FTC Rejects Proposed “Social-graph Verification” Method for Obtaining Verifiable Parental Consent Under COPPA
The Federal Trade Commission (“FTC”) has rejected a proposed form of parental verification under the Children’s Online Privacy Protection Act (“COPPA”) that would allow parents’ “friends” on social networks to vouch for their identities. The FTC ruled that there is not enough evidence that such a method is reliable.
The proposed “social-graph verification” could have made it significantly easier for parents to verify their identities, which they must do in order to consent to collection, use and disclosure of their children’s personal information under COPPA. The verification methods currently permitted under COPPA require the parent to either print, sign and send a consent form, make a credit card payment, make a telephone or videoconference call, or provide government-issued ID. An additional method, “email plus,” is only permitted when the website or online service will not share the child’s information with third parties.
Social-graph verification is used by many websites for identity verification. For instance, Facebook has used social-graph verification as a password recovery tool. The proponent of social-graph verification had argued that the method would “result in verification that the individual granting consent is in fact the parent that is significantly stronger than the currently approved methods.”
The FTC remained unconvinced based upon what it described as an absence of specific research or marketplace evidence about the proposed mechanism. The FTC noted in particular that many children under 13 have falsified their age information to create social media accounts, raising the prospect of collusion among children to thwart the social-graph verification method. However, most social-graph verification technologies include anti-collusion features such as excluding friends who are closely connected to each other and requiring users to have sufficiently dispersed friend networks.
While the FTC rejected the proposal, it signaled that “further research, development, and implementation” could someday permit approval. It is also worth noting that the Commission’s decision is limited to COPPA and does not address the reasonableness of social-graph verification more generally as a data security practice.