The Evolution of “Verifiable Parental Consent”
How do we know you are who you say you are? Authenticating a user’s identity is an ongoing struggle for developers, merchants, lawmakers and consumers. An ideal solution balances costs for providers and convenience for users without sacrificing accuracy, but the Children’s Online Privacy Protection Rule (COPPA) illustrates that striking this balance isn’t so easy.
COPPA requires that operators obtain verifiable parental consent before collecting any personal information from a child, unless the collection satisfies one of the narrow exceptions, which are detailed in the FTC’s revised COPPA FAQs. So, how are operators supposed to get this “verifiable parental consent”?
While COPPA allows the use of “[a]ny method to obtain verifiable parental consent [which is] reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent,” it also lists six concrete methods that operators may employ (16 CFR § 312.5(b)):
(i) Providing a consent form to be signed by the parent and returned to the operator by postal mail, facsimile, or electronic scan;
(ii) Requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
(iii) Having a parent call a toll-free telephone number staffed by trained personnel;
(iv) Having a parent connect to trained personnel via video-conference;
(v) Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, where the parent’s identification is deleted by the operator from its records promptly after such verification is complete; or
(vi) Provided that, an operator that does not “disclose” (as defined by 16 CFR § 312.2) children’s personal information, may use an email coupled with additional steps to provide assurances that the person providing the consent is the parent. Such additional steps include: Sending a confirmatory email to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call. An operator that uses this method must provide notice that the parent can revoke any consent given in response to the earlier email.
In § 312.12, the Rule provides a procedure for parties to apply for pre-approval of an alternative consent mechanism (more on this below), perhaps as an acknowledgement that the tech community can come up with other creative alternatives.
Operators also can participate in one of the Commission-approved COPPA safe harbor programs, which enforce a set of self-regulatory guidelines (including a verifiable parental consent mechanism) for their members. Five groups have been approved as safe harbors – Aristotle International, Inc., the Children’s Advertising Review Unit (CARU) of the Council of Better Business Bureaus, ESRB Privacy Online, TRUSTe, and Privo, Inc.
Although the revised Rule actually offers operators more options to obtain verifiable parental consent, implementing and maintaining these systems may be costly. Opponents voiced their concerns in a recent panel discussion. “According to an estimate by the Federal Trade Commission provided by TechFreedom, the cost of compliance will run existing operators more than $6,200 a year. But new companies could be facing up to $18,670 a year – a hefty price tag for a start-up or small business, speakers noted.”
On August 21, the FTC published a request for public comments on AssertID’s proposed parental consent method (the first proposed since the Rule became effective on July 1). Unlike the options enumerated in the revised Rule, AssertID’s method is both automated and dynamic. They explain:
AssertID™ has developed patent-pending processes which, through a combination of peer verifications and analysis of an individual’s social-graph, can derive a quantitative score (“trust score”) which is a quantitative measure of the likelihood that an individual’s self-asserted identity attributes are accurate.
AssertID’s core identity-verification service allows participating users to create a digital identity credential (an “AssertID”) which contains the user’s self-asserted identity attributes (e.g. Name, Age, Gender, Email, Photo, Location, etc.) provided by the user. Once created, a user’s AssertID becomes available for verification by select friends and family from the user’s social graph.
As an individual’s AssertID is verified by their friends and family, the AssertID process analyses the number, quality and nature of these peer-verifications (“direct verifiers”) and of these verifiers’ verifiers (“indirect verifiers”). From this analysis AssertID derives a numeric trust score which is a reliable indicator of the accuracy of the user’s self-asserted attributes.
This trust score is dynamic, meaning that an individual’s trust score is continuously updated as changes or additions are made to the identity attributes contained in an individual’s AssertID credential and as additional peer verifications are performed.
AssertID listed low cost as a specific objective of their proposed method, and explained that they “will offer the basic ConsentID™ service [a web-service incorporating the proposed consent method] completely free of charge. Additional premium services will be offered on a fee-basis. ConsentID™ is always free to end-users (parents).”
The FTC is accepting written comments on AssertID’s proposal until September 20. What do you think of AssertID’s method? Does this use of social-graph analysis appropriately balance costs, convenience, and accuracy?