FTC Gives Stamp of Approval to COPPA Parental Consent Method by Imperium

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Dec. 23 -- The Federal Trade Commission Dec. 23 announced that it had approved a verifiable parental consent method under the Children's Online Privacy Protection Rule proposed by Imperium LLC.

The FTC's approval of the consent method proposed by Westport, Conn.-based Imperium follows the commission's rejection in November 2013 of a separate consent method proposed by AssertID Inc. (221 PRA, 11/15/13).

The commission had said AssertID's proposed method did not meet the approval criteria in the COPPA Rule, which implements the Children's Online Privacy Protection Act. AssertID's consent method was based on peer verifications through a parent's social network.

In its latest action, the FTC approved Imperium's proposed use of “knowledge-based authentication” (KBA), which verifies a user's identity “by asking a series of challenge questions,” according to a Dec. 23 statement by the FTC.

When a parental consent method is approved, it can be used by the applicant or any other party, according to the FTC's approval letter.

FTC Seeks Comment.

The FTC's amendments to the COPPA Rule took effect in July 2013 (128 PRA, 7/3/13). The rule imposes notice and parental consent requirements on websites and online services collecting information from children younger than 13.

Although the rule sets out several methods for obtaining verifiable parental consent, it also permits an “interested party” to request that the FTC review and approve a different consent method.

The FTC requested public comments on Imperium's proposal in September 2013 (175 PRA, 9/10/13). The comment period closed Nov. 4 after the commission extended the public comment period due to the partial government shutdown (206 PRA, 10/24/13).

The FTC Dec. 16 said that it is seeking public comments on a separate parental consent method proposed by iVeriFly Inc. (243 PRA, 12/18/13).

Knowledge-Based Authentication.

Imperium's proposed verifiable parental consent system, ChildGuardOnlineTM, verifies consent in two ways, the FTC explained in its approval letter.

The first method uses Social Security number verification, which is already an approved consent method under the COPPA Rule, the FTC said.

The alternative consent method proposed by Imperium is KBA, which involves asking a series of questions on “out-of-wallet” information, or “information that cannot be determined by looking at an individual's wallet” and that is “difficult for someone other than the individual to answer,” the FTC said in its statement.

KBA is commonly used by entities that handle sensitive information, such as financial institutions and credit bureaus, according to the commission's approval letter.

The FTC approved the proposed KBA method provided that it is implemented using several factors, such as “the use of dynamic, multiple-choice questions” and “the use of questions of sufficient difficulty that a child age 12 or under in the parent's household could not reasonably ascertain the answers.”

“In short, identity verification via KBA using these techniques is well-established and has been adequately utilized and refined in the marketplace to demonstrate that it is sufficiently reliable to verify that individuals are parents authorized to consent to the collection of children's personal information,” the FTC said.

The FTC's letter to Imperium is available at http://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-grants-approval-new-coppa-verifiable-parental-consent-method/131223imperiumcoppa-app.pdf.

Request Bloomberg Law Privacy and Data Security