FTC Denies Application by AssertID For COPPA Parental Consent

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Katie W. Johnson  

Nov. 14 --The Federal Trade Commission announced Nov. 13 that it has denied an application by AssertID Inc. for approval of a proposed method of verifying parental consent for the collection of children's personal information under the Children's Online Privacy Protection Rule.

In a Nov. 12 letter to the company, the FTC said AssertID's proposed verifiable consent (VPC) method, which uses “social-graph verification,” does not meet the approval criteria in the COPPA Rule, which implements the Children's Online Privacy Protection Act.

“We remain confident that our social-verification method is superior to the currently approved methods which do NOT verify the parent-child relationship,” Keith Dennis, president of Mill Valley, Calif.-based AssertID, told Bloomberg BNA in a Nov. 14 e-mail.

“We will continue to work with the FTC to demonstrate the strength of our verification method,” Dennis said. “In the interim, we will launch our industry-first, fully-automated, shared VPC service using the other approved FTC methods we have already incorporated.”

Groups Raise Concerns

The FTC's final amendments to the COPPA Rule took effect July 1 . The rule imposes parental notice and consent requirements on websites and online services collecting information from children younger than 13.

Although the rule sets out several methods for obtaining verifiable parental consent, it also permits an “interested party” to request that the FTC review and approve a different consent method. In August, the commission sought public input on AssertID's proposed consent method .

AssertID has developed a technology called “ConsentID” that verifies a parent's identity on the basis of a “trust score,” which is based on peer verifications through the parent's social network, according to its application.

Two FTC-approved COPPA safe harbor programs, Aristotle International Inc. and Privacy Vaults Online Inc. or PRIVO, as well as several consumer advocacy groups called on the FTC to carefully consider AssertID Inc.'s proposal. Among the concerns raised by the groups were the possibility that the consent method would collect and share parents' personal information and the developing nature of social verification technology.

In a blog post responding to comments by the Center for Digital Democracy, AssertID said “the information we collect from the parent is only shared with friends who already have access to that information” and “is never shared with any third-party.”

FTC: Rule Criteria Not Satisfied

The FTC said that AssertID's analysis does not meet the criteria in the COPPA Rule, at 16 C.F.R. § 312.5(b), for applicants requesting approval of a proposed parental consent method.

AssertID “failed to provide sufficient evidence” demonstrating that its proposed parental consent method is “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent,” the FTC said.

“Without relevant research or marketplace evidence demonstrating the efficacy of social-graph verification and that such a method is reasonably calculated to ensure the person providing consent is the child's parent, the Commission believes approval of such a VPC method under the Rule would be premature,” the letter said.

In addition, there is insufficient evidence indicating that AssertID's proposed techniques to improve the effectiveness of social-graph verification will function in the marketplace, the FTC said, noting the company's “limited beta testing of its product.” The commission highlighted several comments indicating that Facebook profiles can be readily fabricated and that children younger than 13 can falsify their information on social media accounts.

Dennis told Bloomberg BNA that his company's service does not rely on Facebook to verify user profiles. “Not only are we aware of the high incidence of fake Facebook profiles, but our solution assumes EVERY Facebook profile is fake until WE verify it is real,” he said.

“In short, identity verification via social-graph is an emerging technology and further research, development, and implementation is necessary to demonstrate that it is sufficiently reliable to verify that individuals are parents authorized to consent to the collection of children's personal information,” the FTC said.

 

To contact the reporter on this story: Katie W. Johnson in Washington at kjohnson@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com


The FTC's letter to AssertID is available at http://www.ftc.gov/os/2013/11/131113assertid.pdf.