While new technologies and data breaches continue to proliferate at a rapid pace, privacy issues remain a hot topic that many online marketers must properly manage. One of the strictest privacy laws is the Children’s Online Privacy Protection Act (COPPA), which generally prohibits websites and online services, such as mobile apps, from collecting personal information online from children under 13 without first obtaining “verifiable” parental consent (VPC) authorizing the collection, use and/or disclosure of a minor’s information.
“Personal information” has been broadly defined to include first and last names, a screen or user name, physical or e-mail addresses, geolocation information, telephone numbers, social security numbers, photographs, video or audio files containing a child’s image or voice and certain persistent identifiers. As COPPA has been aggressively enforced by the Federal Trade Commission (FTC) and can result in significant monetary penalties, website operators and online service providers, including a wide range of online marketers and third-party app providers, must take this process very seriously.
However, the tricky issue becomes not only obtaining the required consent, but also ensuring that the person providing the consent is, in fact, the child’s parent. While the FTC has prescribed several acceptable methods for obtaining verifiable parental consent in compliance with COPPA, some operators and online service providers have viewed them as too impractical or burdensome to implement. For example, while it’s acceptable for a parent to provide a signed consent form by mail, fax or electronic scan, the means of providing the form to the parent and the execution of its return can often be tricky and logistically difficult.
Recognizing that one size does not fit all, the COPPA Rule amendments which took effect in July 2013 provide a process by which parties can request the FTC’s approval of VPC methods not spelled out by COPPA. The goal of this provision was to encourage the development of new verification methods which could provide businesses with more options and flexibility. New methods are examined closely, however, and not just rubber-stamped.
The FTC has previously rejected proposed methods that included asking a parent’s social network “friends” to verify the parent’s identity and the existence of the parent-child relationship through a methodology known as “social-graph verification.” The FTC has also rejected the use of electronic or digital signatures on the grounds that they are not a reliable means of obtaining verifiable consent.
On the other hand, the FTC has approved “knowledge-based authentication,” which first requires that a parent provide the last four digits of their social security number, name, address and date of birth. If the supplied information cannot be verified against available data, the knowledge-based authentication mechanism presents the parent with an opportunity to respond to a number of “out of wallet” challenge questions to establish valid identification. Challenge questions can include, for example, prior phone numbers or previous addresses. Since the required knowledge to correctly answer the questions is difficult for anyone other than that specific person to know, it provides a secure method for validation.
Other proposed methods have been neither approved nor rejected. The FTC has ultimately concluded that they were simply a variation on VPC methods already recognized in COPPA or the approved knowledge-based authentication process. In so doing, the FTC has emphasized that COPPA only requires the FTC to approve a proposed method of verifiable consent, not the specific implementation of that method. That distinction, however, may not always be so clear.
The FTC approved one of the more interesting methods proposed, which entails a two-step facial recognition process. A parent would first provide an image of their government-issued photo identification, such as a passport or driver’s license. Using computer vision technology, algorithms and image forensics, the document would be analyzed to ensure its authenticity and legitimacy as a valid government-issued ID. Next, a parent would be prompted to provide a “selfie” taken with a smartphone or webcam, and the live image would be compared to the ID photo using facial recognition technology. The FTC’s approval was conditioned on adherence to the provider’s privacy policy, which pledges to use personal data only as directed by the operator, and on the requirement that the images be discarded within five minutes of completing the verification process. Notably, this method and the “knowledge-based authentication” are the only two methods that have thus far passed muster with the FTC as new VPC mechanisms.
Although the FTC has broadened (and will likely continue to broaden) the options and flexibility for obtaining the verifiable parental consent required under COPPA, the risks for noncompliance are real. Website operators and online service providers should continue to carefully monitor and assess their methods for COPPA compliance. Examining the proposed methods that have been accepted and rejected by the FTC provides a useful guide for comparison. If in doubt, best to play it safe: Implement a clearly approved method, or consider seeking FTC approval if you decide to be more innovative.
Terese Arenth is a partner with Moritt Hock & Hamroff and serves as chair of the promotional marketing and advertising practice group within its intellectual property department.