By Debbie Wong* and Nickolas Milonas
The Federal Trade Commission recently expanded the options for obtaining verifiable parental consent (“VPC”) under recent revisions to the Children’s Online Privacy Protection Act. COPPA requires covered websites and online services to obtain verifiable parental consent before collecting information on children under 13. The VPC method must be reasonably calculated to ensure that the person giving consent is the child’s parent. While the rule enumerates several acceptable methods for obtaining parental consent, changes to the rule that took effect last July allow for FTC approval of new VPC methods. As we previously reported, the FTC has already approved and rejected new VPC methods under the revised rule.
The FTC’s revised guidance on obtaining VPC includes three main clarifications. First, the FTC will now include the collection of parent’s payment card information as a potential VPC method. Although obtaining a 16-digit credit or debit card number alone would not satisfy COPPA’s VPC requirement, the FTC explained that there may be circumstances in which the collection of payment information would suffice in conjunction with other safeguards. For example, the card number could be supplemented with security questions that only a parent could answer.
Second, the FTC will allow a developer of a child-related app to use a third party, such as an app store, to obtain VPC. The developer, however, must ensure that COPPA requirements are met. For example, requiring an app store account number or password is insufficient for obtaining parental consent without other indicia of reliability, like authentication questions. In addition, the developer must provide parents with direct notice that outlines its information collection practices.
Last, the FTC clarified that in instances where a third party, like an app store, obtains VPC on behalf of app developers, the third party is not an “operator” under COPPA and therefore would not be liable if it fails to investigate the privacy practices of the developers for whom it obtains consent. However, such third party may still be liable under the FTC Act if it misrepresents its level of oversight for child-related apps.
The FTC revisions were praised by app developer trade associations as “a major win for innovation and privacy” because the revisions help clarify COPPA and remove obstacles that can discourage developers from creating educational apps for children.
*Debbie Wong is a summer associate in K&L Gates’ Washington, DC office and contributed to this post.