Don’t Let Those Pesky Data Protection Laws Ruin Your Billion Dollar Idea

By Gary Gonzalez

The Internet of Things (IoT) is transforming the everyday physical objects that surround us into an ecosystem of information that will enrich our lives. From refrigerators to parking spaces to houses, the IoT is bringing more and more things into the digital fold every day, which will likely make the IoT a multi-trillion dollar industry in the near future.[1]


The Internet of Things (“IoT”) generally refers to connected devices beyond the usual ones, e.g., computers and smartphones.[2] Nowhere is this concept more prevalent than at the Consumer Electronics Show (“CES”) in Las Vegas, NV. CES 2017 was held at the beginning of January, and it is estimated that more than 175,000 people attended to see the 3,800 exhibits.[3] Products demonstrated at CES ranged from 5G cellular service,[4] to smart cars, to smart hairbrushes, to drones and gaming systems.[5]

According to Engadget, one of the “Best Digital Health and Fitness Products” at CES was the Fisher-Price Smart Cycle.[6] The Smart Cycle is a way for children to take an at-home spin class while participating in “games” via the front-mounted tablet stand.[7] The way I look at it, it’s the children’s version of Peloton’s at-home spin cycle,[8] but instead of live streaming a workout with high energy music, you get to learn about science and social studies from SpongeBob SquarePants. The Smart Cycle is targeted at children ages three to six, is Bluetooth compatible, and if your child needs a bigger screen, you can connect it to your big-screen TV and surround sound system through an Apple TV.

No one will dispute that the Smart Cycle has great potential. Keeping children active in an ever-stagnant society is important. And, if they can get their daily fix of electronics at the same time, it sounds like a win-win. However, manufacturers must be aware of what type of data their devices will collect and what data privacy laws are applicable. If they fail to comply with these laws, they could face liability domestically and internationally.

U.S. Law

In the United States, depending on what type of data the Smart Cycle collects, it may be subject to the Children’s Online Privacy Protection Act (“COPPA”). COPPA regulates how personal information may be collected from children under the age of thirteen.[9] Under COPPA, a website that attempts to collect personal information from a child under thirteen must state exactly what data will be collected, how that data will be used, and any disclosures of that personal information to third parties.[10] This is not enough, however. Before collection can begin, the website must obtain verifiable consent from the child’s parent.[11]

But the website’s obligations do not end there. The website must also ensure that it never collects more data than is reasonably necessary for the child to participate, and provide measures for parents to review what data has been collected about their children.[12] Failure to comply with COPPA is considered “an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act.”[13] This violation can result in a fine of up to $40,000. Therefore, if your product targets children, such as the Smart Cycle, and collects their personal data, you need to ensure you follow the COPPA guidelines to avoid hefty fines by the government.

European Union Law

Under European law, the General Data Protection Regulation (“GDPR”), which replaced the EU Data Directive, provides the framework for data privacy.[14] Under the GDPR, children are considered “vulnerable individuals” who deserve “special protection.”[15] When online services are offered to a child, consent must be given by their parent, or someone with parental responsibility, before data collection and processing can begin.[16] Additionally, and beneficial for the child, there is a requirement that any request to collect and process children’s data must be communicated in clear and plain language that children can understand.[17]

The difficulty arises when determining at what age the child becomes an adult. The GDPR does not define the term “child.”[18] According to the UK firm Bird & Bird, parental consent is required for children’s online activities when they are sixteen or younger.[19] Unfortunately for companies, this age can be changed by EU member-states, so long as it does not drop below the age of 13.[20] Failure to comply with the GDPR can result in fines of 10M euros, or 2% of annual turnover, whichever is greater.[21]

When a company seeks to collect and process personal data of children in the EU, it should learn at what age a person is considered a “child” in each EU member-state. This will determine how the company should tailor its consumer disclosures regarding the data collection. Or, the company can assume the age is sixteen, which will allow for one privacy policy to fit all EU member-states. Finally, it is important to remember that this section only applies to the collection of personal data of children in the EU and assumes the data stays within the EU. If the company transfers its data outside the EU, the GDPR provides additional requirements that must also be met.


As the IoT continues to grow, more and more products will be targeted towards children. Furthermore, as obesity continues to be a problem, particularly amongst US children, the products may focus on health-related issues. We can all agree this is a great way to get children interested in their personal health. However, it is important for manufacturers to ensure they understand the various regulations, both domestic and international, that will affect how they collect and process personal data. While neither the US nor the EU bans the collection of children’s personal data, what is required, and at what age those requirements end, differ. Failure to comply with the US regulations can result in a fine of $40,000. But failure to comply with the GDPR could have disastrous results for a small company, with a potential fine of 10M euros.


* * * * *


[1] Sensing the Future of the Internet of Things, PricewaterhouseCoopers (last visited Jan. 21, 2017).

[2] Andrew Meola, What is the Internet of Things (IoT)?, Business Insider (Dec. 19, 2016, 2:11 PM).

[3] CES 2017 Catapults a Connected World, Consumer Technology Association (Jan. 8, 2017).

[4] Id.

[5] Nicole Lee, Introducing the Best of CES 2017 Finalists!, Engadget (Jan. 6, 2017).

[6] Id.

[7] Jessica Conditt, Fisher-Price Takes Your Kid to Spin Class, Engadget (Jan. 4, 2017).

[8] Indoor Cycling: Reimagined for the Home, Peloton (last visited Jan. 21, 2017).

[9] 16 C.F.R. § 312.1-2 (Lexis Advance through the January 18, 2017 issue of the Federal Register with the exception of 82 FR 5292, January 17, 2017, 82 FR 5790 and 82 FR 5844, January 18, 2017)

[10] Id. at §312.3.

[11] Id.

[12] Id.

[13] Id. at §312.9.

[14] See Bird & Bird & Guide to the General Data Protection Regulation, Bird & Bird, (last visited Jan. 22, 2017).

[15] Id. at 15.

[16] Id.

[17] Id. at 16.

[18] Id.

[19] Id.

[20] Id.

[21] Id. at 35.