The Federal Trade Commission announced that it has approved a new method for companies to obtain parents’ verifiable consent for online collection and use of children’s personal information under the Children’s Online Privacy Protection Act (COPPA) Rule. The FTC’s letter issued to Imperium LLC approves knowledge-based authentication – which relies on a series of “challenge” questions requiring information not commonly available or typically found in a person’s wallet – as a method for verifying that the person providing consent is in fact a parent. The approval comes just over a month after the FTC rejected AssertID’s request for approval of “social-graph verification” as a method for securing verifiable COPPA consent.
Under COPPA and the COPPA Rule, operators of websites or online services directed to children under 13 must provide notice to parents and obtain verifiable parental consent prior to the online collection and use of personal information from such children. The Rule provides a variety of methods for doing so, including provision of a consent form to be signed by a parent and returned by mail or fax, requiring parents to use a credit card in a transaction, having parents call a toll-free number, digital certificates using public key technology, and email accompanied by a PIN or password. In its rule review concluded at the beginning of this year, the FTC also adopted a streamlined process for those who want to propose new methods.
Imperium sought approval for its ChildGuardOnline system, which in addition to verifying identity via social security number as the COPPA Rule already allows, can alternatively rely on challenge questions to verify a parent’s identity. Approval of Imperium’s knowledge-based authentication method was conditioned upon use of a reasonable number of dynamic multiple-choice questions having an adequate number of possible answers that, in turn, have a low probability of being simply guessed correctly. In addition, the questions are sufficiently difficult such that a child under 13 in the household could not reasonably ascertain the answers. Challenge questions can include, for example, previous addresses, phone numbers, etc.
The key was that the knowledge-based information is of a type that that cannot be determined by looking at an individual’s wallet, and is difficult for someone other than the individual to whom the information pertains to answer correctly. In granting approval, the FTC noted that such an approach is used by financial institutions and credit bureaus, and has been acknowledged by the FTC and other agencies as effective for its intended purpose.
Comparing AssertID’s rejected social-graph verification method with Imperium’s approved knowledge-based authentication method suggests that, to be approved by the FTC under COPPA, an authentication method may need to show an adequate track record in other contexts, be it in the marketplace or in another regulatory framework. Close observation as the FTC builds a body of approvals and denials of new COPPA verifiable consent mechanisms should thus be instructive for those with a potential interest in having their consent methods successfully make it through the streamlined approval process.