In the wake of acknowledgments from major tech companies that they have either collected or reviewed some user audio for certain purposes, privacy attorneys said some large companies could face liability for possible violations of a federal law aimed at protecting the privacy of children.

Alphabet Inc.'s Google LLC, Microsoft Corp., Amazon.com Inc. and Apple Inc. have all disclosed that humans have reviewed certain user audio clips to improve products and services. Facebook Inc. also reportedly admitted that it did so as well.

It is not clear what ages the users are who have had their audio collected. However, according to a report from Vice's Motherboard, one former contractor who worked for Microsoft said most of the voices they heard were of children.

Under the Children's Online Privacy Protection Act, or COPPA, website operators must provide notice and obtain verifiable parental consent prior to collecting, using or disclosing personal information from children under 13. They must also make a reasonable effort to ensure that a parent receives notice of an operator's practices with regard to the collection of a child's personal information.

The law applies to operators of commercial websites or online services that either target content to children under 13 and collect or use their data, or operators of more general sites and online services with "actual knowledge" that they are collecting, using or disclosing personal information from children under 13.

Both the U.S. Federal Trade Commission and state attorneys general have the ability to pursue enforcement.

Apple and Facebook have reportedly halted the practices, for the time being, while Google has reportedly halted the practice in Europe. While some user audio transcription is still ongoing at Amazon, the company says it is an "industry-standard practice" for machine learning and that it gives users the ability to opt out of human review.

The practice is also still ongoing at Microsoft, but a company spokesperson said in a statement that Microsoft takes steps to de-identify the content provided to vendors who may review the content and requires nondisclosure agreements with all vendors and their employees to protect the privacy of customers. Julie Brill, corporate vice president and deputy general counsel at Microsoft, also said in a 2018 blog post that the company relies on COPPA standards to verify parental consent for children's accounts across its product platforms.

To address children's privacy, in part, Amazon offers a service called FreeTime, which helps parents manage the way kids use content. FreeTime is available on Alexa, which is the Amazon service used to transcribe certain user audio. Amazon also has a voice assistant smart speaker called Echo Dot Kids Edition, which the company said it developed in coordination with the Family Online Safety Institute, a nonprofit that aims to make the online world safer for children.

"Amazon has a longstanding commitment to preserve the trust of our customers and their families, we have strict measures and protocols in place to protect their security and privacy, and we adhere to the Children's Online Privacy Protection Act," the company wrote in a blog earlier this year.

When asked what steps companies were taking to ensure compliance with COPPA when transcribing user audio, Apple, Facebook and Google all did not respond to a request for comment. However, in its Family Privacy Disclosure for Children, Apple says that it takes steps to verify that users granting permissions for the creation of a child's Apple ID are their parents or legal guardian to comply with COPPA.

Michelle Cohen, member and chair of the privacy and data security practice at the law firm Ifrah Law PLLC, said the privacy claims from companies alone are not enough to eliminate all possible liability.

"A company can say anything they want … but, certainly the regulatory agency, whether it's the FTC or perhaps a state AG, can certainly probe further to see what's going on on the site and how they're collecting information," she said in an interview.

Cohen also notes that the FTC is actively considering changes to the law, which could cause companies to change current practices in order to be fully compliant in the future. Cohen believes the agency may seek to enforce the law "fairly broadly" against certain sites traditionally perceived to be targeted toward general audiences rather than just children. For example, the FTC and New York state settled with Google and its YouTube LLC unit for $170 million on Sept. 4 for violating COPPA after regulators said in a complaint that YouTube must comply with COPPA, despite claiming to be a general-audience site.

"In the complaint, the FTC and New York Attorney General allege that while YouTube claimed to be a general-audience site, some of YouTube's individual channels—such as those operated by toy companies—are child-directed and therefore must comply with COPPA," the FTC said in a Sept. 4 news release.

However, the FTC did put out specific guidance on COPPA and voice recordings in 2017 that suggests the agency may be lenient in certain cases when it comes to audio recordings of children's voices.

"The FTC will not take an enforcement action against an operator for not obtaining parental consent before collecting the audio file with a child's voice when it is collected solely as a replacement of written words, such as to perform a search or to fulfill a verbal instruction or request – as long as it is held for a brief time and only for that purpose," wrote the agency in its 2017 guidance.

Stacey Brandenburg, a shareholder at the law firm ZwillGen PLLC, who advises clients on privacy and data security, says she believes enforcement of COPPA against a company like Microsoft or Amazon for transcribing user audio would be difficult because services like that strike her as being targeted to a general audience. Brandenburg also said that the FTC guidance should reduce concerns about enforcement actions against companies where audio was recorded and transcribed solely for the purpose of capturing and translating voice communication to written communication.

However, Brandenburg notes that if an otherwise general audience platform has a channel that is arguably targeted to children and collects personal information, then the FTC may try to establish it as an operator under COPPA.

For her part, Cohen said liability could still remain for companies that collect audio clips of someone under 13 and maintain it beyond a brief time or use it for a practice such as behavioral targeting, which relies on data to target advertisements.

"Just having a statement there doesn't immunize you from investigation and possible enforcement," she said.