FTC Updates COPPA Verifiable Consent Guidance

The Federal Trade Commission (FTC) has updated its Children's Online Privacy Protection Act (COPPA) FAQs. Under the COPPA Rule, an operator must obtain verifiable consent from a parent before collecting any personal information from a child, whom the FTC defines as under the age of 13. See 16 C.F.R. § 312.5(c). The update provides additional guidance in three areas: (1) obtaining credit card numbers as consent; (2) relying on third parties to obtain consent on one's behalf; and (3) potential liability of third-party providers of verifiable consent solutions.

"the mere entry of an app store account number or password, without more, would not be reasonably calculated to ensure that the person providing consent is the child’s parent"

1. Credit Card Consent - In past guidance, the FTC listed use of a credit card, debit card, or other online payment system in connection with a monetary transaction as one method by which an operator could verify that a person providing consent is the parent. In this update, the FTC clarifies that an operator may not need to make a charge on a credit card or other payment method, so long as, in addition to collecting a credit card or account number, the operator asks other special questions to which only parents would know the answers and finds supplemental ways to contact the parent.

2. Use of a Third Party to Get Consent on One's Behalf - The FTC further clarifies that an operator may use a third party such as an app store to obtain parental consent on the operator's behalf, as long as the operator makes sure COPPA requirements for obtaining consent are being met by that third party. The FTC notes that the mere entry of an app store account number or password, without more, would not be reasonably calculated to ensure that the person providing consent is the child’s parent.  The FTC also reminds operators to provide parents with a direct notice outlining the operator's information collection practices before obtaining consent.

3. Liability of Third Party Provider of Verifiable Consent Mechanism - The FTC in the most recent COPPA Rule expanded potential liability to certain third parties.  The FTC now considers third parties, such as advertising network services and plug-in developers, who gain actual knowledge that they have collected personal information from a website directed to children to be operators subject to COPPA.  In this update, the FTC clarifies that a third party provider of a verifiable consent mechanism to a website directed toward children would not be an "operator" subject to liability under COPPA.  The FTC warns, however, that while not subject to COPPA, a third party provider obtaining verifiable consent on behalf of an operator could face potential liability under Section 5 of the FTC Act if the provider misrepresents the extent of its oversight of the privacy practices of a child-directed app.