FTC creates comprehensive six-step compliance plan

Changing Topography

The Children’s Online Privacy Protection Act (COPPA), enacted in 1998, created guidelines limiting the collection of personal information from children online. But 1998 was eons ago in Internet time; the online landscape has evolved and matured in ways that the authors of COPPA could never have anticipated. Because more users than ever, including children, provide information online in new and unanticipated ways, the FTC updated COPPA in July 2013.

To help businesses comply with COPPA in this ever-changing technological landscape, the Commission recently unveiled a new step-by-step plan to help businesses determine whether they are subject to COPPA and, if so, how to comply. The new guidance makes clear that the “website and online services” covered by COPPA are broadly defined to include mobile apps that send or receive information online, Internet-enabled location-based services, voice over Internet protocol devices, and connected toys or other Internet of Things devices.


The new guidance also introduces into the COPPA fold two relatively new methods for obtaining parental consent. Knowledge-Based Authentication (KBA) is a method that generates multiple-choice questions that significantly lower the chances that a child less than 12 years of age would be able to guess the answers and bypass parental consent. The second method, Face Match to Verified Photo Identification (FMVPI), compares a verified snapshot of the parent’s photo ID with a photo taken by the would-be user of their own face. A mismatch denies access to the user. Both KBA and FMVPI are now accepted by the FTC as COPPA-compliant consent technologies.

The Takeaway

The FTC’s new six-step compliance plan provides valuable advice to the business community regarding whether COPPA applies, and how to ensure compliance. Any business can use the plan to determine whether their company is subject to COPPA, to create a compliant privacy policy and to secure parental consent before gathering a child’s personal data. Exceptions to the guidelines are also covered. Businesses that collect personal information online should take advantage of this valuable resource.