To comply with COPPA, Internet service providers must obtain verified parental consent from parents before collecting personal information from those children of the parents who are under 13 years of age. The process for obtaining parental consent has always been an area where the FTC and companies have struggled a bit to arrive at a simple, seamless technique. Facial recognition software may ultimately provide the best solution to this quandary.
Kids Are Idiots?
COPPA has always worked off a false premise – kids are idiots. Few would argue most 12-year-olds are far more likely to understand the ins and outs of operating online than the lead sponsor of the original COPPA legislation – Sen. Richard Bryan (D-NV). While the same cannot be said for younger children protected under the law, the faulty foundations upon which COPPA are built lead to the FTC, Internet service providers, kids and parents being force-fed ineffective mechanisms that provide almost no benefit to anyone.
Consider the age gateway. General audience sites worried about children under 13 use scripts requiring visitors to check a box indicating they are not under 13 before being given access to the website. For this gateway to be effective, one must buy into two lies – kids don’t realize they will be locked out of the platform if they indicate an age younger than 13, and kids will not lie about their age. Facebook uses an age gateway, but still closes roughly 20,000 accounts a day opened by minors under 13 who take both these steps. This should tell you all you need to know about the effectiveness of such gateways.
The truth of the matter is children are not idiots contrary to the assumptions forming the basis of COPPA, and this conclusion should be applied to the parental verification process. At one time, a simple email from a parent was sufficient to obtain consent – as though a child couldn’t hop on the email account of a busy parent. Subsequent verification techniques have become more sophisticated, but the consent process is one that has always carried a whiff of potential shenanigans. Kids aren’t idiots – they’re smart. Unless a verification process contains visual evidence of consent, it’s hard to imagine a scenario where a child who really wants to access a particular site or app can’t figure out a method for doing so COPPA be damned.
In July of 2015, the FTC asked for comment on a proposal by Riyo, Inc. to use a three-step process incorporating facial recognition to establish verified parental consent. The process would work as follows:
- Parent takes a digital photo of a government identification such as a driver’s license.
- Parent takes a selfie of themselves with a smartphone.
- Parent forwards both documents to Riyo for verify their identity and provide consent with the necessary COPPA compliant documentation.
Facial recognition software is the type of technology that gives privacy advocates the willies. I tend to share this view, particularly given the aggressive data collection policies of the federal government. It is a small step from using facial recognition for verification purposes to monitoring individuals on a 24/7 basis. What was once a concern of the fringe should now be a concern for all.
Using facial recognition for COPPA parental verification may, however, be another matter entirely. The primary difference from a privacy perspective is regardless of the techniques used for verification; parents will be providing their personal information to third parties. Given this, is there a significant difference between a digital copy of the face of a parent and a faxed in version?
Facial recognition certainly seems an effective parental verification method that children will be unable to circumvent. The Riyo application with the FTC is still under consideration, so parties still have time to submit comments on the technology. I tend to favor the new approach, but encourage you to submit comments on the topic to the FTC whatever your view.
Richard A. Chapo, Esq.