The FTC staff has posted revisions to three Frequently Asked Questions (“FAQs”) related to obtaining verifiable parental consent under its COPPA Rule. For a comparison of the old and new FAQs, click here.

Although the changes (which include a new FAQ H.16) may appear substantial, they mostly reaffirm the FTC’s longstanding position that the agency’s list of approved verifiable parental consent mechanisms is not exhaustive and that companies can implement different methods as long as they meet the statutory standard of amounting to a “reasonable effort (taking into consideration available technology) . . . to ensure that a parent of a child receives notice of the operator’s personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.” 15 U.S.C. § 6501(9).

Specifically, the revisions:

  • Confirm that a credit or debit card need not be charged to obtain parental consent if the collection of the card number is combined with “other safeguards.” In the revised COPPA Rule, the FTC reaffirmed its informal policy of requiring that, under the approved verifiable parental consent method for credit cards, the credit or debit card be charged so that the parent has a record of the transaction through the monthly credit card statement. This policy previously had been embodied in the informal COPPA FAQs. The update to COPPA FAQ H.5 does not change the FTC’s position that the collection of a credit or debit card number alone is insufficient under COPPA unless the credit card is charged.  But it clarifies that the collection of a credit card number in connection with a transaction is not the only way in which credit or debit cards can be used to obtain verifiable parental consent.  While there are a variety of other safeguards that should meet the statutory verifiable parental consent standard, the FTC staff lists as one option “supplement[ing] the request for credit card information with special questions to which only parents would know the answer and find[ing] supplemental ways to contact the parent.”
  • Reiterate that a mobile app developer can rely on an app store to obtain parental consent on its behalf.  The new COPPA FAQ retains the staff’s prior guidance that the entry of a parent’s app store account number or password is not itself sufficient to meet the verifiable parental consent standard, but that a parent’s app store account can be used as a COPPA-compliant parental consent method when coupled with other indicia of reliability and meets COPPA’s other requirements (such as the direct notice requirement).  The revisions make it clearer that, in such circumstances, a third party (i.e., the app store) obtains consent on the mobile app developer’s behalf.
  • Reiterate that third-party platforms, such as app stores, can develop “multiple-operator” parental consent solutions for the applications that run on top of the platform, while clarifying that such offerings do not expose platforms to legal liability under COPPA.  In its revised COPPA Rule, the FTC declined to add “platform” or “multiple-operator” methods to the list of approved parental consent methods, but spoke favorably of these types of common consent mechanisms and concluded that “nothing forecloses operators from using a common consent mechanism so long as it meets the Rule’s basic notice and consent requirements.”  78 Fed. Reg. 3972, 3990 (2013).  The revised COPPA Rule also made clear that “marketplace platforms” do not become subject to COPPA solely by enabling app developers to offer child-directed apps on the platform.  Id. at 3976.  New COPPA FAQ H.16 clarifies that, similarly, third-party platforms will not be exposed to legal liability under COPPA solely for developing and offering “platform” or “multiple-operator” parental consent solutions.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.