This week the FTC released updates to its Children's Online Privacy Protection Act (COPPA) Frequently Asked Questions. The FAQs provide specific guidance for COPPA compliance, and the updates reflect new and clarified guidelines on parental consent methods.
If your website, mobile app, or other online service collects data from children under the age of 13, COPPA (and these updates) apply to you.
1. All Online Service Providers: Updates to Verifiable Parental Consent Guidelines
COPPA requires that online services gain “verifiable parental consent” before collecting data from children under the age of 13. The FTC provides several approved mechanisms for gaining verifiable parental consent, but has long said that companies are not limited to those mechanisms and may use any consent method that is “reasonably calculated” to verify that the consenting individual is in fact the child’s parent.
One FTC-approved verification method requires that the parent enter a credit or debit card number. Previously, the guidelines specified that using a credit or debit card to obtain consent needed to be “in connection with a financial transaction.” The rationale behind the transaction requirement is that the charge appearing on the parent’s financial statement serves as an additional notice and consent safeguard.
The updates note that companies may use a credit or debit card to obtain verifiable consent in the absence of a financial transaction if the credit or debit card information is supplemented with other confirmation measures. Such measures include asking security questions to which only the parent would know the answer, or finding supplemental ways to contact the parent for confirmation. This reflects the FTC’s long-standing position that companies may choose a consent mechanism that works for their business, so long as it is reasonably calculated to identify that the person providing consent is the parent.
2. Mobile Developers: Gaining Parental Consent Through a Third Party (Such as an App Store)
The COPPA guideline updates clarify that mobile developers may allow app stores or other third parties to gather consent on their behalf, as an intermediary. Mobile developers are responsible for ensuring that the third party complies with COPPA requirements for gaining the consent.
Mobile developers who use this method must still provide direct notice to parents explaining their data collection and use policies before the parent provides consent via the third party.
The updates also reinforce the FTC’s position that merely asking a parent to enter an app store user name and password is not sufficient to qualify as verifiable parental consent.
TRUSTe does not directly facilitate Verifiable Parental Consent but recently announced its partnership with AssertID, a service provider that obtains Verifiable Parental Consent on behalf of the operator.
3. App Stores: Liability for Developers’ COPPA Compliance
The COPPA guideline updates added section H.16, which addresses potential liability for app stores that collect consent on behalf of developers, as discussed above.
App stores that choose to offer a parental consent mechanism for developers using their sales platform must ensure that their own methods of gaining parental consent comply with COPPA. The updates clarify, however, that app stores will not face secondary liability for failing to investigate the data collection and use practices of mobile developers using their store.
You can read the revised FTC COPPA FAQs here.
You’re not on your own! For more details on how to make sure you’re compliant with COPPA, contact a TRUSTe representative at 1-888-878-7830.