The regulations restricting data collection from children under the federal Children’s Online Privacy Protection Act (“COPPA”) were greatly expanded in July 2013, casting a wider net and making life more difficult for publishers of both children’s sites and apps as well as those intended for a general audience. However, the Federal Trade Commission (FTC) provided in the new rule for approval of new and innovative ways to obtain parental consent to such data collection, and has recently approved one such method.
In late 2013, the FTC tentatively approved a new method proposed by Imperium, LLC for obtaining Verifiable Parental Consent (VPC) under COPPA, and that decision became final this week. The FTC has given the green light to the use of knowledge-based questions that draw from a person’s personal history as reflected in data bases (e.g., which of the following streets have you not lived on). The financial services industry has been using such methods to verify identity for years. This approval provides welcome relief for publishers that previously were required to verify a parent through a credit card transaction or other burdensome method.
COPPA prohibits websites and online services directed to children, or that have actual knowledge that a user is under 13 years old (Children), from collecting personal information (broadly defined, including IP address and device identifier absent narrow exceptions) from Children without first obtaining Verifiable Parental Consent (VPC), subject to several exceptions. Those exceptions, and the type of notice and consent required in each case, depend on what information is to be collected and how that information will be used. For more information on the details of the new COPPA Rule, click here and here.
In general, the COPPA Rules permit obtaining VPC using “any method… reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.” The rules then go on to specify five particular methods that meet this requirement:
- Providing a consent form to be signed by the parent and returned to the operator by postal mail, fax, or electronic scan;
- Requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
- Having a parent call a toll-free telephone number staffed by trained personnel;
- Having a parent connect to trained personnel via video-conference; and
- Verifying a parent's identity by checking a form of government-issued identification against databases of such information, where the parent's identification is deleted by the operator from its records promptly after such verification is complete.
The FTC revised the COPPA Rules last summer to make clear that this list is not exhaustive, and operators may petition for FTC approval of other methods. An application for approval of a new method for obtaining VPC must show how the new method is reasonably calculated to ensure it is the child’s parent providing consent. After filing such an application, the FTC will seek public comment and issue a decision within 120 days.
Since last summer, the FTC has both rejected one such application and approved one. The rejected application, by AssertID, proposed to use feedback from connections on social networks to confirm that the person providing consent was the parent. The FTC rejected this proposal on the grounds that AssertID had not provided sufficient evidence that the system could reliably ensure consent was coming from the child’s parent.
By contrast, the FTC concluded that Imperium’s recently approved knowledge-based authentication has been shown to be reliable at authenticating individuals in the banking industry where it is used widely, and is approved for use in the financial sector by banking regulators and the FTC. Knowledge-based authentication consists of asking a set of personalized questions, such as past addresses, phone numbers, vehicles owned, and the like, to verify the parent’s identity. These would all be questions that a child, or some other individual, would be unable or unlikely to answer successfully.
Other VPC innovations are likely to emerge. Operators seeking to implement new methods, can petition either the FTC or any one of a number of FTC-approved safe harbor providers for approval of the method. While a safe harbor’s approval might ultimately be undone were the FTC to disagree, the operator would be subject to penalty and would merely have to make prospective changes. FTC approval, which requires public notice and comment, on the other hand, provides certainty.