Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

FTC Denies Proposed Verifiable Consent Method Under COPPA

The FTC denied AgeCheq’s application for approval of a proposed verifiable parental consent (VPC) method under COPPA. Under COPPA, operators of online services that are directed to children are required, except for limited situations, to obtain VPC prior to collecting personal information from children. Specifically, COPPA requires operators to obtain verifiable parental consent, taking into consideration available technology and any method must be reasonable calculated in light of available technology, to ensure that the person providing consent is the child’s parent. COPPA further provides a non-exhaustive list of acceptable methods that include (i) obtaining a form signed by a parent; (ii) receiving a credit/debit card or certain other online payment mechanisms if associated with a monetary transaction; (iii) a parent calling a toll-free number; (iv) parental consent by videoconference; (v) verifying parental identity against a form of government-issued identification; and (vi) traditional “email plus” where children’s personal information will be used for internal purposes only.

Recognizing the importance of encouraging the development of new consent mechanisms and to provide transparency, COPPA allows parties to request that the FTC approve parental consent methods not enumerated in COPPA. The goal of this provision is to encourage the development of new verification methods that provide businesses with more flexibility. The process requires a detailed description of the proposed parental consent method and an analysis of how the method is reasonably calculated to ensure that the person providing consent is the child’s parent. The application is then published in the Federal Register for public comment.

The Commission has previously approved two methods through this process. First, in 2013, it approved Imperium Inc.’s knowledge-based authentication as a new verifiable parental consent method and in 2014, the Commission approved iVeriFly, Inc.’s application of a VPC that used Social Security number verification, which is already approved under COPPA, and knowledge-based authentication questions.

Under AgeCheq’s proposed VPC method, a parent would register or create an account with an operator or intermediary company that handles certification. This would include the parent entering his or her personal information including name, address, birth year, and mobile phone number on a parental identity declaration form. The operator or intermediary would then send a validation code to the mobile device listed on the form. The last step would involve the parent entering the validation code and digitally signing a certificate verifying ownership of the device and accuracy of the information.

Four comments were received and three raised concerns and recommended that the Commission not approve the application. One of the concerns was that a child could falsify information with the mobile device because the method fails to provide a means to verify the information.  The Commission denied AgeCheq’s application for two reasons:

  • First, the proposed method would violate COPPA because of the collection of the mobile phone number and home address in order to obtain parental consent. COPPA permits the collection of online contact information, but because a home address or mobile phone number is not online contact information (as set out in COPPA), a COPPA-covered operator cannot collect such information as part of the consent initiation process.
  • Second, consistent with the concerns expressed in the comments, the Commission determined that the proposed method is not “reasonably calculated to ensure that the person providing consent is the child’s parent” because a digital signature is not a reliable means of obtaining verifiable consent. The Commission referenced the 2013 Statement of Basis and Purpose for the final rule that excluded electronic or digital signatures from the non-exhaustive list of acceptable consent mechanisms.

The Commission had previously denied AssertID, which proposed VPC method that would ask a parent’s “friends” on a social network to verify the identity of the parent and the existence of the parent-child relationship (“social-graph verification”). The Commission concluded that AssertID failed to provide sufficient evidence that its proposed VPC method was “reasonably calculated, in light of available technology to ensure that the person providing consent is the child’s parent.”

The FTC’s rejection of AgeCheq’s and AssertID’s proposals demonstrates that the Commission will carefully examine each VPC proposal to ensure that it meets the requirements of the COPPA Rule, and will not just provide a rubber stamp.  Companies who use VPC mechanisms that are not pre-approved by the COPPA Rule should examine those mechanisms in light of the rejected proposals, and consider whether they employ similar features that the FTC might not consider to be adequately designed.

Katherine Armstrong, Counsel in our Washington, D.C. office, contributed to this post.