WASHINGTON (12/27/13)--The Federal Trade Commission (FTC) has decided that use of certain knowledge-based authentication (KBA) methods may count as a verifiable parental consent (VPC) method under the Children's Online Privacy Protection Act (COPPA) rule..
Credit unions that operate websites or online services that collect information about children under age 13 fall under COPPA rules and must provide a COPPA notice clearly and conspicuously on their homepage.
Under COPPA rules, online sites and services directed at children must obtain permission from a child's parent or guardian before collecting personal information from that child.
The rules specify a number of acceptable methods for gaining parental consent, but also allows interested parties to submit new verifiable parental consent methods to the FTC for approval. If approved, the method can be used by the applicant or any other party.
Imperium LLC, a fraud-prevention and identity-validation company, submitted an application for approval from the FTC for its ChildGuardOnline parental consent method. In a letter to Imperium, the FTC recently stated that the use of KBA will be included in the rule as a VCP method, provided it is appropriately implemented based on factors including:
The use of dynamic, multiple-choice questions, where there are a reasonable number of questions with an adequate number of possible answers such that the probability of correctly guessing the answers is low; and,
The use of questions of sufficient difficulty that a child age 12 or under in the parent's household could not reasonably ascertain the answers.