Last month, the Federal Trade Commission (FTC) approved a new method for companies to use when obtaining parents’ consent for their children to provide personal information through online services covered by the Children’s Online Privacy Protection Act (COPPA). The method, known as “knowledge-based authentication” can now be used to verify that the person providing consent for a child is in fact the child’s parent.
COPPA requires certain commercial website operators to obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under the age of 13. COPPA defines both “collection” and “personal information” broadly. “Collection” includes requesting, prompting, or encouraging a child to submit personal information online and enabling a child to make personal information publicly available in identifiable form. “Personal information” includes not only a child’s name and address (among other things), but also his or her image or voice, whether in a photograph, video, or audio file.
In order to collect personal information from children online, website operators must first obtain verifiable parental consent. COPPA lays out a number of acceptable methods through which companies can obtain such consent, including providing a consent form to be signed by a parent and returned via mail, fax, or electronic scan; having a parent call a toll-free telephone number; or verifying a parent’s identity by checking a form of government-issued identification.
In December, the FTC approved an additional method – knowledge-based authentication, or KBA. Already used by financial institutions and credit bureaus, KBA is a way to verify an individual’s identity by asking a series of challenge questions that typically rely on so-called “out-of-wallet” information, or information that cannot be divined simply by looking at an individual’s wallet. Companies seeking to obtain verifiable parental consent via the KBA method must ensure that the specific process they employ uses dynamic, multiple-choice questions with enough options and of sufficient difficulty to prevent a child from guessing the correct answers.
KBA verification may prove easier to implement than other methods of obtaining verifiable parental consent, which typically rely on off-line forms of authentication. Still, companies are advised to consult with legal counsel before attempting to collect personal information from children online. In addition, although COPPA applies only to websites “directed to children,” FTC rules also construe this category expansively and will examine a wide range of factors – including but not limited to subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, and whether advertising promoting or appearing on the Web site or online service is directed to children – in determining whether COPPA applies to a given site. Thus, COPPA is potentially applicable to many websites that their owners might think of as general audience, rather than child-directed, sites. COPPA is a lengthy, complex statute that applies broadly and carries steep penalties for noncompliance.