The Federal Trade Commission (FTC) recently approved appropriately implemented “knowledge-based authentication” as a method for obtaining verifiable parental consent (VPC) under the Children’s Online Protection Act (COPPA). To be “appropriately implemented,” operators should assess whether any knowledge-based authentication technology:
- Generates “dynamic, multiple choice questions”;
- Asks “a reasonable number of questions with an adequate number of possible answers” to ensure that “the probability of correctly guessing the answer is low”; and
- Uses “questions of sufficient difficulty that a child age 12 or under in the parent’s household could not reasonably ascertain the answers.”
The FTC’s action provides online operators some welcome flexibility in implementing COPPA-compliant VPC strategies and demonstrates that the FTC will give serious consideration to VPC proposals.
Under COPPA, operators of online services (such as websites or mobile apps) that are directed to children under 13 or that have actual knowledge that their users are under the age of 13 (or operators doing such collection on other services) must, subject to certain limited exceptions, obtain VPC prior to collecting personal information from such children. Operators can utilize any method that is “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.” With the addition of knowledge-based authentication, the FTC still only expressly recognizes seven such mechanisms as satisfying the COPPA Rule. Other methods the FTC has embraced include: (i) obtaining a form signed by a parent; (ii) receiving a credit/debit card or certain other online payment mechanisms if associated with a monetary transaction; (iii) a parent calling a toll-free number; (iv) parental consent by videoconference; (v) verifying parental identity against a form of government-issued identification; and (vi) traditional “e-mail plus” where children’s personal information will be used for internal purposes only (e.g., obtaining initial parental consent by e-mail with a later follow-up message). In addition, FTC-approved COPPA safe harbor programs may also approve VPC methods for members of their programs.
The FTC’s action follows its evaluation of a proposal made by Imperium, LLC seeking approval of its ChildGuardOnline VPC service, which utilizes knowledge-based authentication. Imperium’s actions were pursuant to amendments to the COPPA Rule that became effective in July of last year permitting the filing of a written request for FTC approval of VPC methods not expressly enumerated in the COPPA Rule (see our post here for more information on other COPPA amendments that took effect last year). Under this provision, the FTC shall seek public comment and issue written determinations within 120 days of filing the request. The FTC’s decision is reflected in its December 23, 2013 approval letter to Imperium.
With Imperium’s ChildGuardOnline service, a child who wishes to sign up for an account on a website or mobile app must first provide the name and e-mail address of a parent or guardian, who will then receive an e-mail from Imperium explaining that the child has requested to sign up for a particular online service and asking for consent. Imperium proposed using knowledge-based authentication as one way to verify the parent’s identity, asking the parent a set of personalized challenge questions to prove they are who they claim to be. These questions are based on “out-of-wallet” information, such as past addresses and phone numbers that Imperium will maintain about individuals.
In approving Imperium’s application, the FTC cited favorably to the widespread use of knowledge-based authentication as an authentication tool in the banking industry. The FTC also noted that various regulators, including banking regulators and the FTC itself, had supported knowledge-based authentication when sensitive financial user information is at issue.
It appears the FTC will conduct a careful review of proposals for new VPC mechanisms. Although it approved Imperium’s proposal, the FTC in November 2013 rejected a proposal submitted by AssertID that would have allowed the use of feedback from “friends” on social networks to verify that the person providing consent is actually the child’s parent. The latest FTC action facilitates the use of knowledge-based authentication for VPC, but companies should be careful to ensure that any such technology or service operates consistently with the “knowledge-based authentication” parameters set forth above.