Knowledge-Based Authentication Approved as Method to Verify Parental Consent Under COPPA
On December 23, 2013, the Federal Trade Commission (“FTC”) issued a letter approving the use of knowledge-based authentication as a method of obtaining prior verifiable parental consent under its new Children’s Online Privacy Protection Act (“COPPA”) Rule, 16 C.F.R. Part 312 (“Amended Rule”). The Amended Rule not only expanded the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent but it instituted a pre-approval mechanism for methods not already detailed in the Amended Rule (among several other changes, all of which are discussed in our post analyzing the Amended Rule). With this revision, anyone seeking approval for a novel consent method can present a detailed description of the proposed parental consent mechanism along with an analysis of how it is “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.” 2012 SBP, 78 FR 3972, 3987.
In August 2013, Imperium LLC (“Imperium”), the owner and operator of ChildGuardOnline, a service that assists others in obtaining verifiable parental consent on their websites, submitted a proposal containing a new method for obtaining verifiable parental consent—knowledge-based authentication. In its sophisticated form, knowledge-based authentication uses challenge questions that cannot be answered by material readily available in the individual’s household, or what are referred to by the FTC as “out of the wallet” questions, to authenticate an individual’s identity.
In its letter to Imperium, the FTC approved the use of knowledge-based authentication “provided it is appropriately implemented based on factors including:
- the use of dynamic, multiple-choice questions, where there are a reasonable number of questions with an adequate number of possible answers such that the probability of correctly guessing the answers is low; and
- the use of questions of sufficient difficulty that a child age 12 or under in the parent’s household could not reasonably ascertain the answers.”
Federal Trade Commission, In re: Imperium, LLC Proposed Verifiable Parental Consent Method Application (FTC Matter No. P135419) (December 23, 2013).
The letter did not detail what other factors the FTC may consider in determining whether knowledge-based authentication has been appropriately implemented, what a “reasonable” number of questions or an “adequate” number of answers is, or what makes a question “sufficiently difficult” that a child could not ascertain the answers. However, the letter approvingly referenced the use of knowledge-based authentication by other federal bodies (such as the Federal Financial Institutions Examination Council (“FFIEC”)), and the following additional guidance can be gleaned from the FFIEC’s paper on the topic:
- Questions that could easily be answered by conducting an Internet search are not sufficiently difficult (e.g., mother’s maiden name, high school the individual graduated from, year of graduation from college, etc.).
- Including a “red herring” answer choice that could mislead a child, but that the parent would recognize as nonsensical, further increases the reliability of the authentication process.
- Multiple questions should be employed in a single session.
- Not all of the available questions should be exposed in a single session, so that a failed or observed session does not reveal the whole question pool.
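The FTC factors and the FFIEC guidance above can be read as a concrete design: draw a subset of questions from a larger pool each session, randomize the order of the multiple-choice answers, append a red-herring option the parent will recognize as inapplicable, and require enough questions and choices that the chance of guessing every answer stays below a policy threshold. The Python below is an added illustration of that design; it is not code from the FTC letter, the FFIEC paper or Imperium’s ChildGuardOnline service. The question texts, answers, names and the 1% guess-probability threshold are constructed assumptions for the example.

```python
"""Knowledge-based authentication (KBA) session builder (added example).

Illustrates the implementation factors discussed above: dynamic questions
drawn from a pool, shuffled multiple-choice answers, a red-herring choice,
a guess-probability policy, and never exposing the whole pool at once.
All question data here is constructed and hypothetical.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    prompt: str
    correct: str
    decoys: tuple  # plausible but wrong answers of the same kind as the correct one


# Constructed "out of the wallet" questions: answers that are not on cards or
# paperwork a child in the household could read. Every value is hypothetical.
QUESTION_POOL = (
    Question("Which of these streets have you previously lived on?",
             "Maple Crest Dr", ("Orchard Ln", "Birchwood Ct", "Harbor View Rd")),
    Question("Which lender serviced your auto loan in 2009?",
             "Northfield Credit Union", ("Summit Auto Finance", "Lakeside Bank", "Pioneer Lending")),
    Question("In which county was your first mortgage recorded?",
             "Dane", ("Rock", "Sauk", "Jefferson")),
    Question("Which of these employers appears in your credit file?",
             "Granite Ridge Logistics", ("Bluewater Systems", "Prairie Foods", "Cedar Health")),
    Question("What was the approximate original amount of your student loan?",
             "$12,000", ("$4,000", "$25,000", "$40,000")),
    Question("Which phone area code was previously associated with you?",
             "608", ("414", "262", "920")),
)

# Red herring: a parent knows one of the listed answers applies, so this
# option is never correct here; a child guessing may well pick it.
RED_HERRING = "None of these apply to me"


@dataclass
class Challenge:
    prompt: str
    choices: tuple
    correct_index: int  # kept server-side; never sent to the client


def guess_probability(num_questions: int, num_choices: int) -> float:
    """Chance that a blind guesser answers every question in a session correctly."""
    return (1.0 / num_choices) ** num_questions


def policy_ok(num_questions: int, num_choices: int, max_guess_probability: float = 0.01) -> bool:
    """Policy check: is the session hard enough to guess? (1% threshold is an assumption.)"""
    return guess_probability(num_questions, num_choices) <= max_guess_probability


def build_session(pool, num_questions: int, rng: random.Random, max_guess_probability: float = 0.01):
    """Draw a random subset of the pool and shuffle each question's answer choices.

    Presenting a subset means no single session (observed or retried by a child)
    exposes every question, and each session differs in content and order.
    """
    if num_questions >= len(pool):
        raise ValueError("a session must not expose the whole question pool")
    challenges = []
    for q in rng.sample(list(pool), num_questions):
        options = [q.correct, *q.decoys]
        rng.shuffle(options)
        options.append(RED_HERRING)  # always present, always wrong in this example
        challenges.append(Challenge(q.prompt, tuple(options), options.index(q.correct)))
    num_choices = min(len(c.choices) for c in challenges)
    if not policy_ok(num_questions, num_choices, max_guess_probability):
        raise ValueError("session does not meet the guess-probability policy")
    return challenges


def client_view(challenges):
    """The only data sent to the browser: prompts and choices, no answer keys."""
    return [{"prompt": c.prompt, "choices": list(c.choices)} for c in challenges]


def correct_answers(challenges):
    """Server-side answer key (used by tests and to grade a submission)."""
    return [c.correct_index for c in challenges]


def verify(challenges, answers) -> bool:
    """All-or-nothing grading that checks every answer rather than stopping at the
    first miss, so the yes/no result does not reveal which question failed."""
    if len(answers) != len(challenges):
        return False
    misses = 0
    for c, a in zip(challenges, answers):
        misses += int(a != c.correct_index)
    return misses == 0


def demo_session(seed: int = 7, num_questions: int = 3):
    """Deterministic session for demonstration; use random.SystemRandom() in production."""
    return build_session(QUESTION_POOL, num_questions, random.Random(seed))


if __name__ == "__main__":
    session = demo_session()
    for item in client_view(session):
        print(item["prompt"])
        for i, choice in enumerate(item["choices"]):
            print(f"  [{i}] {choice}")
    print("guess probability:", guess_probability(3, 5))
```

With three questions of five choices each, a blind guesser succeeds 0.8% of the time per session, which is why the example also needs an attempt limit and a cooling-off period around `verify` in a real deployment; the FTC letter leaves the actual numbers to the implementer, and the threshold here is only an assumption.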
With the FTC’s approval, knowledge-based authentication is now available to any operator as a method of obtaining verifiable parental consent under the Amended Rule, subject to its appropriate implementation in light of the non-exhaustive list of factors detailed by the FTC in the letter.