By Ronald G. London
Under the provisions of the Children’s Online Privacy Protection Act (COPPA) Rule that invite proposals for new mechanisms for obtaining the verifiable parental consent required to collect, use and disclose personal information from children under 13, the Federal Trade Commission (FTC) has announced that it concluded its proceeding on iVeriFly’s proposal by declining to issue an approval, as the FTC found the method to be simply a variation on those already recognized under the Rule, rendering further FTC action unnecessary.
The verifiable parental consent mechanism iVeriFly proposed uses verification by Social Security number (SSN) as an initial step in confirming the parent’s identity. But SSN verification is already approved under the COPPA Rule. Similarly, another step in iVeriFly’s proposed mechanism relies on knowledge-based authentication, which the FTC recently approved (as we discussed here) after iVeriFly’s application was already on file. In addition, under iVeriFly’s mechanism, once a parent’s COPPA account is created, iVeriFly uses verification codes to confirm the parent’s identity for future contacts, an approach akin to using passwords or PIN numbers for previously authenticated parents, as described in the FTC’s updated frequently asked questions (FAQs), which we discussed here and here.
It is unclear if companies like iVeriFly, who have “variations” on approved COPPA consent methods, seek explicit approval out of concern over enforcement and/or uncertainty about how the FTC will interpret the rules, or whether by doing so, even if arguably already covered, they wish to obtain an FTC letter like iVeriFly did that confirms their approach is already approved (also note that, at least part of iVeriFly’s application encompassed a method that at the time of filing was not approved, but was encompassed by another party’s already-on-file application that the FTC granted before it got to iVeriFly’s proposal). But in any event, iVeriFly has a green light to proceed, even with the FTC’s non-action on its application.