After giving the mobile app industry a few years of heartburn over the breadth and ambiguity of its expanded Children’s Online Privacy Protection Act (COPPA) Rule, the Federal Trade Commission has gradually begun to provide some much-needed clarity.
Earlier this month, the FTC revised three portions of “Part H” in its online FAQs, which deal with how entities subject to COPPA may obtain verifiable parental consent.
One of COPPA's key methods of protecting children's privacy is to require companies to give notice to parents and obtain verifiable parental consent before collecting personal information. The FTC implements COPPA by means of its "COPPA Rule." When the FTC rewrote this Rule in 2012, it expanded the breadth of activities covered by the Rule without offering much guidance on how to comply with it.
Now, Part H.5 of the FAQ gives more credence to the use of credit card or debit card numbers as a means of verifying parental consent. The Rule already allows these financial numbers to suffice as consent when given in connection with a monetary transaction. But companies wanted the ability to use the numbers for this purpose even when money doesn't change hands, and the FTC listened. Part H.5 now says:
So the number alone is not enough, but it can suffice when combined with "other" security protocols that are “reasonably calculated” to ensure that the consent is being provided by the parent.
Another important update comes in FAQ H.10, which clarifies that the app stores selling the app can be the entity that collects the parental consent on the app developer's behalf. The FTC warns developers, however, that they still retain the responsibility for "ensur[ing] that COPPA requirements are being met." To underscore the point, FAQ H.16 has also been amended to clarify that app stores are not liable under COPPA.
How can app developers verify that the app stores are providing them what they need to comply with COPPA? The FTC has a few suggestions:
These updates do not ease COPPA's burden on app developers. But every bit of guidance from the FTC in complying with the Act's often-tricky requirements is welcome.