FPF Releases Report on Verifiable Parental Consent
Today, FPF released a new report on the effectiveness of a key federal children’s privacy requirement known as verifiable parental consent (VPC). The Children’s Online Privacy and Protection Act (COPPA) requires operators of child-directed services to provide parents with detailed, direct notice and obtain parents’ affirmative express consent – verifiable parental consent – before collecting personal information from kids. While companies are not required to use one of the Federal Trade Commission’s seven approved methods for obtaining VPC, most elect to do so.
FPF’s report, The State of Play: Is Verifiable Parental Consent Fit for Purpose?, and an accompanying infographic detail the mechanics of how VPC works; implementation challenges from both the parent and industry perspectives; and potential solutions, including alternative VPC methods and new regulatory approaches.
“Some of the same technology used to establish VPC is also the foundation for the age estimation technology required by new laws in California, Utah, and the United Kingdom,” said Jim Siegl, senior technologist with FPF’s Youth & Education Privacy team. “Utah’s law ups the stakes further by expanding age verification requirements to older and broader audiences. Understanding the challenges and opportunities posed by VPC has never been more important, as the FTC’s recent order against Edmodo makes abundantly clear. We hope this paper will inform the ongoing conversation about the privacy risks of estimating the ages of internet users and the trade-offs between the accuracy and invasiveness of VPC and age estimation technologies.”
FPF’s new report builds on a previous discussion draft and feedback from stakeholders. Based on public comments about COPPA and additional insights from parents, advocates, industry representatives, and academics, the report details unique challenges with the current VPC mechanisms and approaches, as well as potential solutions.
The identified concerns with VPC include efficacy (many VPC methods are easily circumvented by children), accessibility (not everyone has a government-issued ID or a credit card), privacy/security (concerns over sharing sensitive personal information like a credit card number or photo ID), and convenience (inconveniences in the process cause users to drop off, frustrating parents and online providers). The report also considers other potential avenues to obtaining VPC and age assurance, such as the use of mobile phone SMS or text messaging, the device’s operating system, the point of purchase or setup of a device by a parent, artificial intelligence, and profiling, as well as the associated privacy, security and accuracy tradeoffs.
“The online experience for kids has evolved tremendously in the last few years, and it is clear we need regulations and legislation that can keep up with the ever-changing digital environment and legal landscape,” said Alexa Mooney, policy counsel with FPF’s Youth & Education Privacy team. “While there is no single solution that will get us to that point, the recommendations and ideas outlined in this report provide a great place to start, and we hope will help advance this important conversation.”
To learn more, read FPF’s new report, The State of Play: Is Verifiable Parental Consent Fit for Purpose? in full, as well as its analysis of the new laws in California, Utah, and the United Kingdom that contain broader age assurance requirements.