FTC Approves New COPPA Verifiable Parental Consent Method That Relies on Knowledge-Based Authentication

The Federal Trade Commission recently approved Imperium, LLC’s proposed verifiable parental consent method under the Children’s Online Privacy Protection Rule (COPPA). COPPA requires an operator to obtain verifiable parental consent before collecting any personal information from children under 13 years old, subject to certain enumerated exceptions. As we have previously discussed, operators can obtain parental consent through certain options set forth in the FTC’s COPPA Rule. Under the revised COPPA Rule, entities may also submit a written request for Commission approval of methods not enumerated in 16 C.F.R. § 312.5(b), which approved methods become a part of the Rule (and thus available for all entities to use). Imperium’s proposed method for obtaining verifiable parental consent was to give an individual the opportunity to answer a series of “dynamic, ‘out-of-wallet,’ multiple-choice questions,” which, according to the Imperium request, is a technique financial institutions and credit bureaus have used for years to verify identity called knowledge-based authentication. The Commission approved the method, finding that it is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent. Specifically, the FTC noted in its letter that appropriately implementing this method requires the following: “1) the use of dynamic, multiple-choice questions, where there are a reasonable number of questions with an adequate number of possible answers such that the probability of correctly guessing the answers is low; and 2) the use of questions of sufficient difficulty that a child age 12 or under in the parent’s household could not reasonably ascertain the answers.”

TIP: This is the first new parental consent mechanism the FTC has approved since the COPPA Rule change went into effect. The approval letter from the FTC indicates that knowledge-based authentication, “when conducted as set forth in this letter” meets the approval criteria for a new parental consent mechanism.