FTC Approves Knowledge-Based Authentication for COPPA Consent

Published On January 6, 2014 | By Dan Sachs | Children's Online Privacy Protection Act (COPPA), FTC, Privacy

FTCDAYFor the first time, the Federal Trade Commission (“FTC”) has pre-approved a proposed form of parental verification under the Children’s Online Privacy Protection Act (“COPPA”) beyond the methods explicitly authorized under the FTC’s COPPA Rule.

Imperium LLC proposed a “knowledge-based authentication” method for parents to verify their identities, which they must do under COPPA in order to consent to collection, use and disclosure of under-13 children’s personal information.  The method generates dynamic “out-of-wallet” (i.e., not simply information that would be found in a person’s wallet) multiple choice questions about the parent, which must be correctly answered.  The FTC noted that this method has been used by entities such as banks and credit bureaus to authenticate persons seeking access to their sensitive account or credit information and that there is market evidence of its reliability, which has been recognized by various federal agencies including the FTC itself as well as independent standards organizations.

The Commission’s decision comes less than two months after it rejected a mechanism proposed by AssertID that would have used parents’ social network connections to verify their identities.  At that time, the FTC explained that there was insufficient research and marketplace evidence to support pre-approval.  In tandem, these decisions suggest that future successful proposals will—at a minimum—include evidence of the mechanism’s performance in the marketplace and positive peer reviews or regulatory imprimatur.

Under the COPPA Rule, the FTC approves methodologies, not companies’ specific implementations for parental consent.  As such, any company seeking to implement a knowledge-based authentication method for parental verification consistent with the Commission’s guidance may now do so based on this ruling.

An extensive and complimentary analysis FTC’s Amendments to the COPPA Rule is available on the Zwillgen blog.

 

About The Author

Dan Sachs, ZwillGen’s inaugural Fellow, assists ZwillGen attorneys on a broad range of matters, including litigation, investigations, product counseling, regulatory compliance, and policy. Prior to joining the firm, Dan worked at Facebook, where he assisted the Chief Privacy Officer for Policy in responding to federal, state, and international policy developments, engaging with regulators and stakeholders, and advising business units on privacy issues. During law school, Dan was a member of the George Washington Law Review and served as a research assistant to Professor Jeffrey Rosen, focusing on U.S. and international consumer privacy and surveillance issues. He was a legal intern with ZwillGen in the summer of 2012. Dan also worked as a legal intern with the U.S. Attorney’s Office for the District of Columbia.

Comments