New COPPA Options for Verifiable Consent
Yesterday, the FTC gave its blessing to some new ways that covered organizations can obtain verifiable parental consent before collecting personal information from children under 13. The updated COPPA Rule FAQs offer expanded options to get consent using payment card information and for developers using a third party such as an app store to get consent. If you want to collect payment card information to obtain parental consent, you may now have additional ways to get sufficient consent other than having to conduct a monetary transaction. In its updates to the FAQs, the FTC departed from its position that a financial transaction must occur for a parent's payment card number to be used for consent. Collecting a 16-digit credit or debit card number alone is still insufficient to satisfy the standard. However, the FTC explained that a card number used in conjunction with another safeguard could be sufficient. For example, it may be enough to also ask questions to which only the parents would know the answers. The revised FAQ answer suggests that other options could also be sufficient, depending on the available technology and circumstances.
If you are an app developer, the recent FAQ updates offer additional options for using a third party to get consent on your behalf. Formerly, the FAQs generally prohibited covered organizations from relying solely on a third party for consent. Now, app developers can have third parties obtain consent as long as the developers ensure that the COPPA requirements are met, including, for example, that the third party is using a method that is reasonably calculated based on available technology to ensure that the person providing consent is the parent. As one illustration, the third party may not simply require an app store account number or password, but must also require other indicia of reliability, such as knowledge-based authentication questions or verification of government identification. The FTC’s updated FAQ answer also reminds developers to provide direct notice outlining their information collection practices before the parent provides consent.
Finally, the FTC added a new FAQ that considers a platform's liability if it takes advantage of the new options for helping developers obtain consent by providing a verifiable parental consent mechanism. The FAQ makes clear that app stores will not be liable as “operators” under COPPA for failing to investigate the privacy practices of the operators for whom they obtain consent, but points out that the platform may have liability under other laws such as Section 5 of the FTC Act.