After giving the mobile app industry a few years of heartburn over the breadth and ambiguity of its expanded Children’s Online Privacy Protection Act (COPPA) Rule, the Federal Trade Commission has gradually begun to provide some much-needed clarity.
Earlier this month, the FTC revised three portions of “Part H” in its online FAQs, which deal with how entities subject to COPPA may obtain verifiable parental consent.
One of COPPA's key methods of protecting children's privacy is by requiring companies to give notice to parents and obtain verifiable parental consent before collecting personal information. The FTC implements COPPA by means of its "COPPA Rule." When the FTC rewrote this Rule in 2012, it expanded the breadth of activities covered by the Rule without offering much guidance on how to comply with it.
Now, Part H.5 of the FAQ gives more credence to the use of credit card or debit card numbers as a means of verifying parental consent. The Rule already allows these financial numbers to suffice as consent when given in connection with a monetary transaction. But companies wanted the ability to use the numbers for this purpose even when money doesn't change hands. and the FTC listened. Part H.5 now says:
Although collecting a 16-digit credit or debit card number alone would not satisfy this standard, there may be circumstances in which collection of the card number – in conjunction with implementing other safeguards – would suffice. For example, you could supplement the request for credit card information with special questions to which only parents would know the answer and find supplemental ways to contact the parent.
So the number alone is not enough, but it can suffice when combined with "other" security protocols that are “reasonably calculated” to ensure that the consent is being provided by the parent.
Another important update comes in FAQ H.10, which clarifies that the app stores selling the app can be the entity that collects the parental consent on the app developer's behalf. The FTC warns developers, however, that they still retain the responsibility for "ensur[ing] that COPPA requirements are being met." To underscore the point, FAQ H.16 has also been amended to clarify that app stores are not liable under COPPA.
How can app developers verify that the app stores are providing them what they need to comply with COPPA? The FTC has a few suggestions:
For example, you must make sure that the third party is obtaining consent in a way that is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent. The mere entry of an app store account number or password, without other indicia of reliability (e.g., knowledge-based authentication questions or verification of government identification), does not provide sufficient assurance that the person entering the account or password information is the parent, and not the child. You must also provide parents with a direct notice outlining your information collection practices before the parent provides his or her consent."
These updates do not ease COPPA's burden on app developers. But every bit of guidance from the FTC in complying with the Act's often-tricky requirements is welcome.
