Trade Law Daily is a service of Warren Communications News.
What’s FTC Role?

Comments on AgeCheq Proposal Highlight COPPA Enforcement Debates

Disagreements over the FTC’s role in enforcing the Children’s Online Privacy Protection Act (COPPA) spilled into comments due Tuesday on AgeCheq’s verifiable parental consent (VPC) method application. In August, AgeCheq filed its VPC application, proposing a central location where parents can control their child’s access to numerous apps and websites (WID Aug 26 p1).

Detractors argued the application doesn’t propose a new form of verification. So the FTC should dismiss it, they said. “This application is mooted by the fact that it proposes no new VPC method,” said the Center for Digital Democracy. CDD said the proposal violates COPPA because it enables “children to impersonate their parents and approve all future information collection by any app.” CDD, in comments not yet posted, called on the FTC to open a COPPA investigation.

Defenders said the current VPC landscape makes it impossible to manage consent and forces parents and apps to disobey COPPA rules. “Parents have been turned into a nation of liars,” said Jules Polonetsky, executive director of the tech industry-backed Future of Privacy Forum, in an interview. The FTC should use its latitude to consider creative solutions that encourage COPPA compliance, even if it’s not a novel verification solution, AgeCheq defenders said. The application presents “an ease of use thing, but you certainly want the FTC to have a look at it,” Polonetsky said.

The back-and-forth is indicative of broader debates over the FTC and COPPA compliance following a COPPA rules update (WID July 1 p1). If industry is to create COPPA-compliance solutions, it needs FTC guidance, industry officials have told us. Decisions on these applications provide that, Polonetsky said. More enforcement actions also provide guidance, industry and privacy representatives have told us. After the FTC restarted publicly announced COPPA enforcement actions, observers remained confused over the commission’s interpretation of consent requirements (WID Sept 18 p1).

AgeCheq calls its proposal in its application a “consent management platform” (http://1.usa.gov/VOjSHZ). App developers, websites and third-party advertisers submit their data collection information and parents select what level of consent they want to give for each app, website or advertiser.

“One of the big challenges for app developers has been the limited options for getting parental consent,” Polonetsky told us. AgeCheq addresses this problem, said several commenters. The “one-to-many approach,” said COPPA researcher Greg Kudasz, “will bring many publishers into compliance” (http://1.usa.gov/1xynEpz). Children’s app developer Famigo commented: “By making it easier for guardians to act as the fiduciary of their child’s personal information and facilitating timely disclosures by developers, AgeCheq provides a valuable, mobile-first solution that safeguards the privacy of children under the age of 13” (http://1.usa.gov/1rC8dIe). The Application Developers Alliance has also promoted AgeCheq’s offering as a convenient, privacy-oriented, COPPA-compliance product.

AgeCheq inadequately illustrated the technology it will use to achieve its goals, CDD said. Even worse, CDD said the company is actively “deceiving its customers, treating parents unfairly.” The application “suggests strongly that the company is acting deceptively and unfairly, in breach of the FTC Act and COPPA,” said CDD Legal Director Hudson Kingston in a statement.

AgeCheq’s stated verification methods -- financial transactions and print-and-send verification -- arise from the original COPPA, which is over a decade old, CDD said. Overall, the application is composed of “vague charts,” “extraneous content,” “redacted empty space” and “superfluous footnotes,” said CDD. “Nowhere in this document does the company offer technical specifications of how it purports to do any of the things it claims to do, nor does it rely on studies or industry practice to validate its proposal.” The application’s videos demonstrating the technology raise concerns that children could easily gain access to their parents’ accounts and, “with a single click, provide themselves with seamless approval for all current and future app data collection,” CDD said. That’s a privacy risk, the organization said.

Some FTC-approved safe harbors believe they should be the go-to for VPC method applications, like AgeCheq’s, which present unique COPPA-compliance approaches without novel VPC methods (WID Aug 28 p1). “Safe harbor is a different program,” Polonetsky said. “It’s the way you can be part of a self-regulatory effort.” While all companies must be COPPA compliant, he said that “we can’t mandate that every single company that gets parental consent be in the safe harbor.”

The FTC had declined to rule on iVeriFly’s VPC method application because the verification methods -- using Social Security numbers and knowledge-based questions -- were already approved under COPPA (WID Feb 26 p7). AgeCheq declined to comment.