Under the Children’s Online Privacy Protection Act (COPPA), operators of certain websites, mobile applications, and other online services must provide parents notice and obtain verifiable parental consent before collecting, using, or disclosing personal information from children under the age of 13 online. The FTC has approved a new facial recognition-based method to comply with COPPA, under which parents may consent by submitting a picture of their government-issued ID and a picture of themselves (a “selfie”).
Jest8 Ltd., trading as Riyo, proposed the new “face match to verified photo identification” system to the FTC last July. According to the application, the parent begins by using a mobile phone or computer to take a picture of the parent’s photo identification (such as a driver’s license), which is authenticated by “computer vision technology, algorithms and image forensics” by examining “fonts, holograms, microprint, and other details coded in the document.” The parent then uses the Riyo software to take a picture of him- or herself. To ensure that the parent is physically present (as opposed to a child submitting another picture of the parent), the software detects slight facial movements. Finally, the live image and the image from the ID are compared by facial recognition algorithms and a live agent to validate that the person providing consent is the same person in the photo identification, after which the parent’s information is deleted.
The FTC granted Riyo’s application, analogizing it to the already-approved method of “[v]erifying a parent’s identity by checking a form of government-issued identification against databases of such information.” Indeed, the FTC found that the newly proposed method was “more rigorous than the existing approved method” due to its inclusion of facial recognition technology to ensure the parent is “interacting with the system at [the] moment [of verification].” Further, the Commission highlighted Riyo’s statements that its software could capture and check the parent’s age from the submitted ID, that the software encrypts sensitive data, and that Riyo and its service providers would “promptly delete” any parental information within five minutes of verification.
To date, the FTC has only approved one other industry-proposed verification mechanism, which relies on asking the parent a series of challenge questions. Approval of Riyo’s facial-recognition approach may provide companies additional flexibility when designing new verifiable parental consent mechanisms because approved methods may be used by any company, not just the specific company that sought approval.