Recent action by the Federal Trade Commission (FTC) provides some welcome flexibility to operators of websites and online services that are directed to children, or that have actual knowledge that a user is under the age of 13, in implementing verifiable parental consent mechanisms under the Children's Online Privacy Protection Act (COPPA). To date, three companies have applied to the FTC for approval of new methods to verify parental consent under COPPA. In turn, the FTC has approved the use of knowledge-based verification, but rejected methods that rely on social networks to verify whether the person providing consent is, in fact, the child’s parent. Most recently, on February 25, 2014, the FTC permitted iVeriFly to proceed with its proposed parental consent mechanism, which the FTC determined was a variation of consent methods already recognized under COPPA or previously approved by the FTC.
The COPPA generally prohibits operators of commercial websites and online services, such as mobile apps, from electronically collecting or disclosing “personally identifiable information” (PII) from children under 13 without obtaining prior, “verifiable” parental consent. The COPPA rules were revised and expanded in July 2013. Under the new rules, a child’s PII could include a broad array of information that would allow someone to identify or contact the child, such as his or her full name, home address, email address, telephone number, geolocation information, a photograph, video, or audio file containing the child’s image or voice, or even a persistent identifier that could be used to recognize the child over time and across different websites or online services (such as a customer number held in a cookie, an IP address, a processor or device serial number, or unique device identifier). COPPA and its implementing regulations also cover other types of information—for example, hobbies, interests, and information collected through cookies or other types of tracking mechanisms—when they are tied to individually identifiable information.
COPPA clearly targets websites and services aimed at children, and the July 2013 amendments cast an even wider net. COPPA rules may also apply to websites aimed at general audiences when they have “actual knowledge” that they are collecting information from children under 13 or from users of another website or online service directed at children under 13. This means that under certain circumstances, COPPA may apply to advertising networks, plug-ins, and other third parties.
The FTC has authority to enforce COPPA and has settled enforcement actions for penalties up to $1 million. COPPA also authorizes states and other federal agencies, such as the Office of the Comptroller of the Currency and the Department of Transportation, to enforce COPPA compliance in the specific industries they regulate.
In light of COPPA’s broad applicability and the potential for significant enforcement liability, operators and online service providers subject to the Rule should take seriously the verifiable parental consent requirement. But how can operators and online service providers ensure that the person providing the required consent under COPPA is, in fact, the child’s parent? The Rule itself provides limited guidance. In general, COPPA permits “any method . . . reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.” The Rule then lists a variety of methods that meet this requirement, including: (1) providing a consent form to be signed by a parent and returned by mail or fax; (2) requiring parents to use a credit card in a transaction; (3) having parents call a toll-free number staffed by trained personnel; (4) having parents connect to trained personnel via video-conference; or (5) verifying parents’ identity by checking a form of government-issued identification, such as a Social Security number, against databases of such information.
The above list is not exhaustive, however, and, in the July 2013 amendments, the FTC invited proposals for new and innovative mechanisms for obtaining verifiable parental consent. Any application for approval of a new method must show how the proposed method is reasonably calculated to ensure it is the child’s parent providing consent. All applications are subject to public comment, and the FTC is required to issue its decision on the application within 120 days.
New Methods Evaluated
To date, the FTC has reviewed three applications proposing new parental consent methods. In July 2013, the FTC denied an application filed by AssertID seeking approval of a social-network based verification method. The proposed system would ask a parent’s “friends” on a social network to verify whether the person providing consent is the child’s parent. In rejecting the proposal, the FTC cited the lack of relevant research or marketplace evidence demonstrating the efficacy of social-graph verification. The FTC also considered opposition to the application, which argued that users—including children—can easily fabricate profiles on social networking sites or inflate their ages. Although AssertID proposed techniques in its application to improve the efficacy of social-graph verification, the FTC noted the lack of adequate evidence that the proposed techniques would work in the open market and found that the limited beta testing did not demonstrate that the method would work in a live environment.
The remaining two applications reviewed by the FTC proposed more conventional knowledge-based authentication methods similar to those already used by financial institutions and credit bureaus. The FTC agreed that these types of methods are sufficiently reliable for obtaining verifiable parental consent.
On December 23, 2013, the FTC accepted a proposed mechanism submitted by Imperium, LLC, which utilizes knowledge-based authentication. The proposed ChildGuardOnline system, in addition to verifying identity via Social Security number, relies on a series of “challenge” questions requiring information not commonly available or typically found in a person’s wallet. The system verifies the parent’s identity by cross-checking the information provided against various consumer databases. The FTC conditioned its approval of Imperium’s knowledge-based authentication method, however, on the use of a reasonable number of dynamic multiple-choice questions having an adequate number of possible answers that, in turn, have a low probability of being guessed correctly. In addition, the questions must be sufficiently difficult such that a child under 13 could not reasonably ascertain the answers.
Most recently, on February 25, 2014, the FTC found that a proposed parental consent mechanism submitted by iVeriFly was a variation of methods already recognized under COPPA or previously approved by the FTC, rendering FTC action on the application unnecessary. The iVeriFly system uses Social Security number verification as an initial step in confirming the parent’s identity. As explained above, Social Security number verification already is approved under COPPA. Like the Imperium system approved by the FTC, the iVeriFly system also relies on knowledge-based authentication questions. Once a parent’s COPPA account is created, iVeriFly uses verification codes to confirm the parent’s identity for future contacts—an approach similar to one accepted by the FTC that allows the use of passwords or PIN numbers for previously authenticated parents.
The FTC’s recent actions provide operators and online service providers flexibility in implementing COPPA-compliant verifiable parental consent mechanisms that may be less burdensome than those outlined in the Rule. They also demonstrate that the FTC will give serious consideration to proposed mechanisms before approving them. Comparing AssertID’s rejected social-graph verification method with Imperium’s approved knowledge-based authentication method suggests that an authentication method may need to show an adequate track record in other contexts before it will be approved by the FTC under COPPA. In addition, companies like iVeriFly that propose variations on previously-approved COPPA consent mechanisms may benefit from seeking a letter from the FTC that confirms their proposed approach is already approved in order to minimize exposure to enforcement liability.