The Federal Trade Commission (FTC) recently approved a new method for website operators and mobile application developers (“operators”) to obtain parental consent to collect personal information from children.1 Under this new method, which is the first to use biometric identifiers to verify that a parent is providing consent for a child, the FTC will permit operators to use facial recognition technology to compare an image of the person providing consent with an image of verified photo identification, such as a drivers’ license or passport. If the two images match, the user is verified and can provide consent for the child to use the website or mobile application.
COPPA Requirements to Collect Personal Information from Children Under 13
Generally, under the FTC’s COPPA Rule, before a website, app, or online service collects personal information from children under 13, it must:
- provide proper notice of its practices with regard to the collection, use, or disclosure of personal information from children directly to parents and on its website, and
- obtain verifiable parental consent to its privacy practices.
Verifiable Parental Consent
COPPA requires an operator to make “reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.”2 COPPA delineates specific, existing methods of obtaining verifiable parental consent that satisfy the foregoing standard, including a signed consent form, a monetary transaction, a telephone or video-conference call, or checking a form of government-issued identification against databases of such information.3 COPPA also allows interested parties to file a written request for FTC approval of parental consent methods not specifically laid out in the rule, in order to encourage the development of new consent methods that provide businesses with more flexibility while ensuring that parents are providing consent for their children. The FTC has previously approved additional methods of parental consent such as knowledge-based authentication, which uses “out-of-wallet” challenge-and-response questions to verify that a parent is providing consent.4
Requirements for New Methods of Verifiable Parental Consent
For the FTC to accept a proposed verifiable consent method, it must conclude that: (1) the proposed parental consent method is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent; and (2) if there is any risk to consumers’ personal information, the risk is outweighed by the benefit to consumers and businesses of using this method.5 When the FTC approves a new method, the applicant or any other party can use the method.
FTC Approval Letter for “Face Match to Verified Photo Identification”
On November 18, 2015, the FTC granted an application submitted by Riyo Verified Ltd. seeking approval of its proposed verifiable parental consent method involving facial recognition technology. The new method, “face match to verified photo identification” (FMVPI), combines photo ID verification with facial recognition technology in a two-step process. For the first step, the parent sends a picture of his or her photo identification (e.g., driver’s license or passport) to the service performing the verification. The service then verifies the authenticity and legitimacy of the identification document to ensure that it is an authentic government-issued identification.
The second step of proposed FMVPI method involves facial recognition technology. The verification service prompts the parent to take a photo of his or her own face with a phone camera or webcam. The service detects facial movements to ensure this photo is of a live person, rather than a photo of a photo. The image of the parent’s face is then compared to the face displayed on image of the photo identification. Photos that do not meet the required level of quality to perform a comparison are rejected. After passing these checks, both images are then reviewed by live agents who are trained to double-check that the photos match. Once the parent is verified, the consent process is completed, and the identification information submitted by the parent is promptly deleted—within five minutes.
The FTC concluded that facial recognition algorithms are sufficiently accurate and reliable at one-to-one verification—comparing one image against a second image—to be used to match a photo of a user against a government-issued ID card.6 While acknowledging that facial recognition technology is not perfect, the FTC noted that the technology has rapidly improved performance in recent years and is now being used to verify identity by retailers, financial institutions, and technology companies for safety and security purposes. The FTC also pointed out that a second level of review by trained personnel would help to ensure accurate matches. Finally, the FTC found that the risk to personal information was minimized by using the submitted information only to perform the service and then promptly destroying it, and the FTC’s approval was conditioned on adherence to these conditions. The FTC also highlighted in its press release that all of the personal information would be encrypted.1
With the FTC’s approval of Riyo Verified Ltd.’s application, website operators and mobile application developers have another option for obtaining verifiable parental consent in order to collect personal information from children. For many website operators and mobile application developers, this high-tech option may be more appealing than some of the other lower-tech methods already accepted by the FTC. Operators that choose to implement the FMVPI method, whether in-house or through a service provider, must comply with the conditions described in the FTC’s approval letter to ensure that the method is reliable and adequately protects the parents’ privacy.
1 See Commission Letter Approving Application Filed by Jest8 Limited (Trading As Riyo) For Approval of A Proposed Verifiable Parental Consent Method Under the Children’s Online Privacy Protection Rule at https://www.ftc.gov/system/files/documents/public_statements/881633/151119riyocoppaletter.pdf.
216 C.F.R. § 312.5 (b)(1).
3 16 C.F.R. § 312.5 (b)(2).
4 See WSGR Alert, “Websites and Apps Have More COPPA Options,” July 23, 2014, at https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-coppa-options.htm.
5 Children’s Online Privacy Protection Rule Proposed Parental Consent Method, 80 Fed. Reg. 47429, 47429 (August 7, 2015).
6 The FTC cautioned that its approval only speaks to one-to-one-matching and declined to opine on any facial recognition method that involves checking a single photo against a database on many photos.