The Federal Trade Commission announced that is has denied AgeCheq, Inc.’s second proposed verifiable parental consent method under the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule. After trying but failing last year to gain FTC approval for a third-party common consent administrator mechanism, AgeCheq offered a new proposal, which would have allowed parents to access and submit an online “sign and send” form to a third party intermediary’s online verification portal. But the FTC once again turned AgeCheq away.
Under COPPA and the FTC’s COPPA Rule, websites and online services that collect personal information online from children under 13 must obtain verifiable parental consent for the collection, use and/or disclosure of the information. The Rule allows limited collection of personal information from the child in the first instance in order to allow consent to be obtained, including the child’s name or online contact information, and/or the parent’s name or online contact information. The Rule also specifies several means of obtaining parental consent, and allows parties to submit and seek FTC approval of additional means for obtaining consent not presently permitted by the Rule.
AgeCheq submitted its proposed “Device-Sign Parental Consent Form” (DSPCF) method to the FTC in October 2014. The proposed consent mechanism consisted of a multi-step verification process where a parent would register with an online intermediary or operator and provide his or her personal information including name, address, year of birth and mobile phone number. The intermediary or operator would then transmit a validation code to the parent’s mobile phone, which the parent would enter into an online “sign and send” form and digitally sign to verify the parent’s information and ownership of the registered mobile phone.
The FTC listed two reasons for declining AgeCheq’s application in its January 27 letter to the company. First, the FTC noted that AgeCheq’s proposed DSPCF process would violate COPPA because a parent’s home address or mobile phone number does not qualify as online contact information under the Rule for the purposes of seeking verifiable parental consent. Consequently, an intermediary or operator’s consent process cannot depend on the collection of such information.
Second, the FTC found that the DSPCF is not reasonably calculated to ensure that the person giving consent is actually the child’s parent; rather AgeCheq’s method “authenticates the device rather than the user.” The Commission stated that because many children under 13 years old either have their own smartphones or easy access their parent’s device(s), children could easily use the DSPCF method to provide false parental verification. According to the FTC, “AgeCheq’s method simply assumes that the parent has complete control and authority at all times over the device,” and does not add any indicia that the digital signature provided is that of the parent.
This marks the second verifiable parental consent method the FTC has rejected from AgeCheq. On November 21, the Commission announced that it denied the company’s first proposed method, which the FTC stated was already a valid means of verification under the Rule. It remains to be seen whether AgeCheq will test the “third time’s a charm” adage.