UNITED STATES OF AMERICA

Federal Trade Commission

WASHINGTON, D.C. 20580

Acting Chairman Maureen K. Ohlhausen

Office of the Chairman

June 22, 2017

The Honorable Mark R. Warner

United States Senate
Washington D.C. 20510

Dear Senator Warner:

Thank you for your May 22, 2017 letter expressing your concerns regarding childrens
privacy as it relates to Internet-connected products. I fully share your concern about the need to
protect sensitive personal information collected from children, and appreciate the opportunity to
discuss our work in this area. In particular, I agree with you that, when companies
surreptitiously collect and share childrens information, the risk of harm is very real, and not
merely speculative.
The Federal Trade Commission (FTC or Commission) is committed to vigorously
enforcing the Childrens Online Privacy Protection Act (COPPA) through its COPPA Rule.1
The COPPA Rule applies not only to websites, but also to other online services, including
connected toys and associated mobile apps. Indeed, given the growing popularity of connected
toys, the Commission recently updated its COPPA business guidance The Childrens Online
Privacy Protection Rule: A Six-Step Compliance Plan for Your Business to explicitly state that
COPPA covers connected toys.2 Additionally, Commission staff engages in extensive outreach
on COPPA compliance and has engaged with industry and other stakeholders on the applicability
of COPPA to connected toys as well as other Internet of Things (IoT) devices. Below are
responses to your specific questions.

1. While the Childrens Online Privacy Protection Act (COPPA) has requirements
regarding the security of childrens data, hacks of companies like CloudPets and
VTech have shown that childrens data is still vulnerable. Do COPPAs data
security including retention and data minimization standards need to be
updated? Are companies ignoring COPPA requirements, or are COPPA
requirements not keeping pace with developments in data security and cyber
security best practices?

1
Childrens Online Privacy Protection Act of 1998, 15 U.S.C. 6501-6506; Childrens Online Privacy Protection
Act Rule, 16 C.F.R. Part 312.
2
FEDERAL TRADE COMMISSION, THE CHILDRENS ONLINE PRIVACY PROTECTION RULE: A SIX-STEP COMPLIANCE
PLAN FOR YOUR BUSINESS, https://www.ftc.gov/system/files/documents/plain-language/BUS84-coppa-6-steps.pdf
(last visited June 20, 2017) (In addition to standard websites, examples of others covered by the Rule include: . . .
connected toys or other Internet of Things devices.).
The Honorable Mark R. Warner Page 2

The FTC has long recognized the need for companies to have strong data security
practices in place to protect childrens personal information. Indeed, since 2000, the FTC has
brought over 20 COPPA cases and collected millions of dollars in civil penalties.3 In order to
ensure that its COPPA Rule was keeping pace with changing technology and new threats, in
2013 the Commission updated and strengthened the Rules security requirements. In addition to
requiring operators to establish their own data security procedures, the Rule now requires
operators to take reasonable steps to release childrens personal information only to service
providers and third parties who are capable of maintaining the confidentiality, security, and
integrity of such information.4 As an additional protection, the Rule also now imposes data
retention and deletion requirements on covered operators.5 These new requirements are intended
to protect against unauthorized access of childrens information.
I believe these changes to the COPPA Rule adequately protect the security of childrens
personal information, and, where companies ignore these data security requirements, the
Commission is committed to using its existing enforcement tools. The Commission has entered
into approximately 60 data security settlements related to companies failure to protect
consumers personal information.6 The FTC will continue to monitor this area to determine
whether any Rule changes become necessary.

2. Does the FTC need additional authority from Congress to regulate the remote
storage of data by operators or by third parties who store and handle childrens
personal information?

