FTC Updates COPPA FAQs on Parental Consent Mechanisms
This week, the Federal Trade Commission announced the latest revisions to its Frequently Asked Questions (“FAQs”) document to assist online operators as they work to comply with changes to the Children’s Online Privacy Protection (“COPPA”) Rule that went into effect on July 1, 2013. The updated FAQs provide the following expanded guidance on verifiable parental consent (“VPC”) mechanisms under the Rule:
- Credit or Debit Card Number: The FTC revises FAQ H.5 to recognize that an operator may collect a credit or debit card number without engaging in a monetary transaction, if the method is “reasonably calculated” to ensure that consent is being provided by the parent. For example, an operator could supplement the request for credit card information with special questions to which only parents would know the answer and find supplemental ways to contact the parent. This is a change from the FTC’s previous FAQ, which required all credit or debit card numbers to be coupled with a monetary transaction.
- Reliance on Third Party Platforms to Obtain VPC: The FTC revises FAQ H.10 to allow app developers to rely on VPC obtained by a third party, such as an app store, if the developer provides parents with a direct notice outlining its information collection practices before the parent provides consent. The operator, however, must ensure that the third party is obtaining consent in a way that is reasonably calculated to ensure the person providing the consent is the parent. Merely allowing a parent to enter an app store account number or password would not be enough to guarantee that it is the parent, and not the child, entering the information.
- Third Party Platform Liability for Obtaining VPC: In connection with FAQ H.10, the FTC provides a new FAQ H.16 for app stores providing a VPC mechanism for operators to use. The FTC recognizes that, because app stores are not “operators” under COPPA, they will not be liable under COPPA for failing to investigate the privacy practices of the operators for whom they obtain consent. The FTC cautions such third parties that they may nonetheless be liable under Section 5 of the FTC Act if, for example, they overstate the level of oversight provided for a child-directed app.