Former Prima Games General Counsel Says Internet-Connected Toys May See More Regulatory Update
"My advice would be to collect what you need, and if you determine that the device is targeted at children, you need to provide notice to get their consent to the data collection," says Scott Pink, special counsel at O'Melveny & Myers.
February 15, 2019 at 04:01 PM
5 minute read
The original version of this story was published on Corporate Counsel
As household items become increasingly connected to the internet, children's toys are no exception. Scott Pink, special counsel at O'Melveny & Myers in the Silicon Valley office, was formerly the general counsel of Prima Games and sees the data and privacy concerns elevating among families with more toys being hooked to the internet.
Pink spoke to The Recorder affiliate Corporate Counsel about internet-connected toys, the information these toys collect and the laws that govern the space. This conversation has been edited for length and clarity.
Corporate Counsel: What are some of the regulations companies who manufacture and sell internet-connected toys need to be aware of?
Pink: The primary regulation is a federal law called the Children's Online Privacy Protection Act, which regulates the collection of personal data from a child under 13 years old. That would be the primary federal law that governs children's privacy. In addition to that, there are sort of general privacy laws that would apply to the collection of data in general such as California's Online Privacy Protection Act; there is the new privacy law that is coming into effect in 2020. There are elements of those kinds of state laws that could also apply if you're collecting data from someone between 13 and 19.
CC: What kind of data is being collected from these internet-connected toys?
Pink: The definition of personal data was expanded in 2013 to the COPPA rule by the [Federal Trade Commission]. It's pretty broad. There are some obvious things like first and last name or contact information. It could also include things like if it's an app or a toy that might require you to enter a username or a screen name. It includes specific identifiers. There are also things like photographs and video or audio files that contain a child's image or voice. The toys sometimes collect geolocation information.
CC: Would the best advice for these manufacturers be to not retain that information? Or is there a way to retain this information and still be in compliance with these data privacy laws that govern children's personal information?
Pink: There a couple of considerations. First of all you need to determine what type of information you need to make the device. If there is information you need to make the device usable, that's information you need to collect and perhaps retain for as long as the person uses the device. Typically my advice would be to collect what you need, and if you determine that the device is targeted at children, you need to provide notice to get their consent to the data collection. I wouldn't say not to collect any data. I would say that if you do have to collect data and if you do want to collect data for something like marketing, then you need to make sure you follow the COPPA rules, which are to provide notice and get parental consent.
CC: Are companies, in your opinion, paying attention to the COPPA rules and making sure notices are going out with the internet-connected toys?
Pink: I think the more sophisticated and mature toy companies are very well aware of COPPA. In particular because there are a number of consumer watchdogs that are very focused on children's privacy. I think the more responsible companies understand the requirements of COPPA and try to make sure that they're getting consent. But there are companies that have not done that, and it could be inadvertent or intentional, but in either case you can end up on the wrong side of a regulatory action by the FTC. I think the responsibe companies are aware of this and try to make sure that they're following the rules.
CC: Does COPPA include any specifications over how a company should be handling its cybersecurity?
Pink: COPPA does not have any security standard. I think California has a law that's coming into effect in 2020, which requires any kind of “internet of things” device has to have reasonable security. That law would theoretically apply to these kinds of toys. I would say the general principal that has evolved based on regulatory action from the FTC and the evolution of the California law is that your security is supposed to be designed in a way to protect information in accordance to sensitivity. For example, children's information might be deserving of greater protection than perhaps email addresses in general of adults. This kind of information would warrant a more rigorous type of security just because of the risks to the individual.
California is sort of leading the trend toward more robust data security requirements, so I would suggest that anybody operating in the field of the internet of things or internet-connected toys keep an eye on what's going on in California and whether other states might follow their lead.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllHow the Deal Got Done: Sidley Austin and NWSL Angel City Football Club/Iger
How Uncertainty in College Athletics Compensation Could Drive Lawsuits in 2025
How I Made Practice Group Chair: 'Think About Why You Want the Role, Because It Is Not an Easy Job,' Says Aaron Rubin of Morrison Foerster
Outgoing USPTO Director Kathi Vidal: ‘We All Want the Country to Be in a Better Place’
19 minute readTrending Stories
- 1Recent Decisions Regarding the Telephone Consumer Protection Act
- 2The Tech Built by Law Firms in 2024
- 3Distressed M&A: Mass Torts, Bankruptcy and Furthering the Search for Consensus: Another Purdue Decision
- 4For Safer Traffic Stops, Replace Paper Documents With ‘Contactless’ Tech
- 5As Second Trump Administration Approaches, Businesses Brace for Sweeping Changes to Immigration Policy
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250