As a general rule, the Children’s Online Privacy Protection Act (COPPA) requires operators of websites (including mobile apps) directed to children under the age of 13 to obtain verifiable parental consent before collecting personal information from those users. COPPA sets forth a non-exhaustive list of acceptable methods for obtaining parental consent. For example, operators can ask parents to sign and return a consent form by U.S. mail, fax, or electronic scan, or they can direct parents to call a toll-free telephone number staffed by trained personnel, among other methods. Needless to say, many of the currently sanctioned methods are impractical and ill-suited to the pace of technology today, particularly mobile usage habits.
One company, Riyo, Inc., is currently seeking approval from the Federal Trade Commission (FTC) for a two-step facial recognition process that would require a parent to take a picture of his or her photo identification and then take a “selfie” using a smartphone or computer camera. The parent would then send the two pictures to the operator for review. If the pictures were determined to be authentic and to match, parental consent would be deemed verified.
The FTC recently announced that it is delaying its decision on the proposed method until November 18. While the proposal would appear to offer a practical alternative to some of the more outmoded methods of obtaining parental consent, it comes with its own privacy concerns. How would the photos be analyzed and with whom would they be shared? Where would the photos be stored and what security measures would be in place to prevent improper disclosure of the information submitted by parents?
The Riyo proposal is another good example of the challenges and tensions in the world of digital privacy. It will be interesting to monitor the FTC’s response as an indicator of the agency’s adaptability (or caution) in the fast-changing digital marketplace.