By: Aaron Krowne
The Federal Trade Commission (“FTC”) has recently made a number of significant updates to its guidance for Children’s Online Privacy Protection Act (“COPPA”). Chiefly, these updates streamline compliance requirements for COPPA’s parental consent mandate, in response to the widespread popularity of “app stores” for obtaining and running software. The updates also add support for “knowledge based identification,” a new method of verification that utilizes credit cards.
The Recent COPPA Updates
The FTC provides an online “FAQ” which serves as its guidance on how to comply with COPPA (for more background on COPPA click here for the extended version of this article). Periodically, it updates this FAQ in response to various developments, including changing technology. On July 16, 2014, a significant set of updates was made, containing key clarifications and additions.
1. Knowledge Based Identification
One of the updates was to section H.5 of the FAQ, where the FTC added “credit card plus” authentication as an express approved means to confirm parental consent. Originally, the FTC’s guidance expressly approved verification via the use of a parent’s credit card, but only if it was charged. The rationale for this requirement, as originally written, was that it would cause an actual financial record to be generated that a parent would be sure to see. But this guidance by itself had the effect of foreclosing other useful authentication methods that made use of a credit card without charging it.
The new H.5 now suggests that a credit card, used in combination with additional questions (the “plus”) which only a parent would typically know the answers to, such as detailed items from a parent’s credit history, can constitute valid confirmation of parental consent.
This update was most likely in direct response to Imperium, Inc.’s December 13, 2013, consent method inquiry for such “knowledge-based identification,” which included questions associated with credit history (e.g., past addresses), that was ultimately approved by the FTC.
2. App Store Apps And Parental Consent
The FTC also updated H.10 of the FAQ, to state expressly that developers can rely on parental consent obtained by “app stores.” “App stores” (e.g., Google Play and Apple’s App Store) are the now-popular venues where customers can purchase, download and install software for their smartphones, computers or tablets. This update considerably lowers the barrier for app store developers, as they no longer have to implement the “mechanics” of COPPA parental consent.
Finally – and critically – the developer must ensure the app store’s parental consent method complies with COPPA fully; it is not enough to simply trust assurances.
In sum, a significant part of the COPPA compliance process has been removed vis-a-vis app developers; but operators of apps must still comply with the other aspects of COPPA, including actually invoking the app store’s parental consent method properly, and making sure the consent method is actually compliant.
3. App Store Liability