The FTC staff has posted revisions to three Frequently Asked Questions (“FAQs”) related to obtaining verifiable parental consent under its COPPA Rule. For a comparison of the old and new FAQs, click here.

Although the changes (which include a new FAQ H.16) may appear substantial, they mostly reaffirm the FTC’s longstanding position that the agency’s list of approved verifiable parental consent mechanisms is not exhaustive and that companies can implement different methods as long as they meet the statutory standard of amounting to a “reasonable effort (taking into consideration available technology) . . . to ensure that a parent of a child receives notice of the operator’s personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.” 15 U.S.C. § 6501(9).

Specifically, the revisions:

  • Confirm that a credit or debit card need not be charged to obtain parental consent if the collection of the card number is combined with “other safeguards.” In the revised COPPA Rule, the FTC reaffirmed its informal policy of requiring that, under the approved verifiable parental consent method for credit cards, the credit or debit card be charged so that the parent has a record of the transaction through the monthly credit card statement. This policy previously had been embodied in the informal COPPA FAQs. The update to COPPA FAQ H.5 does not change the FTC’s position that the collection of a credit or debit card number alone is insufficient under COPPA unless the credit card is charged.  But it clarifies that the collection of a credit card number in connection with a transaction is not the only way in which credit or debit cards can be used to obtain verifiable parental consent.  While there are a variety of other safeguards that should meet the statutory verifiable parental consent standard, the FTC staff lists as one option “supplement[ing] the request for credit card information with special questions to which only parents would know the answer and find[ing] supplemental ways to contact the parent.”
  • Reiterate that a mobile app developer can rely on an app store to obtain parental consent on its behalf. The new COPPA FAQ retains the staff’s prior guidance that the entry of a parent’s app store account number or password is not itself sufficient to meet the verifiable parental consent standard, but that a parent’s app store account can be used as a COPPA-compliant parental consent method when it is coupled with other indicia of reliability and meets COPPA’s other requirements (such as the direct notice requirement). The revisions make it clearer that, in such circumstances, a third party (i.e., the app store) obtains consent on the mobile app developer’s behalf.
  • Reiterate that third-party platforms, such as app stores, can develop “multiple-operator” parental consent solutions for the applications that run on top of the platform, while clarifying that such offerings do not expose platforms to legal liability under COPPA.  In its revised COPPA Rule, the FTC declined to add “platform” or “multiple-operator” methods to the list of approved parental consent methods, but spoke favorably of these types of common consent mechanisms and concluded that “nothing forecloses operators from using a common consent mechanism so long as it meets the Rule’s basic notice and consent requirements.”  78 Fed. Reg. 3972, 3990 (2013).  The revised COPPA Rule also made clear that “marketplace platforms” do not become subject to COPPA solely by enabling app developers to offer child-directed apps on the platform.  Id. at 3976.  New COPPA FAQ H.16 clarifies that, similarly, third-party platforms will not be exposed to legal liability under COPPA solely for developing and offering “platform” or “multiple-operator” parental consent solutions.

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.