COPPA Verifiable Parent Consent Now Possible Using Credit Cards and App Stores
Ever since the Federal Trade Commission (FTC) first adopted regulations to implement the Children's Online Privacy Protection Act (COPPA) 15 years ago, the agency has tried to tinker with its requirements as markets and technology evolve. Any commercial business operating a website or a mobile app, especially one for which children under 13 comprise a noticeable segment of the audience, must stay up to date on the FTC's COPPA rules and guidelines, which change with the times.
Changed FTC FAQ
One of the fundamental requirements under COPPA is that a commercial website or mobile app operator must obtain “verifiable parental consent” to most collections, uses, and disclosures of personal information from children under the age of 13. In July, the FTC tweaked its COPPA requirements by amending its “Frequently Asked Questions” to address the role of credit cards and app stores in obtaining such “verifiable parental consent.” The changes generally made it easier for data collectors (known under the statute as “operators”) to rely on credit cards and app stores when obtaining the necessary consent.
One change now allows operators to collect a parent's credit or debit card number without engaging in a monetary transaction. In the past, the FTC did not allow credit cards to be used as verification absent an actual financial transaction. Now, the agency says that, even with no financial transaction, “there may be circumstances in which collection of the card number—in conjunction with” additional measures, may suffice. The FTC offers an example of supplementing a request for a card number with asking special questions for which only the parent would know the answer, but gives no other suggestions.
The FTC also addressed the role of app stores in obtaining consent in two ways. First, the agency said that an app developer can use the app store to obtain parental consent to data collection by the app as long as the developer ensures that the app store does so in a manner authorized by COPPA. The FTC did not elaborate on how an app developer would attain that assurance, beyond noting that the mere entry of an app store account name and password is not sufficient. The FTC also cautioned that the app developer “must also provide parents with a direct notice outlining your information collection practices before the parent provides his or her consent.”
Second, the FTC also noted that the app store itself is not subject to the COPPA requirements directly, because platforms are not considered “operators” under the law. However, app stores, like other commercial businesses, are subject to the FTC's general consumer protection authority and could be liable for any misrepresentations made regarding the oversight they may provide for an app that is subject to COPPA.
The FTC's latest revisions to its COPPA guidance leave open a number of questions. However, they also provide some new opportunities that may reduce the burden of obtaining parental consent, particularly in the case of mobile apps.