By Ronald G. London and Bryan Thompson
The Federal Trade Commission announced on July 31 that it is seeking public comment on a new verifiable parental consent method set forth in an application submitted by Riyo under the Children’s Online Privacy Protection Act (COPPA) Rule. If approved by the FTC, Riyo’s proposed mechanism would allow entities to obtain verifiable parental consent through a two-step facial recognition process.
Under the FTC’s COPPA Rule, websites and online services that collect personal information online from children under 13 must obtain verifiable parental consent authorizing the collection, use and/or disclosure of a minor’s information. The rule also specifies several methods of gaining parental consent, and allows parties to submit and seek FTC approval of additional means for obtaining consent not currently permitted by the rule. Parties must demonstrate to the FTC that any new method is substantially different from an already approved verification method, and how it is “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.”
According to Riyo’s application, its proposed consent method would first require a parent to capture an image of his or her photo identification via a smartphone or computer camera. The parent would later provide verifiable parental consent by taking a selfie, which would then be compared against the photo identification image provided earlier. Riyo claims its process would not upload to or rely on third-party databases to verify information.
The FTC’s public comment period for Riyo’s proposal ended on September 14, and the Commission is presently reviewing the comments submitted. The Commission’s decision on Riyo’s application is expected sometime this fall. The FTC previously received five applications seeking approval of proposed verifiable parental consent methods, but has approved only the method submitted by Imperium, LLC, which uses knowledge-based authentication to confirm a parent’s identity.
Meanwhile, the FTC has denied consent method applications where the proposed method either is a variation of a method already approved under the Rule, or is not reasonably calculated to ensure that it is the parent providing consent. The FTC most recently denied an application by AgeCheq that proposed the parent enter a validation code and digitally sign on a mobile device to authenticate the parent’s ownership and approval. In denying AgeCheq’s application, the FTC claimed AgeCheq’s method “authenticate[d] the device rather than the user.”
Riyo’s two-step facial recognition process substantially differs from the methods that met with recent denials.