The Federal Trade Commission (“FTC”) recently approved a new method of verifiable parental consent — knowledge-based authentication (“KBA”) — as consistent with the requirements of the Children’s Online Privacy Protection Act (“COPPA”). COPPA generally requires operators of websites or online services that are directed to children under 13 or that have actual knowledge that they are collecting personal information from children under 13 to provide notice and obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13. The FTC’s regulations implementing COPPA (the “COPPA Rule”) outline certain approved methods of verifiable parental consent and establish a voluntary process whereby companies may submit a formal application to have new methods of parental consent considered by the FTC.
On December 23, the FTC approved the application of Imperium, LLC and determined that KBA, when properly implemented, is an acceptable method of verifiable parental consent under the COPPA Rule. KBA presents parents with dynamic, multiple choice “challenge” questions that test “out-of-wallet” information — information that is not ascertainable from the contents of an individual’s wallet and that would be difficult for someone other than the individual to know. In order to qualify as a method of verifiable parental consent, the KBA questions must be sufficiently difficult that a child under 13 could not reasonably know the answers. The questions are not general knowledge questions but rather questions about the specific person answering the questions. For example, in its application, Imperium suggested that KBA questions might ask about old addresses or phone numbers. The FTC’s letter approving KBA notes that financial institutions and credit bureaus have used KBA for many years.