COPPA crowdsourcing. Yeah, really.

Share This Page

We got an interesting suggestion recently.  “With how fast technology changes, how about building in a process so companies can see if newer methods meet the requirements of existing rules?”  A related recommendation:  Crowdsourcing.  “The FTC could publicize an idea and get feedback from people.”  We’re fans of innovation, too, which is why the Children’s Online Privacy Protection Rule includes a procedure for companies to ask if methods of getting parental consent not listed in COPPA nonetheless meet the Rule’s standards.  As for crowdsourcing, we call it a notice and request for public comment — and we’ve been at it since the Truman Administration.  The FTC’s approval of a verifiable parental consent method proposed by Imperium, LLC, illustrates how the agency builds these two ideas into the policy-making process.

COPPA requires certain sites to get verifiable parental consent before collecting, using or disclosing personal information from kids under 13.  The Rule lists some options for how to do that, but also opens the door for companies to request FTC approval for other ways to get Mom or Dad's OK.  It makes sense, doesn’t it?  Rather than setting out the process in stone, COPPA was crafted with the assumption that new methods could come along that merit a close look.

Imperium recently proposed a parental consent method based on knowledge-based authentication.  That’s a way to verify a user by asking challenge questions about "out-of-wallet" information — info that can’t be determined by looking through a person’s wallet and would be tough for someone else to answer correctly.  The method may be new as far as COPPA is concerned, but financial institutions and credit bureaus have been using it for years.

Earlier this year, the FTC published Imperium’s proposal and asked for your feedback.  Based on everything in the record, the FTC sent a letter to the company OKing knowledge-based authentication as an acceptable method for getting verifiable parental consent.  But there are some caveats.  The specific process needs to use multiple-choice questions with enough options to minimize the chance of lucky guessing.  Also, the questions must be sufficiently tough so it’s unlikely a kid living in the household could figure out the answers.

Interested in weighing in on the next COPPA proposal?  Your timing couldn’t be better.  Santa Ana-based iVeriFly has asked the FTC to approve its suggested method of getting parental consent.  You’ll want to read the proposal for details, but here’s what the FTC is asking:

  1. Is iVeriFly’s proposed method already covered by existing methods in the Rule?
  2. Does it meet the Rule’s requirement that it’s reasonably calculated to ensure the person giving consent is actually the kid’s parent?
  3. When it comes to consumers’ information, what are the risks and benefits of the proposal?

The FTC is hosting a virtual flash mob where people with opinions on the subject can gather.  Actually, it’s just the link  where you can file public comments by the January 21, 2014, deadline.  But if it encourages public participation in the process to think of it that way, we’ll go with it. 

Looking for more on making your site or service COPPA complaint?  The Business Center has free resources, including a six-step compliance plan for your company.



Really interesting Lesley, thanks​!​ I think that you would be really interested in some recent research that I have come across explaining crowds and citizen science.​ ​In particular I feel you may find these two emerging pieces of research very relevant: - The Theory of Crowd Capital - The Contours of Crowd Capability Powerful stuff, no?
yes i wood agree but we steel need to trak ho has ben in awwere fiels...epesiolly our kid's....
I am for crowdsourcing too. let the FTC hear peoples ideas to help the FTC make a decision. isn't this kind of thing for sites lije or crowdsourceit? I Love technology. We are in the high tech era according to
I am also for crowdsourcing since at least, why I am so passionate about online child safety it's because I need a proper, efficient and reliable way of parental or legal guardian's consent obtaining, than just blocking kids with an excuse of "pedophiles, pornography and cyberbullying" online, or "kids should play outside and read books", even on non-commercial websites. This stuff is not what FTC studies. I am also not a U.S. citizen, not a commercial website operator or former operator (all websites I operated were totally non-commercial). I would rather request a parental/legal guardian's verification than be such a jerk.

"Out of wallet" verification method is a better approach than traditional verification methods. Or let an app do the verifying, let a person use their own fingerprint. [link deleted]

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.