Recent revisions to Federal Trade Commission (FTC) compliance materials offer new clarity on the Children’s Online Privacy Protection Act (COPPA) Rule and provide businesses with several new tools to consider as they determine how to comply with the Rule’s requirements. The revisions to the COPPA “Frequently Asked Questions” document should make it easier for businesses to obtain “verifiable” consent from parents, as is required before a website collects personal information from children under the age of 13.
The COPPA Rule applies to websites that are (i) “targeted” at children under the age of 13 and (ii) that have “actual knowledge” that they are collecting personal information directly from users of another website or online service directed to children (covered websites). Primarily, the Rule requires a covered website to provide notice to parents about its information collection practices, as well as obtain “verifiable parental consent” prior to collecting personal information from children. The Rule defines “verifiable parental consent” as making “any reasonable effort (taking into consideration available technology)” to ensure that a parent receives notice of a covered website’s data practices and authorizes the collection, use and/or disclosure of their child’s information. The Rule also provides a list of approved methods of obtaining verifiable consent. However, the list is not exclusive and the FTC encourages businesses to develop additional ways of obtaining verifiable consent.
The FTC revised its FAQs to address several concerns that have been raised since the release of the revised COPPA Rule, including the burden of complying with the Rule and ensuring that the Rule allows website operators to take advantage of the latest technology when seeking parental consent.
First, the FTC released revisions to its guidance related to the use of credit cards to obtain verifiable parental consent. Under previous guidance, the FTC had stated that a business could not obtain verifiable parental consent simply by collecting a parent’s credit or debit card number in the absence of a payment transaction. For example, under the previous guidance, if a website required a parent to enter their credit card number before their child could use the website — but the website did not collect a payment from the card — the FTC would find that the website had not obtained the parent’s “verifiable” consent. Under revised FAQ H.5., a website can obtain consent by collecting a credit card or debit card number from the parent, so long as the information is collected in conjunction with some other verification safeguard. For example, under the new guidance, verifiable consent would be obtained if a website asked for a credit card number and required the parent to answer “special questions” that only the parent would be able to answer. The FTC would consider this form of consent to be appropriate even if no payment is processed with the credit or debit card.
The FTC also updated its guidance regarding the methods used by mobile app developers for obtaining verifiable consent. Specifically, revisions to FAQ H.10. clarify that mobile app developers can rely on third parties such as the iTunes App Store or Google Play to obtain verifiable consent on their behalf. The revisions should make it easier for app developers to “outsource” the parental consent requirement to third parties rather than implementing consent procedures on their own. So long as the third party obtains consent in a way that is reasonably calculated to ensure that the person providing consent is the child’s parent, as required under the COPPA Rule, the consent will comply with the Rule.
Further, in order to encourage third parties to work with app developers and website operators to provide verifiable consent, the FTC clarified in FAQ H.16. that such third parties will not be held liable under the COPPA Rule “for failing to investigate the privacy practices of the [website] operators for whom [they] obtain consent.” Thus, potential liability under the COPPA Rule will remain with website operators and app developers, even if they outsource the parental consent procedures.
What Does This Mean for Business?
The recent changes to the FTC’s COPPA Rule FAQs, available here, offer several new options for obtaining verifiable parental consent under the COPPA Rule. Businesses can now use a combination of credit or debit card numbers with some other safeguard, or businesses can work with a third party, such as the iTunes App Store or Google Play, to get consent on their behalf. Further, with a reduced threat of liability, there may also be a growing number of third parties who are willing to help businesses obtain verifiable consent. Ultimately, the updates to the COPPA FAQs are likely to reduce the compliance burden on businesses and to help increase the transparency of data practices.