Keeping with its promise to periodically revise and revisit its published guidance to the Children’s Online Privacy Protection Act (COPPA) and its associated Rule, the Federal Trade Commission (FTC or Commission) expanded its guidance on verifiable parental consent methods acceptable under the Rule by providing two revised and one new FAQ on its webpage.8
While a list of acceptable verifiable parental consent mechanisms appears in the Rule, the Commission has always stated that the list is not exhaustive and that companies can implement other methods provided that they meet statutory standards of ensuring that a parent receives notice of information collection practices and authorizes the collection, use, and disclosure of their child’s personal information. The new FAQs further clarify this point.
Updated FAQ H.5 confirmed the FTC’s previously informal policy regarding use of a credit or debit card as a verifiable consent mechanism. Specifically, while FAQ H.5 does not change the FTC’s longstanding position that entering a credit or debit card number by itself is not sufficient under the Rule, it also makes clear it is not necessary to charge the card. Instead, parents can be asked to supplement the request for credit card information, such as by asking parents to answer special questions that only the parents would know, or finding supplemental ways to contact the parent.
Updated FAQ H. 10 and new FAQ H. 16 discuss verifiable parental consent in a mobile app store environment. FAQ H. 10 makes clear that entry of a parent’s app store password is not sufficient in and of itself to meet the standard for verifiable parental consent, but the app store account plus other indicia of reliability is sufficient. It also notes that the app developer can rely on the app store’s provisioning of consent, provided the developer ensures that COPPA’s requirements are being met. New FAQ H. 16 views the same issue from the app market’s perspective. It now makes clear that platforms such as app markets do not become subject to COPPA simply by allowing child-directed apps (which may be covered) on their platform. However, the third-party app store should evaluate any potential liability under Sec. 5 of the FTC Act, as it could be a potentially deceptive practice to misrepresent the level of oversight provided over apps directed to children.
The COPPA FAQs also have started including “last revised” information at the top of the FAQs, to more easily track changes.