FTC Approves Knowledge-Based Authentication for COPPA Consent
For the first time, the Federal Trade Commission (“FTC”) has pre-approved a proposed form of parental verification under the Children’s Online Privacy Protection Act (“COPPA”) beyond the methods explicitly authorized under the FTC’s COPPA Rule.
Imperium LLC proposed a “knowledge-based authentication” method for parents to verify their identities, which they must do under COPPA in order to consent to collection, use and disclosure of under-13 children’s personal information. The method generates dynamic “out-of-wallet” (i.e., not simply information that would be found in a person’s wallet) multiple choice questions about the parent, which must be correctly answered. The FTC noted that this method has been used by entities such as banks and credit bureaus to authenticate persons seeking access to their sensitive account or credit information and that there is market evidence of its reliability, which has been recognized by various federal agencies including the FTC itself as well as independent standards organizations.
The Commission’s decision comes less than two months after it rejected a mechanism proposed by AssertID that would have used parents’ social network connections to verify their identities. At that time, the FTC explained that there was insufficient research and marketplace evidence to support pre-approval. In tandem, these decisions suggest that future successful proposals will—at a minimum—include evidence of the mechanism’s performance in the marketplace and positive peer reviews or regulatory imprimatur.
Under the COPPA Rule, the FTC approves methodologies, not companies’ specific implementations for parental consent. As such, any company seeking to implement a knowledge-based authentication method for parental verification consistent with the Commission’s guidance may now do so based on this ruling.
An extensive and complimentary analysis FTC’s Amendments to the COPPA Rule is available on the Zwillgen blog.