At the same time, I am eager to understand how the Commission interprets COPPA in light of these new consumer and technological trends. Turge the FTC to work with members of Congress to identify ways that we can better protect our children as technology changes the way they access and use the Internet. Additionally, | ask that ‘you provide responses to the following questions about current policies and enforcement of the COPPA Rule. Please respond within four weeks of receipt. sufficient regulatory authority to protect 1. Does current law provide the Commission children in the age of the Internet of Things? 2. In the Commission’s January 2015 report on the Internet of Things, Commission staff stated that they thought IoT-specific legislation would be premature. Have any recent developments prompted the Commission to revisit that opinion? 3. How is the Commission ensuring that parents are able to approve or deny the collection of their children’s personal information from Internet-connected toys like dolls and toy cars? 4, How does the Commission determine whether a device, website, or app is directed to children? 5. Are current mechanisms for parental consent sufficiently granular and clear? Do connected products lacking electronic visual displays undermine the process by which companies provide effective notice ~ and parents give meaningful consent — to online collection? Additionally, are current mechanisms for parental notification that a toy is, connected sufficient, especially as relates to online purchasing? Do parents have effective means by which to revoke consent? Do adequate market incentives exist that will encourage the adoption of better privacy and security measures as the Internet of Things expands? " press Release, Federal Trade Commission, Revised Children's Online Privacy Protection Rule Goes Into Effect ‘Today (July 1, 2013),8. Do these market incentives apply with equal force to Intemet of Things devices below a certain price point, or with shorter anticipated lifecycles? I thank you for your continuing cooperation in protecting the privacy and safety of children actoss the United States, T hope that we can work together to ensure proper oversight of this, issue. Sincerely, Mok. © Mnez MARK R. WARNER United States Senator