Verifiable parental consent is required under COPPA to make sure parents know what information is shared with whom. If a company is covered by COPPA, it must get parents’ “verifiable” consent before collecting, using or disclosing personal information (PI) from their kids. An operator must choose a method reasonably designed in light of available technology to ensure that the person giving the consent is the child’s parent/guardian.
Getting permission from a parent can be done in different ways. First, what constitutes personal information?
COPPA defines personal information to include:
- First and last name
- A home or other physical address including street name and name of a city or town
- Online contact information
- A screen or user name that functions as online contact information
- A telephone number
- A social security number
- A persistent identifier that can be used to recognize a user over time and across different websites or online services
- A photograph, video, or audio file, where such file contains a child’s image or voice
- Geolocation information sufficient to identify street name and name of a city or town
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above
How Do Online Operators Get Consent?
- Collect parent’s online contact information from child
  - Typically email address; cannot be cell phone number
- Contact parent
  - Provide “Just in Time” direct notice to parent
    - Description of the personal information operator has collected, what else will be collected
    - Purpose of the notification
    - What action parent must take, if any
    - Use operator will make of information
    - Must contain certain additional disclosures
    - Must include names of all operators collecting personal information through the site/service
- Take “reasonable steps” to verify parent
  - Rule provides a sliding scale of methods, depending on risk associated with the activity in which the child wants to engage
Obtaining Verifiable Parental Consent
Instead of having kids cheat the system, there are legitimate ways a parent’s identity can be verified. Here are examples of reasonable steps:
- Providing a consent form to be signed by the parent, returned by mail, facsimile or electronic scan
- Requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or another online payment system that provides notice of each discrete transaction
- Having a parent call a toll-free telephone number staffed by, or connect by video conference to, trained personnel
- Having a parent provide a form of government-issued ID that is checked against a database
- Providing knowledge-based challenge questions that would be difficult for someone other than the parent to answer
- Verifying a picture of a driver's license or other photo ID submitted by the parent and then comparing that photo
At PRIVO we provide identity verification services to ensure that your business is compliant when it comes to obtaining verifiable parental consent. We make parental verification easy, convenient, and scalable, reducing the negative impact on your conversion rate. As an FTC-approved COPPA Safe Harbor, PRIVO is authorized to sanction new identity and consent mechanisms that can be relied upon for COPPA compliance. Work with us to design your own method.