The Federal Trade Commission (FTC) has recently responded to three applications seeking approval for new methods for obtaining parental consent under the Children's Online Privacy Protection Rule.
In November, the Commission denied an application seeking approval to use "social-graph verification" to verify a parent's identity; "social-graph verification" attempts to verify the identity of a parent by relying on a parent's "friends" on a social network to verify a parent's identity. Then in December, the Commission unanimously voted to approve using "knowledge-based authentication" to obtain parental consent, which verifies the parent's identity through asking a series of "challenge questions" that only the parent is capable of answering. The third response, from late February, provides further details on the scope and operation of the approved "knowledge-based authentication" method.
The Updated COPPA Rule
The FTC's Children's Online Privacy Protection (COPPA) Rule requires that online sites and services that are directed at children under age 13 must obtain "verifiable parental consent" (VPC) before collecting personal information from a child. While the Rule enumerates several permissible methods for obtaining parental consent, the regulation also allows interested parties to submit new VPC methods to the Commission for approval.
Congress enacted the Children's Online Privacy Protection Act in 1998. The statute requires the FTC to promulgate the COPPA Rule, and the Commission initiated a review of the Rule in 2010. The Commission approved amendments in December 2012, and the updated COPPA Rule went into effect on July 1, 2013.
The updated COPPA Rule requires that an application for a new method to obtain VPC must provide a detailed description of the proposed VPC method and an analysis of how the proposed VPC method is "reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent."1 Any party may utilize VPC methods that the Commission has previously approved.2 The FTC only considers applications for new proposed VPC methods—and not an individual party's specific implementation of a previously approved method.3
FTC Rejects "Social-Graph Verification"
On November 12, 2013, in response to an application filed by AssertID, Inc. (AssertID), the FTC voted to deny "social-graph verification" (SGV) as a new method for obtaining verified parental consent.4
In its application, AssertID explained that SGV asks a parent's "friends" on a social network (e.g., Facebook) to verify the identity of a parent and the existence of the parent-child relationship.5
In rejecting the proposed method, the FTC explained, "AssertID has failed to provide sufficient evidence that its proposed VPC method is ‘reasonably calculated, in light of available technology to ensure that the person providing consent is the parent's child' as required by the Rule."6
The Commission further elaborated on its reasons for denying the application—all of which questioned the method's efficacy. The FTC argued that although AssertID "identified several articles that discuss the general topic of the influence of social networks on trust among their members, none appear to support a claim that AssertID's social-graph verification is an effective method of verification."7The Commission noted that "most of the articles predate the public availability of the social network AssertID wishes to use in its service."8
The Commission highlighted two arguments—made by parties who commented on AssertID's application,9 urging its rejection—that it found particularly persuasive. The FTC asserted that "users can easily fabricate Facebook profiles, and in fact, Facebook's own 10-Q filing with the Securities and Exchange Commission indicates it has approximately 83 million fake accounts, which represents about 8.7% of its users."10 Second, the Commission agreed that "children under 13 have falsified their age information to establish social media accounts, including very active accounts with significant age-inflation that could appear to be credible."11
The Commission concluded its denial noting that "identity verification via social-graph is an emerging technology and further research, development, and implementation is necessary to demonstrate that it is sufficiently reliable to verify that individuals are parents authorized to consent to the collection of children's personal information."12
FTC Approves "Knowledge-Based Authentication"
On December 23, 2013, the FTC unanimously voted to approve "knowledge-based authentication" (KBA) as a new method to obtain VPC, which came in response to an application filed by Imperium, LLC (Imperium) on August 13, 2013.13
KBA is a method to verify the identity of a user by asking a series of "challenge questions." In its application, Imperium said that it generates a series of "dynamic, ‘out-of-wallet,' multiple-choice questions."14 The FTC explained that the questions call for "information that cannot be determined by looking at an individual's wallet and are difficult for someone other than the individual to answer."15 If the individual answers these questions correctly, then the child is approved to use the site or service.
The FTC approved Imperium's application to use KBA after noting that many entities that handle sensitive information—including financial institutions and credit bureaus—have used KBA to authenticate users for many years.16 In its response to Imperium's application, the Commission asserted: "Evidence shows that incorporating certain techniques into the implementation of KBA—such as using multiple and dynamic questions and ensuring the answers are not reasonably knowable by someone other than the individual to be authenticated (in this case, by the child)—improves the efficacy of the method."17
Accordingly, the Commission approved the use of KBA as a VPC method as long as the method is appropriately implemented. Factors that determine whether a specific implementation of KBA is permissible include: (1) "the use of dynamic, multiple-choice questions, where there are a reasonable number of questions with an adequate number of possible answers such that the probability of correctly guessing the answers is low"; and (2) "the use of questions of sufficient difficulty that a child age 12 or under in the parent's household could not reasonably ascertain the answers."18
Then on February 25, 2014, the FTC responded to a second application that sought approval of KBA.19 iVeriFly, Inc. (iVeriFly) submitted a proposed VPC method on October 28, 2013—prior to the Commission's December 2013 response to Imperium that approved KBA as a method to obtain VPC.20
The FTC explained that iVeriFly's VPC system conducts identity verification in several ways. Initially, iVeriFly uses Social Security number verification, which is among the enumerated approved VPC methods in the COPPA Rule.21
But iVeriFly also uses "knowledge-based authentication questions," which the Commission noted was "recently approved as a new VPC method."22
The FTC determined that iVeriFly's principal methods for obtaining VPC "are either already recognized as a valid means of obtaining verifiable parental consent in the Rule or were recently approved by the Commission."23 Because iVeriFly's VPC methods were previously approved, the Commission determined that it was "unnecessary to approve [iVeriFly's] specific implementation of these methods."24