One benefit of COPPA is that it allows the Commission to conduct rulemaking under the
Administrative Procedures Act to promulgate and update rules.7 This allows us to keep pace
with technological developments, as we did in our COPPA rule update in 2013.8 At that time,
the FTC took several steps to address third parties collection and handling of personal
information on child-directed sites and online services. First, as discussed above, the
Commission amended the Rule to require operators take reasonable steps to release childrens
personal information only to service providers and third parties who are capable of maintaining
the confidentiality, security, and integrity of the information, and who provide assurances that
they will maintain the information in such a manner.9 Second, the Rule now states that entities
that have actual knowledge they are collecting personal information from another website or

3
FEDERAL TRADE COMMISSION, Privacy & Data Security Update (2016), https://www.ftc.gov/reports/privacy-data-
security-update-2016#children (last visited June 19, 2017).
4
16 C.F.R. 312.8.
5
16 C.F.R. 312.10.
6
See FEDERAL TRADE COMMISSION, List of FTC Data Security Cases, https://www.ftc.gov/datasecurity (last visited
May 31, 2017); see also Commission Statement Marking the FTCs 50th Data Security Settlement,
https://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf (January 31, 2014).
7
15 U.S.C. 6502(b).
8
78 Fed. Reg. 3972 (January 17, 2013).
9
16 C.F.R. 312.8.
The Honorable Mark R. Warner Page 3

online service directed to children will be subject to the COPPA Rule.10 Third, the Commission
can hold operators of child directed sites or services liable for personal information collected on
their site or service by third parties.11
The FTC is committed to enforcing these new provisions. For example, the FTC brought
cases against two app developers, Retro Dreamer and LAI Systems, for allegedly allowing third
parties to collect personal information from the users of their child-directed apps without first
obtaining verifiable parental consent.12 The companies settled with the FTC. More recently, the
FTC brought a case against InMobi, a mobile advertising network that the FTC alleged had
actual knowledge it was collecting personal information from users of child-directed apps
without first getting parental consent.13 InMobi settled these allegations.

3. In the case of a civil enforcement action related to a violation of either Section 5

or COPPA, does the FTCs injunctive authority extend to requiring defendants
to recall insecure products designed for, marketed, and sold to U.S.-based
consumers? Under what circumstances might the FTC require a buy back for
insecure products, as it did in a recent Section 5 case involving an automakers
deceptive marketing?

Section 13(b) of the FTC Act, 15 U.S.C. 53(b), provides that the Commission may seek
preliminary and/or permanent injunctive relief to remedy any provision of law enforced by the
FTC, including Section 5 and COPPA.14 In addition to permanently enjoining specific conduct,
the Commission may also obtain various kinds of equitable relief to compensate for past
violations. It was through this provision of law that the FTCs order against Volkswagen Group
of America, Inc. required the company to buy back certain vehicles that consumers purchased as
a result of the automakers deceptive marketing.15
Although the Commission has not yet required companies to buy back IoT devices that
we alleged were not reasonably secure, the Commission has required companies to provide other
relief to make consumers whole. For example, in the consent order against HTC, the
Commission required the company to develop and deliver patches for millions of smartphones in
order to address security vulnerabilities in the devices.16 And, in a settlement with wi-fi router

10
16 C.F.R. 312.2 (see definition of Website or online service directed to children).
11
16 C.F.R. 312.2 (see definition of operator).
12
United States v. Retro Dreamer, Case No. 5:15-CV-2529 (C.D. Ca. Dec. 17, 2015) (COPPA Consent Decree);
United States v. LAI Systems, Case No. 2:15-CV-9691 (C.D. Ca. Dec. 17, 2015) (COPPA Consent Decree).
13
United States v. InMobi Pte. Ltd., Case No. 3:16-CV-3474 (N.D. Ca. June 22, 2016) (COPPA Consent Decree).
14
The FTC enforces COPPA and the COPPA Rule through the FTC Act. COPPA provides, [T]his title shall be
enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.). See 15 U.S.C.
6505(a).
15
FTC v. Volkswagen Group of America, Inc., Case No. 3:16-CV-1534 (N.D. Ca. filed March 29, 2016).
16
In the Matter of HTC America, Inc., FTC File No. 122 3049 (June 25, 2013).
The Honorable Mark R. Warner Page 4

manufacturer ASUSTeK, the FTC required the company to notify consumers about software
updates or other steps they can take to protect themselves from security flaws.17

4. Has the FTC been in contact with CloudPets or its parent company Spiral Toys?
If not, why has the FTC not been in contact?

