The FTC recently approved a new COPPA safe harbor program and a new method for obtaining parental consent, providing flexibility to companies striving to comply with COPPA obligations.
The revisions to the COPPA rule that took effect July 2013 expanded COPPA provisions in several ways, including by expanding the definition of “personal information” and clarifying that third-party operators are also subject to COPPA compliance obligations. The revised rules also imposed stricter requirements for companies wishing to provide COPPA safe harbor certification and created a mechanism through which companies could submit new methods of obtaining parental consent for approval.
Safe Harbor. Websites that participate in an FTC-approved COPPA safe harbor program will generally be subject to review and disciplinary actions under the program guidelines rather than be subject to a formal FTC investigation and enforcement action. In the amended Rule, the FTC imposed stricter requirements for companies wishing to provide safe harbor certification programs. A potential safe harbor program provider must now provide extensive documentation about the program’s requirements and the organization’s capability to oversee the program during the approval process and, after approval, the program must submit annual reports to the FTC.
On February 12, the FTC announced its approval of the kidSAFE Seal Safe Harbor program, which is designed for child-friendly websites and applications, including kid-targeted games, educational sites, virtual worlds, social networks, mobile apps, tablet devices and other similar interactive services and technologies.
The FTC approved the kidSAFE Seal safe harbor program after determining that it had (1) a requirement that participants in the safe harbor program implement substantially similar requirements that provide the same or greater protection for children as those contained in the COPPA Rule; (2) an effective, mandatory mechanism for independent assessment of the safe harbor program participants’ compliance with the guidelines; and (3) disciplinary actions for noncompliance by safe harbor participants.
The kidSAFE Seal program is the first safe harbor program approved under the amended version of the rule. The program joins five other safe harbor certifications previously approved by the FTC: the Children’s Advertising Review Unit of the BBB, the Entertainment Software Rating Board, TRUSTe, Privo Inc. and Aristotle International, Inc.
Parental Verification Methods. The FTC recently approved a new authentication method proposed by Imperium, LLC for verifying the identity of parents who consent to the collection of their children’s data. Imperium proposed a “knowledge-based authentication system” for its identity verification system ChildGuardOnline, which verifies a user’s identity by asking a series of out-of-wallet challenge questions (i.e., questions whose answers cannot be determined merely by looking in a person’s wallet). Knowledge-based authentication systems are already used by entities that handle sensitive information, such as financial institutions and credit bureaus. The FTC found this was a reliable method of verification because the questions were sufficiently difficult that a child age 12 and under in the parent’s household could not reasonably ascertain the answers, and noted that knowledge-based authentication has already proven reliable in the marketplace in other contexts.
Previously, the FTC had rejected an application by AssertID Inc. for its ConsentID product, which proposed to verify parental identity by asking that “friends” on the parent’s social media sites vouch for the parent-child relationship. The FTC found that this method was not “reasonably calculated in light of available technology” to ensure the person providing consent was the child’s parent and that the process could easily be circumvented by children who create fake social media accounts. To date, the Imperium methodology of parental consent verification is the only method approved by the FTC that was not in the text of the Rule itself. The other methods for verifying parental consent as provided in the text of the Rule are (a) requesting that such consent be provided by written form returned by mail, fax or scanned email; (b) requesting a credit or debit card in connection with a monetary transaction; (c) requesting that the parent call a toll-free phone number; (d) connecting with the parent via video-conference; or (e) checking a form of ID against a government database.
The FTC recently closed its public comment period for another proposed verification system submitted by iVeriFly. The iVeriFly methodology combines a knowledge-based authentication system similar to the method proposed by Imperium, wherein the program scans non-FCRA consumer databases to generate out-of-wallet questions for the parent to answer, with a telephone confirmation step. If the parent answers the questions correctly, the iVeriFly system then places a call to the parent requesting that consent be provided through a series of telephone key presses.