The Federal Trade Commission has denied an application from AssertID seeking the agency's approval of a proposed method of verifiable parental consent pursuant to the Children's Online Privacy Protection Act.
AssertID proposed a "social-graph verification" method that would essentially rely upon social networking. Specifically, a company would ask a parent's "friends" on a social network like Facebook to verify the person's identity and the existence of the parent-child relationship.
The agency's COPPA Rule mandates that parental consent must be obtained before a covered entity can collect personal information from children under the age of 13. While the Rule permits different methods of obtaining parental consent, the FTC also has the power to grant approval of new methods that it deems compliant.
Unfortunately for AssertID, the commissioners unanimously determined that the proposal did not meet the criteria for approval. The company failed to provide sufficient evidence that its social-graph method is "reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent" as required by the Rule.
"Without relevant research or marketplace evidence demonstrating the efficacy of social-graph verification and that such a method is reasonably calculated to ensure the person providing consent is the child's parent, the Commission believes approval of such a [verifiable parental consent] method under the Rule would be premature," Commission Secretary Donald S. Clark wrote in a letter to AssertID.
AssertID pointed to research demonstrating that social networks are built on trust among members, but the articles were insufficient, the FTC said. "Moreover, while AssertID's method is premised on verification by a minimum number of verifiers and requires that a minimum 'trust score' be met, the cited studies do not establish that a particular 'trust score' or a particular number of verifiers is adequate to verify an individual's identity."
Limited beta testing conducted by AssertID did not demonstrate that the verification method would work in an open marketplace, Clark wrote. Additional market research might also help assuage concerns that users can easily fabricate Facebook profiles. Commenters on AssertID's proposal cautioned that children under age 13 can falsify their age information to establish a social media account and that Facebook itself estimates 8.7 percent of its users have fake profiles.
"In short, identity verification via social-graph is an emerging technology and further research, development, and implementation is necessary to demonstrate that it is sufficiently reliable to verify that individuals are parents authorized to consent to the collection of children's personal information," the commissioners concluded.
To read the FTC's letter to AssertID, click here.
Why it matters: Entities are still struggling with the updated COPPA Rules, which took effect July 1. While AssertID attempted to establish a new method of verifiable parental compliance, some companies have tried to adjust their policies accordingly; others have changed course completely, trying to avoid coverage of the statute because of compliance concerns.