Yesterday, the FTC published a Federal Register notice requesting public comment on the first new method for obtaining verifiable parental consent submitted for FTC approval by AssertID, Inc under the Voluntary Commission Approval Process provision of the COPPA Rule. The FTC is particularly interested in receiving comments on the questions of whether the AssertID, Inc. method (“AssertID VPC Method”): (1) is already covered by existing methods in Section 312.(b)(1) of the COPPA Rule, (2) meets the requirements for parental consent in 16 CFR § 312.5(b)(1), and (3) poses a risk to consumers’ personal information, and if so, whether the benefit to consumers and businesses of using this method outweigh those risks. As noted by the FTC, the mere publication of the Federal Register notice does not indicate approval of the AssertID VPC Method and the FTC has 120 days to review and approve or reject the method.
As way of background, the Voluntary Commission Approval Process provision of the COPPA Rule permits interested parties to submit written applications to the FTC requesting approval of verifiable parental consent methods that are not currently enumerated in the COPPA Rule. The COPPA Rule enumerates the following methods for obtaining verifiable parental consent: (1) sending a consent form to the parent that must be signed by the parent and returned via U.S. mail, fax, or electronic scan; (2) requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each transaction to the primary account holder; (3) requiring the parent to connect to trained personnel via telephone or video-conference; or (4) verifying a parent’s identity by checking a form of government-issued identification against databases of such information. Further, if a child’s information is used solely for internal purposes and not made publicly available or provided to third-parties, parental consent may also be obtained by using the “e-mail plus” method which consists of sending an email message to the parent, requesting that the parent indicate consent in a return message, and taking certain additional steps prescribed by the COPPA Rule to confirm the consent. The FTC made it clear in the COPPA FAQ updated last month that this is a non-exhaustive list and that the use of other methods is permitted as long as the selected method is reasonably calculated in light of the available technology to ensure that the person providing the consent is the child’s parent. To see our previous blog posts on the COPPA Rule here.
The AssertID VPC Method consists of the following six processes which are intended to collectively ensure compliance with the COPPA Rule:
- A process for parental notification of a consent request;
- A process for presenting the consent-request to parents;
- A process for recording and reporting a parent’s response to a consent request;
- A process for recording and reporting a parent’s request to revoke consent(s) and to request the deletion of their child’s personal information;
- A process for verification of the parent-child relationship; and
- A process to ensure that only the parent of the child for whom consent is being requested accesses and responds to consent requests.
The AssertID VPC Method is incorporated into a web service called ConsentID, designed to be used by COPPA-covered entities. Once an entity completes the ConsentID self-registration process, the entity can initiate the verifiable parental consent process via an API. Consent requests are then sent to parents through a password-protected parent portal where parents can access and respond to consent requests from multiple entities, review consents previously granted, revoke consents and requests that his/her child’s information be deleted. Parents are directed to the parent portal via email or other optional notification methods. To verify that the individual providing the consent is in fact the parent of the child for whom consent is being requested, ConsentID creates a unique digital credential for each parent-child pair which is then assigned a trust score that can be increased as the parent-child relationship is verified by friends and family. A minimum trust score is required before a parent is permitted to grant or revoke consent for his/her child.
To learn more about the AssertID VPC Method, you can read AssertID’s 85 page application filed with the FTC on June 28th.. Comments on the AssertID VPC Method may be filed with the FTC online or on paper until September 20, 2013.