Gone are the days when parental consent meant a signed permission slip—in the realm of data collection from children through the Web, parental consent takes on a whole new look. The Children’s Online Privacy Protection Act (COPPA)—which restricts the collection, use, and disclosure of certain personal information from children under the age of 13 by operators of commercial websites or online services (including mobile applications)—generally requires that the operator obtain a parent’s “verifiable parental consent” prior to collecting such information. Recent updates to the Federal Trade Commission’s (FTC’s) guidance on COPPA added some clarity to the scope of this necessary parental consent.
The FTC’s guidance, presented in the form of Frequently Asked Questions (FAQs), notes that an operator may use various methods to meet the COPPA parental consent requirement as long as the method is “reasonably calculated to ensure that the person providing consent is the child’s parent.” The FTC’s recent updates included three revised FAQs that pertain to the scope and methods of obtaining “verifiable parental consent” under COPPA:
- Although the collection of a parent’s debit or credit card information is not, in itself, sufficient as verifiable parental consent, this method may be deemed sufficient in conjunction with other mechanisms. For example, an operator may charge a nominal amount to the credit card to test its authenticity (and later refund the amount) or obtain answers to special questions that could only be answered correctly by the parent.
- Developers of mobile applications can rely on a third-party app store to obtain parental consent as long as the developer ensures that the consent is being obtained in a “reasonably calculated” manner to ensure that the person providing consent is, in fact, the child’s parent. The FTC notes that an account number or password is not, in itself, sufficient. Also, the app developer must provide the parent with a notice of the specific information-collection practices to be applied prior to the parent consenting.
- App stores that provide a mechanism for developers to obtain verifiable parental consent are not “operators” covered by COPPA and, in turn, are not liable under COPPA for failure to investigate the developers’ privacy policies. The FTC cautions that an app store may still be held liable for misrepresenting the amount of oversight that the store provides for an application directed at children.