Some clarification and a bit more flexibility was forthcoming late last week from the Federal Trade Commission to help ease compliance with the “new” COPPA.
In its recent update to three FAQs in Section H (Verifiable Parental Consent) of the COPPA FAQs , the FTC provided important information on the topic of verifiable parental consent. The revisions are particularly important for the mobile application market since it is now very clear that developers of mobile applications directed to children under 13 can use an app store to obtain verifiable parental consent and that the app stores providing the verifiable parental consent mechanism “will not be liable under COPPA for failing to investigate the privacy practices of the operators for whom you obtain consent.”
While keeping consistent with its prior position that the collection of a parent’s credit or debit card alone is insufficient to constitute verifiable parental consent, the revisions to FAQ H.5 indicate that, under certain circumstances, the FTC would consider the collection of a parent’s credit or debit card number “in conjunction with implementing other safeguards” such as, but not limited to, supplementing the request for the card information with special questions to which only the parent would know the answer and finding supplemental ways to contact the parent, verifiable parental consent under COPPA. This is a change from the FTC’s previous FAQ H.5, which required all credit or debit card numbers to be coupled with a monetary transaction.
The revisions to FAQ H.10, clarify that developers of mobile applications directed to children under 13 may use an app store like Google Play or the App Store to obtain verifiable parental consent on the developer’s behalf, subject to certain requirements. The FTC made it very clear that the developer remains responsible for (1) providing parents with direct notice of its information collection practices before consent is provided and (2) ensuring that the third party obtains consent in accordance with COPPA requirements, specifically, parental consent must be obtained “in a way that is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.” The Commission reiterated that simply entering a parent’s app store account number or password “without other indicia of reliability (e.g., knowledge-based authentication questions or verification of government identification), does not provide sufficient assurance that the person entering the account or password information is the parent, and not the child.”
The last update to the COPPA FAQs is in the form of brand new FAQ H. 16 which addresses the liability of app stores providing a verifiable parental consent method for app developers. The FTC took the position that an app store that provides a verifiable parental consent mechanism for developers of mobile applications directed to children is not an “operator” under COPPA and will not be exposed to liability under COPPA for failure to investigate the privacy practices of the app developers for whom the app store obtains parental consent. However, the Commission cautioned app stores providing this service that misrepresent the level of oversight the app store provides for a mobile application directed to children under 13 could be a deceptive practice which could expose the app store to liability under Section 5 of the FTC Act.
These updates are just another in the series of updates to COPPA FAQs (see here, here and here) to help operators of websites directed at children comply with COPPA.