First-Shot Misfire for Application Seeking Streamlined FTC Approval of New COPPA Parental Consent Mechanism
By: Ronnie London
The Federal Trade Commission (FTC) voted thumbs down in its first ruling under the new streamlined process adopted in its Children’s Online Privacy Protection Act (COPPA) Rule review for additional methods of securing verifiable parental consent for online collection and use of children’s personal information. In its letter ruling, the FTC determined the proposed method of “social-graph verification” suggested by AssertID, Inc., did not meet the criteria for approval.
Under COPPA and the FTC’s COPPA Rule, operators of websites or online services directed to children under 13 must provide notice to parents and obtain verifiable parental consent prior to the online collection and use of personal information from such children. The Rule provides a variety of methods for doing so, including provision of a consent form to be signed by a parent and returned by mail or fax, requiring parents to use a credit card in a transaction, having parents call a toll-free number, digital certificates using public key technology, and email accompanied by a PIN or password. In its rule review concluded at the beginning of this year, the FTC also adopted a streamlined process for those who want to propose new methods.
AssertID proposed a “social-graph verification” method where a parent’s “friends” on a social network would be asked to verify the identity of parents and existence of parent-child relationships. The FTC determined that AssertID failed to provide sufficient evidence that its proposed method is reasonably calculated, in light of available technology, to ensure that the person consenting is the child’s parent (the other criteria is providing a detailed description of the proposed method). Specifically, the FTC ruled unfavorably given the lack of relevant research or marketplace evidence demonstrating the efficacy of social-graph verification.
The FTC noted that most of the articles AssertID offered toward this metric predate the public availability of the social network it wishes to use in its service. Also, while the FTC noted AssertID’s method is premised on verification by a minimum number of verifiers and requires a minimum “trust score,” the studies cited did not establish a particular “trust score” or number of verifiers is adequate to verify an individual’s identity. It also cited the lack of adequate evidence that the techniques AssertID plans to use to improve social-graph verification’s efficacy will work in the open market, and that limited beta testing did not demonstrate the method will work in a live environment, or is reasonably calculated to ensure the person consenting is the parent.
The FTC also cited opposition to the application, which noted users can easily fabricate profiles on Facebook, whose own SEC 10-Q indicates approximately 83 million fake accounts representing about 8.7% of users. It was also noted how children under 13 have falsified age information to establish social media accounts, including very active accounts with significant age-inflation that could appear credible.
Review of AssertID’s application, the comments raising concerns about it, and the ultimate FTC determination should provide useful guidance for future applicants. It remains to be seen, in the wake of this denial, and pending decisions on future applications, if the process will be as “streamlined” as industry may have hoped upon announcement of the new application process in the Rule update.