IN THIS ARTICLE:
- Allowable COPPA parental consent methods
- The FTC approved a new consent option for the Children’s Online Privacy Protection Act
- New COPPA parental consent method is based on knowledge-based authentication
- KBA method beat out new “social-graphing” authentication method
Attention companies covered under the Children’s Online Privacy Protection Act: The FTC approved a new COPPA parental consent method. The nation’s consumer watchdog agency greenlit Imperium LLC’s dynamic knowledge-based authentication system, ChildGuardOnline.
Quickly, What Is COPPA?
The Children’s Online Privacy Protection Act is one of the few Internet privacy laws in the United States. In short, it established a set of governing rules for online data collection and digital storage of people aged 13 and younger. One of the main COPPA components is parental consent. In the simplest terms, websites and apps must obtain parental consent before collecting, using or storing kids’ information. What are acceptable COPPA parental consent methods? Keep reading.
The Old (& Still Usable) COPPA Parental Consent Methods
Until now, the only FTC-approved “verifiable parental consent” options were:
- Providing a downloadable consent form that the parent could sign and return — via U.S. mail, fax, or electronic scan;
- Requiring parents to use a credit card, debit card or online payment system that notifies the cardholder of every transaction;
- Providing a toll-free number to call;
- Providing a video confirmation service;
- Checking government ID against an FTC-approved database. (This method can only be used if you immediately delete the parent’s information after verification.)
The New Rules For COPPA Parental Consent
In 2013, the FTC updated COPPA regulations. Part of the “upgrade” involved expanding the list of allowable parental consent methods. According to the new rules, companies can “apply” to get an FTC “COPPA-validation stamp of approval” for their digital authentication platforms. Here’s how it works:
- First, a company submits a proposal to the FTC explaining their digital authentication system and why it would be an effective COPPA parental consent-friendly platform.
- Then, the FTC publishes the proposal and invites the public to submit any feedback about the application.
- When the comment period ends, the FTC reviews the proposal and public feedback; then the agency decides if the applicant’s platform is an acceptable COPPA parental consent product. After review, findings and a decision are posted online.
Has The FTC Rejected Any Other COPPA Parental Consent Applications?
Imperium is not the first company to apply for COPPA parental consent status. AssertID, another authentication company, also submitted their social media verification process for FTC review. Dubbed a “social-graph verification” scheme by the FTC, AssertID is a system wherein a parent’s social media “friend” verifies a parent’s identity. Unfortunately for AssertID, the commission rejected its proposal because it could not be “reasonably calculated” that the person giving consent was an actual parent or friend of the proper parental consent holder.
[Interesting business competition side note: AssertID’s proposal garnered 6 public responses – none of which were from Imperium. AssertID, however, did submit a comment for Imperium’s COPPA parental consent proposal and argued that their competitor’s program failed “to establish an adequate link between parent and child.” Additionally, AssertID argued, “The only link between the child and the parent is that implied by what is presumed to be the parent’s email address — there is no verification that this is in fact true. Although this weak implied link has been overlooked in the past, we feel that any new [consent] methods should be held to the requirement.”]
What Is Knowledge-Based Authentication?
We’ve become accustomed to online verification methods, like captchas. A typical verification method is called “knowledge-based authentication,” which requires respondents to either provide or verify personal information items in order to gain access to a private part of a website or application. There are two main types of knowledge-based authentication models, static KBAs and dynamic KBAs.
- Static KBAs are based on “shared secrets”. When registering for an online service, a user will be asked to provide the answers to various security questions. In order to retrieve credentials, he or she is asked to provide answers to those questions. Oftentimes static KBA systems are used for online banking logins (i.e., what is your mother’s maiden name?).
- Dynamic KBAs don’t require the user to have previous contact with a given site. Instead, the system automatically generates questions it culls in real time from public records. (Say What!? Yep.) Typically, the questions asked are considered “out of wallet” questions, meaning they aren’t queries someone could glean from either stealing or finding your wallet. Information is gathered from credit reports, marketing data and sometimes even social media.
What Stipulations Did The FTC Make About Acceptable COPPA Parental Consent Options?
To thwart any budding Al Capones, the FTC demands that any new COPPA parental consent systems use “dynamic, multiple-choice questions with enough options to ensure that the chances of a child guessing the correct answers are low.” In addition, the commission will only consider systems wherein “the questions used are of sufficient difficulty that it would be difficult for a child in the household to figure out the answers.”
If you have a website that could be used by a child aged 13 or younger, you must comply with all COPPA parental consent rules. It is no longer good enough to include a disclaimer like, “You must be older than 13 to use this site,” in your terms of service policy. Speak with a qualified COPPA lawyer to ensure compliance. The few hundred dollars it will cost for counsel is far better than the boatloads you may have to pay if the FTC comes a’knocking. A COPPA compliance audit is quick, painless and affordable. Get in touch today to get started on your COPPA legal compliance review.