Privacy & Information Security Law Blog

On December 23, 2013, the Federal Trade Commission announced that it accepted a proposed mechanism, submitted by Imperium, LLC (“Imperium”), to obtain verifiable parental consent in accordance with the Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013.

The COPPA Rule requires operators of certain websites and online services to obtain a parent’s consent before collecting personal information online from a child under the age of 13. In addition to the acceptable methods for obtaining the required parental consent listed in the COPPA Rule, the FTC’s recent revisions also allow entities to propose their own parental consent mechanisms for approval by the Commission. On September 9, 2013, the FTC announced that it had received a proposal from Imperium and invited public comment on the proposed mechanism.

In its letter to Imperium, the FTC stated that Imperium’s method of knowledge-based authentication (“KBA”) is an acceptable method of obtaining verifiable parental consent as it is “reasonably calculated. . . to ensure that the person providing consent is the child’s parent.” KBA allows an individual to demonstrate that he or she is the relevant child’s parent by answering a series of challenge questions. The FTC noted that, to obtain verifiable parental consent, the challenge questions must be (1) structured so the probability of correctly guessing the answers is low, and (2) sufficiently sophisticated so that a child age 12 or under “could not reasonably ascertain the answers.”

In approving Imperium’s proposed parental consent mechanism, the FTC noted that “financial institutions and credit bureaus . . . have used KBA to authenticate users for many years” and that the FTC and other government agencies, such as the Federal Financial Institutions Examination Council, have previously acknowledged the efficacy of KBA. In November 2013, the FTC rejected a proposed parental consent mechanism submitted by a different company stating that the company failed to provide sufficient “relevant research” and “marketplace evidence” that its proposed mechanism would ensure that the person providing consent is the child’s parent. Accordingly, it appears that future proposals are more likely to be approved if they employ a mechanism that has a history of success and acceptance by industry and government in other identity verification scenarios.

View the FTC’s letter to Imperium.