The Federal Trade Commission’s (FTC) amended Children’s Online Privacy Protection Act (COPPA) Rule (16 CFR § 312 et seq.), effective July 1, 2013, allows industry groups and companies to apply for FTC approval of new parental consent methods that aim to provide substantially the same or greater protections for children’s online privacy than the parental consent methods described in COPPA. COPPA requires parental consent to be “verifiable.” Thus, the key to establishing a new parental consent verification method under COPPA is to demonstrate that the authentication process is sufficiently reliable to ensure that the person providing consent is the child’s parent.
To date, three companies have applied to the FTC proposing new consent methods. The first application, filed in June 2013, proposed a social network-based verification method whereby the system would ask a parent’s “friends” on a social network to verify whether the person providing consent is the child’s parent. The FTC rejected the proposal as lacking sufficient proof of reliability. The FTC noted that, although the proposed method requires a minimum number of verifiers and a minimum “trust score,” the proposal failed to establish a particular “trust score” or a particular number of verifiers as adequate for authentication purposes. The FTC viewed the proposed method as involving an emerging technology and requiring further efficacy studies.
Unlike the first application, the other two applications both proposed more conventional knowledge-based authentication (KBA) methods similar to those used by financial institutions and credit bureaus. According to the FTC, these types of KBA methods, when implemented properly, are sufficiently reliable for identity authentication.
The second application, filed in August 2013, proposed a system that requires a child signing up on a website or mobile app to provide the name and email address of a parent. The system would send an email notification to the email address provided by the child that contained a link for the parent to grant consent and provide name, address, birthdate and the last four digits of his/her Social Security number (SSN). Then, the system would verify the parent’s identity by cross-checking the information provided against various consumer databases. If the parent’s identity cannot be verified by the cross-checking process, the system, as the fallback option, would ask the parent to answer a series of knowledge-based personal questions (previous addresses, phone numbers, etc.).
The third application, filed in October 2013, adopted a similar but more rigorous process than the process described in the second application. The third proposed method would use the name, address and last four digits of SSN provided by the parent to locate the parent’s “unique data record” from consumer databases and to generate up to six random questions that the parent must correctly answer for verification to be successful. The parent also would be required to provide a telephone number for the system to call to complete the process. This third application is open to public comment until late January 2014.
On December 23, 2013, the FTC approved the method described in the second application [...]