The FTC’s recently revised guidance document for compliance with the Children’s Online Privacy Protection Act (COPPA) now includes references to the Internet of Things and connected toys.

Notably, websites or services appealing to children must now comply with COPPA if third parties are involved in the collection of personal information, for example via ad networks or plug-ins. This is of great relevance to the IoT sphere, where manufacturers habitually rely on third-party software and components to increase functionality, with the flows of data quickly becoming murky.

The FTC has also updated the guidance with newly-approved means of obtaining verifiable parental consent for the collection of children’s personal information. As well as more traditional methods, facial recognition is now accepted for cross-checking photos on ID cards, while knowledge-based authentication is also valid.

Notably, the COPPA guidance includes “Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids,” which states:

“Even if parents have agreed that you may collect information from their kids, parents have ongoing rights — and you have continuing obligations.

If a parent asks, you must:

  • give them a way to review the personal information collected from their child;
  • give them a way to revoke their consent and refuse the further use or collection of personal information from their child; and
  • delete their child’s personal information.”

COPPA is the only law in the US that mandates a right to delete. The forthcoming European General Data Protection Directive (GDPR) requires a Right to Erasure, which is a more reasonable heading for what has otherwise been known as the ‘right to be forgotten,’ a far more polarizing description. The case for deletion rights is fairly clear with regard to children: parents should ultimately be able to exercise all informational control over data that comes from their child, ergo anyone holding such data must give the ability to delete it. Moving up one level of analysis, children expose things about themselves that may be quite sensitive or vulnerable in a way that the ‘filters’ of adulthood might otherwise restrain. This, too, is a good reason for deletion rights for children.

However, these same ideas are as easily applied to adults as they are to minors. The information control paradigm that dominates how privacy and data protection law manifest has notably lacked this one aspect of control: the right to destroy. And yet, as with children, adults can expose aspects of their lives that they would sooner retract in more sober moments. Or perhaps someone signed up for a service and no longer wants it to hold or use their data after they’ve deactivated their account (think dating sites). Or, as Meg Leta Jones discusses, the value, context and nature of information are affected by the passage of time – should we not have policy that reflects our wishes to control and delete information?

As with many elements of the GDPR, it remains to be seen how the right to erasure will manifest in practice, but it’s clearly a step in the right direction, especially as one considers the intimacies that the Internet of Things may be privy to. As devices move closer and closer to our bodies and into our homes, enhancements of our ability to control personal data become ever more important. Architecting systems to be able to forget, to delete, is an essential way to improve individual control over the data gathered about us. Europe is taking the lead in this by requiring an ability to delete (admittedly, under certain constrained conditions). If America affords this right to parents for their children, why not for everyone?