FTC Updates COPPA Guidance: Six-Step Compliance Plan for Your Business

Written by Michelle Anderson and Samantha Glazer

In a June 21, 2017 blog post, the FTC announced updates to its Six-Step Compliance Plan for Your Business under the Children’s Online Privacy Protection Act (COPPA). The revisions make clear that the FTC considers new business models (e.g., voice-activated devices) and products (e.g., connected toys) to be covered under COPPA. The changes also reflect two methods for obtaining parental consent that the FTC approved in the past few years: (1) asking knowledge-based authentication questions and (2) using the Face Match to Verified Photo Identification method.

In December 2013, the FTC approved use of knowledge-based authentication (KBA) questions as a verifiable parental consent (VPC) method. KBA involves the use of dynamic multiple-choice questions with a “reasonable” number of questions and an “adequate” number of possible answers to lower the probability of another individual guessing the correct answers. The level of difficulty of these questions should be such that a child 12 years or younger “could not reasonably ascertain the answers.”

In November 2015, the FTC approved the use of Face Match to Verified Photo Identification (FMVPI). This method involves a two-step process using facial recognition technology. The first step is for a parent to take a photo of his/her government-issued identification using a phone’s camera or a webcam. The FMVPI system then verifies the authenticity and legitimacy of the identification document. Upon verification, the system prompts the parent to use the same phone camera or webcam to take a photo of his/her own face. The system then matches that photo with the verified government ID photo. If the photos match, consent is deemed given, and the identification information submitted by the parent should be deleted within five minutes.