FTC Rejects Proposed “Social-graph Verification” Method for Obtaining Verifiable Parental Consent Under COPPA

Published On November 15, 2013 | By Dan Sachs | General
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

FTC NIGHTTIMEThe Federal Trade Commission (“FTC”) has rejected a proposed form of parental verification under the Children’s Online Privacy Protection Act (“COPPA”) that would allow parents’ “friends” on social networks to vouch for their identities.  The FTC ruled that there is not enough evidence that such a method is reliable.

The proposed “social-graph verification” could have made it significantly easier for parents to verify their identities, which they must do in order to consent to collection, use and disclosure of their children’s personal information under COPPA.  The verification methods currently permitted under COPPA require the parent to either print, sign and send a consent form, make a credit card payment, make a telephone or videoconference call, or provide government-issued ID.  An additional method, “email plus,” is only permitted when the website or online service will not share the child’s information with third parties.

Social-graph verification is used by many websites for identity verification.  For instance, Facebook has used social-graph verification as a password recovery tool.  The proponent of social-graph verification had argued that the method would “result in verification that the individual granting consent is in fact the parent that is significantly stronger than the currently approved methods.”

The FTC remained unconvinced based upon what it described as an absence of specific research or marketplace evidence about the proposed mechanism.  The FTC noted in particular that many children under 13 have falsified their age information to create social media accounts, raising the prospect of collusion among children to thwart the social-graph verification method.  However, most social-graph verification technologies include anti-collusion features such as excluding friends who are closely connected to each other and requiring users to have sufficiently dispersed friend networks.

While the FTC rejected the proposal, it signaled that “further research, development, and implementation” could someday permit approval.  It is also worth noting that the Commission’s decision is limited to COPPA and does not address the reasonableness of social-graph verification more generally as a data security practice.

About The Author

Dan Sachs, ZwillGen’s inaugural Fellow, assists ZwillGen attorneys on a broad range of matters, including litigation, investigations, product counseling, regulatory compliance, and policy. Prior to joining the firm, Dan worked at Facebook, where he assisted the Chief Privacy Officer for Policy in responding to federal, state, and international policy developments, engaging with regulators and stakeholders, and advising business units on privacy issues. During law school, Dan was a member of the George Washington Law Review and served as a research assistant to Professor Jeffrey Rosen, focusing on U.S. and international consumer privacy and surveillance issues. He was a legal intern with ZwillGen in the summer of 2012. Dan also worked as a legal intern with the U.S. Attorney’s Office for the District of Columbia.