The Federal Trade Commission (FTC) recently approved a new method for obtaining verifiable parental consent that could make it easier for companies to comply with the Children’s Online Privacy Protection Act (COPPA) Rule. The COPPA Rule applies to websites that are “targeted” at children under the age of 13 and websites that have “actual knowledge” that they are collecting personal information directly from users of another website or online service directed to children (covered websites). Primarily, the Rule requires a covered website to provide notice to parents about its information collection practices, as well as obtain verifiable parental consent prior to collecting personal information from children. To assist companies in complying with the verifiable parental consent requirement of the COPPA Rule, a technology services company called Imperium LLC developed the new method, which it hopes will streamline the consent process for parents and website operators.
The COPPA Rule defines “verifiable parental consent” as making “any reasonable effort [taking into consideration available technology]” to ensure that a parent receives notice of a covered website’s data practices and authorizes the collection, use, and/or disclosure of their child’s information. The Rule, which was recently revised to provide additional consent methods and to encourage the creation of additional consent methods, also provides a list of approved methods of obtaining verifiable consent. For example, the Rule indicates that website operators may provide a consent form to be signed by the parent and mailed back to the website operator or have a parent call a toll-free phone number. The list offered in the Rule, however, is not exclusive and the FTC offers a safe harbor program in which interested parties can request pre-approval of new methods for obtaining consent.
Imperium submitted its new method for approval under this safe harbor program. Under Imperium’s method, when a child visits a website and wishes to establish a user name and password, he or she will be presented with a page that asks for the name and email address of a parent or guardian. After the child enters the information, the parent will receive an email asking whether or not they consent to the child’s participation on the website. If the parent’s identity cannot be verified using traditional methods such as confirming the last four digits of a Social Security number or date of birth, Imperium’s system will allow parents the opportunity to verify their identity through a knowledge-based identification method in which parents are asked a number of “out of wallet” questions that are difficult for anyone other than the specific person to know, such as previous addresses or telephone numbers. The method was submitted for public comment and was eventually approved. Due to the FTC’s approval, Imperium’s knowledge-based method is now considered a verifiable consent method under the COPPA Rule.
As noted by the FTC, the new method should “provide businesses with more flexibility, while ensuring parents are providing consent for the collection of their children’s information,” as required by the COPPA Rule. It also likely provides a welcome alternative to website operators struggling to comply with the revised COPPA Rule.
All website operators that knowingly collect information from children should be aware of Imperium’s new consent method because it could provide a less burdensome way of complying with the COPPA Rule’s verifiable consent requirement. For additional information regarding the revised COPPA Rule, please see our previous alert on the revised Rule here.