This week the FTC released updates to its Children Online Privacy Protection Act (COPPA) Frequently Asked Questions. The FAQs provide specific guidance for COPPA compliance and the updates reflect new and clarified guidelines on parental consent methods.
If your website, Mobile App, or other online service collects data from children under the age of 13, COPPA (and these updates) apply to you.
1. All Online Service Providers: Updates to Verifiable Parental Consent Guidelines
COPPA requires that online services gain “verifiable parental consent” before collecting data from children under the age of 13. The FTC provides several approved mechanisms for gaining verifiable parental consent, but has long said that companies are not limited to those mechanisms and may use any consent method that is “reasonably calculated” to verify that the consenting individual is in fact the child’s parent.
One FTC-approved verification method requires that the parent enter a credit or debit card number. Previously, the guidelines specified that using a credit or debit card to obtain consent needed to be “in connection with a financial transaction.” The rationale behind the transaction requirement is that the charge appearing on the parent’s financial statement serves as an additional notice and consent safeguard.
The updates note that companies may use a credit or debit card to obtain verifiable consent in absence of a financial transaction if the credit or debit card information is supplemented with other confirmation measures. Such measures include asking security questions to which only the parent would know the answer, or finding supplemental ways to contact the parent for confirmation. This reflects the FTC’s long-standing position that companies may choose a consent mechanism that works for their business, so long as it is reasonably calculated to identify that the person providing consent is the parent.