FTC Ending “Email Plus” Parental Consent under COPPA
The FTC came out earlier this month with a press release announcing it was seeking public comment on proposed changes to the Children’s Online Privacy Protection Rule (often referred to as “COPPA”). As many readers are probably aware, COPPA requires that operators of websites or online services directed to children under 13, or those that have actual knowledge that they are collecting personal information from children under 13, obtain verifiable consent from parents before collecting, using, or disclosing such information from children. In other words, if you run a website or online service (including a mobile app) that appeals to kids, or if you know that kids are using your service, you can’t collect, use, or disclose their personal data without getting a parent’s consent.
COPPA has needed an update for years (basically since it went into effect in 2000), so a lot of people in the interactive media space are hopeful that the FTC will figure out how to make the rule more workable while continuing to protect kids’ privacy online. The central challenge of COPPA is, and probably always will be, how publishers can get “verifiable parental consent.” The FTC’s frustration on this point is evident in their request for comment on proposed revisions, and they have proposed a number of measures to encourage businesses to come up with some solutions.
First, the Commission proposes eliminating a verification method many publishers view as the only practical one available, “email plus.” Email plus allows publishers to get parental consent by sending an email to the parent, followed by another email (or some other form of communication) confirming consent; more or less a double opt-in. This method is only available for publishers using kids’ data for purely internal purposes. If publishers want to market, share, or disclose data, more secure methods of obtaining parental consent are required. But the FTC doesn’t like email plus because it’s too easy for kids to game the system, and they think it has caused publishers to be complacent about finding better ways to get parental consent.
So, the FTC wants to ditch email plus to spur innovation. For similar reasons, the FTC wants to clarify and strengthen its COPPA safe-harbor rules, enabling publishers who are members of programs like TRUSTe to experiment with consent mechanisms “reasonably calculated” to ensure that the person providing consent is, in fact, the child’s parent. Finally, the FTC is also going to allow publishers to submit new parental-consent mechanisms directly to the Commission for a 180-day period of comment and review.
If you’ve ever worked with TRUSTe or been through an FTC regulatory process of any kind, you’re probably not terribly excited about these options. There are a lot of smart people at TRUSTe, and their certification programs serve an important purpose, but in my experience TRUSTe does not have the bandwidth or expertise to vet novel verification technologies. As far as the FTC process is concerned, 180 days is a lifetime in the interactive media space, and companies will have a hard time allocating the resources to develop, propose, and defend a verification method in this manner.
Still, there’s enough to be gained from solving the “verified parental consent” problem that some companies will take part in both of these processes. However, this prompts the question: will eliminating email plus actually do anything to encourage innovation? Being able to confirm that Internet users are who they say they are is a huge challenge generally, not just in the COPPA context. In the information security world, it’s called “authentication,” and there are already dozens of companies spending tens of millions of dollars trying to crack this nut.
I have to question the policy rationale of eliminating email plus—a practical albeit imperfect method of obtaining parental consent—to encourage innovation where there’s already plenty of incentive to develop solutions. Furthermore, given that email plus is only available for operators using data for internal purposes, it seems unlikely that the FTC’s proposal will significantly enhance kids’ privacy; yet it will almost certainly make it more difficult for kids to have an engaging experience on the web.