United States: The FTC, COPPA, And Riyo's "Face Match To Verified Photo Identification"

The FTC's COPPA (the Children's Online Privacy Protection Act) Rule requires website operators to obtain "verifiable parental consent" prior to collecting, using, or disclosing personal information from children. Though the COPPA Rule enumerates several methods for obtaining consent, the FTC, sensitive to how fluid technological developments in this space can be, also allows pre-approval of new methods not listed in the Rule. 16 CFR 312.12(a). (As I previously blogged, the Rule also allows for broader safe harbors consisting of comprehensive "self-regulatory guidelines," of which parental consent methods can be a part.)

Last week, the FTC called for public comment on a proposed method from Jest8 Limited (trading as Riyo) that is a good example of why the FTC allows new methods to be proposed as time goes on. In contrast to 16 CFR 312.5(b)'s somewhat-quaint "consent form to be signed by the parent and returned to the operator by postal mail, facsimile, or electronic scan," Riyo proposes a method based on what it calls "Face Match to Verified Photo Identification." Essentially, the parent would first use a phone camera or webcam to take a picture of some kind of photo identification (a driver's license, for example). The parent would then use a camera to take a picture of his or her face, and verification would be approved (or not) by facial recognition software.

• Ultimately, the FTC will decide whether to approve the method based on three criteria:
• Is the method substantially different from a method already enumerated in 16 CFR 312.5(b)?
• Is it reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent?
  Does the method pose a risk to consumers' personal information and, if so, does the benefit of the method outweigh that risk?

It seems fair to say that facial recognition is substantially different from methods enumerated in 16 CFR 312.5(b). Whether it satisfies the other criteria will be for the FTC to decide, based upon the application and comments from the public.

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.