The FTC has issued three new FAQs clarifying the “verifiable parental consent” requirements under the COPPA Rule.
In one of the revised FAQs, the FTC reiterates that the COPPA Rule’s list of parental consent methods is not exhaustive and that operators are free to use other “reasonably calculated methods” to obtain consent. According the revised FAQ, another “reasonably calculated” form of consent, under certain circumstances, could include collection of a credit card number without an accompanying monetary transaction, if other steps are taken as well (such as asking questions that only parents would know the answers to and finding a “supplemental way”to contact the parent). The FTC also amended two other FAQs that address the interplay between app stores and app developers in the COPPA context , explaining when an app developer may rely on app stores and other third parties to get verifiable parental consent, and whether an app store may be liable for app developers’ COPPA violations.
The amended FAQs are included below, and can be found here:
H.5. I would like to get consent by collecting a credit card or debit card number from the parent, but I don’t want to engage in a monetary transaction. Is this ok?
It depends. The general rule is that any parental consent mechanism “must be reasonably calculated, in light of available technology, to ensure that the parent providing consent is the child’s parent.” The Rule lists several methods that automatically meet this standard, one of which is the use of a credit card, debit card, or other online payment system in connection with a monetary transaction. However, the listed methods aren’t exhaustive; you may use other methods as long as they are “reasonably calculated” to ensure that the consent is being provided by the parent. Although collecting a 16-digit credit or debit card number alone would not satisfy this standard, there may be circumstances in which collection of the card number – in conjunction with implementing other safeguards – would suffice. For example, you could supplement the request for credit card information with special questions to which only parents would know the answer and find supplemental ways to contact the parent.
H.10. I am the developer of an app directed to kids. Can I use a third party, such as one of the app stores, to get parental consent on my behalf?
Yes, as long as you ensure that COPPA requirements are being met. For example, you must make sure that the third party is obtaining consent in a way that is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent. The mere entry of an app store account number or password, without other indicia of reliability (e.g., knowledge-based authentication questions or verification of government identification), does not provide sufficient assurance that the person entering the account or password information is the parent, and not the child. You must also provide parents with a direct notice outlining your information collection practices before the parent provides his or her consent.
H.16. I run an app store, and would like to help app developers that operate on my platform by providing a verifiable parental consent mechanism for them to use. Under what circumstances will this expose me to liability under COPPA?
Because you are not an “operator” under COPPA in this circumstance, you will not be liable under COPPA for failing to investigate the privacy practices of the operators for whom you obtain consent. As the Commission stated in the Statement of Basis and Purpose accompanying the final COPPA Rule, the term “operator” is not intended to encompass platforms, “such as Google Play or the App Store, when such stores merely offer the public access to someone else’s child-directed content.” At the same time, you should also evaluate your potential liability under Section 5 of the FTC Act. For example, it could be a deceptive practice to misrepresent the level of oversight you provide for a child-directed app.