Childrens Online Privacy Protection

James Chiodo, Certified Information Privacy Professional CIPP/US

We all know the web can lure children in like candy. Children (just like adults) increasingly spend their time staring at glowing screens. Since parents cannot control much of what the web puts in front of their children, the Federal Trade Commission (FTC) has developed a number of regulations aimed to prevent companies from taking advantage of these underage net-surfers. One requirement is that online websites and services directed at children under the age of thirteen must obtain permission from a parent before obtaining any personal information from the child. The FTC recently approved a new method (called knowledge-based consent) that companies can use to obtain this permission.

Children’s Privacy Is Protected Under COPPA

The FTC’s regulations relating to children’s online privacy are found in the “Children’s Privacy Protection Act” (COPPA).  The COPPA rules enumerate a select number of methods companies can use to obtain parental consent. The goal of the approved parental consent methods is to verify that the individual consenting to the child’s use of an online site or service is the actual parent (not, for example, the child claiming to be his or her parent).

The COPPA rules also allow companies to propose new verifiable consent methods for the FTC’s consideration. Recently, the FTC approved a new parental consent method proposed by Imperium, Inc. Pursuant to this approval; COPPA now allows companies to use a knowledge-based authentication system to obtain verification of parental consent.

How the Knowledge- Based Parental Consent Method Works

The knowledge-based consent method works by sending an email to the parent asking a series of questions. The questions typically rely on information only a parent would know (sometimes this is referred to as “out-of-wallet” information because the information is not available by looking at the documents in a typical person’s purse or wallet). You’ve probably encountered similar identity verification questions if you use online banking, since financial institutions have used this type of authentication for many years. Commonly, the questions will rely on personal information from the consenter’s past such as “what is the name of the grammar school you attended” or “what was the name of your first pet.”

The FTC’s approval of the knowledge-based authentication method for children’s websites and services requires the process meet the following criteria:

  • The process must use dynamic (changing) multiple-choice questions,
  • There must be enough multiple-choice  answers provided the probability of a child guessing correctly is low, and
  • The questions must be sufficiently difficult that a child age twelve or under could not reasonably have known or guess the answers.

FTC Might Approve More Parental Consent Methods in the Future

The FTC’s approval of knowledge-based consent as an acceptable verifiable consent method provides companies with sites or services directed at children another valuable way to obtain effective consent. The approval also shows the FTC is willing to consider and adopt alternative verifiable parental consent methods proposed under COPPA. This is a good sign that companies might enjoy an even greater number of ways to obtain verifiable consent in the future.

New California & Nevada Privacy Laws Affect Website and Mobile App Owners ➞ Read More