Commission rules prevent me from revealing whether the FTC has opened an
investigation into CloudPets or Spiral Toys. I can say, however, that the Commission is
committed to using its enforcement tools to bring actions against companies that fail to maintain
reasonable security measures to protect childrens personal information. As mentioned above,
the FTC has entered into approximately 60 data security settlements related to the failure of
companies to protect consumers personal information, as well as a number of other settlements
against companies that failed to comply with the COPPA Rule.18

5. What guidance has the FTC given to Spiral Toys or CloudPets? Has the FTC
issued guidance or considered issuing guidance to consumers who bought
products from Spiral Toys or CloudPets whose data has been compromised?

The FTC believes strongly in providing guidance to businesses and consumers. As noted
above, we have updated our guidance The Childrens Online Privacy Protection Rule: A Six-Step
Compliance Plan for Your Business19 to explicitly state that COPPA covers connected toys and
other IoT devices. Moreover, the FTC has created a myriad of guidance for businesses on data
security best practices, including Start with Security: A Guide for Business20 and Careful
Connections: Building Security in the Internet of Things.21 Throughout 2015 and 2016, the FTC
spearheaded a business education conference series around the Start with Security business
education campaign, with events all over the country.22 We regularly participate in outreach
events on data security, including recently with Governor McAuliffes Small Business and
Cybersecurity Roundtable. We also work with local partners to distribute our business education
materials, including, for example, the Virginia Governors Office.

17
In the Matter of ASUSTeK Computer, Inc. FTC File No. 142 3156 (July 28, 2016) (requiring company to notify
consumers about software updates or other steps they can take to protect themselves from security flaws).
18
See supra, fn. 5; FEDERAL TRADE COMMISSION, List of FTC Childrens Privacy Cases, https://www.ftc.gov/tips-
advice/business-center/legal-resources?type=case&field_consumer_protection_topics_tid=246 (last visited May 31,
2017).
19
FEDERAL TRADE COMMISSION, THE CHILDRENS ONLINE PRIVACY PROTECTION RULE: A SIX-STEP COMPLIANCE
PLAN FOR YOUR BUSINESS, https://www.ftc.gov/system/files/documents/plain-language/BUS84-coppa-6-steps.pdf
(last visited June 20, 2017).
20
FEDERAL TRADE COMMISSION, START WITH SECURITY: A GUIDE FOR BUSINESS,
https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf (last visited May 31,
2017).
21
FEDERAL TRADE COMMISSION, CAREFUL CONNECTIONS: BUILDING SECURITY IN THE INTERNET OF THINGS,
https://www.ftc.gov/system/files/documents/plain-language/pdf0199-carefulconnections-
buildingsecurityinternetofthings.pdf (last visited May 31, 2017).
22
The FTC held Start with Security events in Austin, Seattle, San Francisco, and Chicago.
The Honorable Mark R. Warner Page 5

On the consumer front, the FTC has issued numerous guidance pieces on online security,
kids data security, and identity theft.23 For example, we have a Child Identity Theft page
devoted to educating parents on how to prevent identity theft, and what to do if their childs
information is compromised.24 We have other consumer guidance available to help parents teach
their children about computer security.25

6. As mentioned above, privacy advocates filed a complaint with the FTC in

December 2016 regarding My Friend Cayla. Has the FTC taken any action
with respect to my Friend Cayla or other products manufactured by Genesis
Toys?

Commission rules prevent me from revealing whether the FTC has opened an
investigation into Genesis Toys. However, as discussed above, the Commission is committed to
using its enforcement tools, including Section 5 and the COPPA Rule, to bring actions against
companies that fail to maintain reasonable and appropriate security measures to protect
childrens personal information.
We will, of course, keep you apprised of any future public developments in this area. If
you have any additional questions or comments or wish to share additional information, please
feel free to contact me or have your staff call Jeanne Bumpus, the Director of our Office of
Congressional Relations, at (202) 326-2946.

Sincerely,

Maureen K. Ohlhausen
Acting Chairman

23
See FEDERAL TRADE COMMISSION, Privacy, Identity, and Online Security,
https://www.consumer.ftc.gov/topics/privacy-identity-online-security (last visited May 31, 2017).
24
FEDERAL TRADE COMMISSION, Child Identity Theft, https://www.consumer.ftc.gov/articles/0040-child-identity-
theft (last visited May 31, 2017).
25
FEDERAL TRADE COMMISSION, Kids and Computer Security, https://www.consumer.ftc.gov/articles/0017-kids-
and-computer-security (last visited May 31, 2017).