By Ronald G. London and Bryan Thompson
This past Nov. 18, the Federal Trade Commission (FTC) approved a new verifiable parental-consent method under the Children’s Online Privacy Protection Act (COPPA) Rule, which will allow entities to use facial-recognition technology to obtain the parental consent required under the COPPA Rule prior to collecting, using or disclosing information on children younger than 13 years old.
Back in July, Riyo Inc. applied for FTC approval of its proposed “face match to verified photo identification” (FMVPI) method, a two-step facial-recognition process that compares an image of a parent’s photo identification (for example, a driver’s license or passport) taken with the parent’s phone or device camera with a selfie that is later provided for verifiable parental consent. The technology used is in turn designed to detect facial movements to ensure that the selfie is of a live person and not a photo of a still image. Both images are then analyzed by the FMVPI system as well as live agents for verification.
Under the FTC’s COPPA Rule, websites and online services that collect personal information online from children younger than 13 must obtain verifiable parental consent authorizing the collection, use and/or disclosure of a minor’s information. The rule specifies several methods of gaining verifiable parental consent and allows parties to submit and seek FTC approval of additional means for obtaining consent not currently permitted by the rule.
In its letter approving Riyo’s application, the FTC found that facial-recognition technology is currently used in a number of industries to verify an individual’s identity and that the technology’s sophistication has grown rapidly in recent years. Riyo’s FMVPI method is also more rigorous than the government-issued identification method of verifiable consent already approved under the COPPA Rule because, according to the FTC, FMVPI verifies that “the individual to whom the identification was issued is the same individual who is interacting with the system at that moment.” Consequently, the FTC held that Riyo’s FMVPI method is in line with the COPPA Rule and is “reasonably calculated, in light available technology, to ensure that the person providing consent is the child’s parent.”
Businesses and other entities that need to obtain COPPA-required verifiable parental consent prior to collecting, using or disclosing children’s information will likely benefit from the FTC’s approval of Riyo’s facial-recognition method, as it will allow parents to quickly provide their consent via a smartphone, tablet or other photo-enabled device that is typically within a parent’s reach. And because the FTC “does not approve one party’s specific implementation of a [consent] method or a proprietary system under the … Rule,” the FTC’s decision will also likely allow other companies to gain approval for other verifiable parental-consent methods that rely on facial-recognition systems distinct from Riyo’s FMVPI method.
A company that is interested in using facial-recognition technology in its verifiable parental-consent program should consult with counsel before employing any new mechanisms to ensure that all of its consent burdens under COPPA are met.