For the first time since 2015, the Federal Trade Commission (FTC) has been asked to approve a new “verifiable parental consent” (VPC) method under the Children’s Online Privacy Protection (COPPA) Rule. Under COPPA, operators of online sites and services “directed to children” under 13 must obtain VPC before collecting personal information from a child online. The COPPA Rule enumerates several acceptable methods for obtaining VPC, but also allows interested parties to submit new VPC methods to the FTC for approval. The FTC has announced that the Entertainment Software Rating Board (ESRB), which operates a COPPA safe harbor program, along with Yoti Ltd., a digital identity company that offers identity verification, age assurance, reusable digital identity, and e-signature solutions, and SuperAwesome Ltd., which provides technology to help companies comply with parental verification requirements, submitted an application for a new VPC method utilizing “Privacy-Protective Facial Age Estimation,” which is designed to analyze the geometry of a parent’s face to confirm that they are an adult.

Facial Age Estimation Overview

According to the application, to use facial age estimation, the parent takes a selfie “assisted by an auto face capture module that guides the positioning of their face in frame. The system then checks whether there is a live human face in the frame and requires the image to be captured in the moment.” The Yoti system then takes the captured selfie, converts it into numbers, and compares the new numbers to patterns in its training dataset that are associated with known ages. For parental verification purposes, the operator then receives a yes/no result regarding whether the image meets a designated age threshold. The review process typically takes less than one second. Images submitted for parental verification purposes are immediately and permanently deleted and not used for training purposes.

The application further notes that regulators have approved of facial age estimation technology in privacy and other regulatory contexts. For example, the French data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL) noted in a 2023 blog post that it considers acceptable the use of age verification by validation of a payment card or a process of facial age estimation based on facial analysis without facial recognition.  Similarly, in 2021, the U.K. Information Commissioner (ICO) conducted a voluntary audit of Yoti’s app and concluded that Yoti’s approach was consistent with the requirements of the GDPR and UK AADC.

Using the method described above, more than 4.8 million age estimations for legally required parental consent have been completed in other jurisdictions (including, e.g., the U.K.), and according to the applicants, the system correctly estimates that someone is an adult 99.97% of the time.

Facial Age Estimation as a VPC Mechanism

The application includes a proposal for integrating facial age estimation into a COPPA VPC flow. After neutral age screening, collection of the parent’s email address from the child, and delivery of the direct notice to the parent’s email, the operator would inform the parent that it must verify that they are an adult. The parent would then be given several verification options, and if facial age estimation is selected, the VPC mechanism would:

  • Provide the parent notice of how facial age estimation works and request consent for the collection of the face scan for VPC.
  • Request parental consent to access the camera on the device.
  • Require the parent to face the camera to facilitate the liveness test and selfie.
  • Conduct age estimation and delete the image.
  • Provide results of age estimation to the operator, confirming whether the parent is over the configured age threshold.

Facial Age Estimation COPPA Compliance

The application makes the following primary points in favor of approval of the VPC mechanism:

  • Distinct: The application states that the FTC “has not approved a VPC method that involves facial analysis without requiring additional personal information.”  The facial age estimation only requires the adult’s selfie, as compared to the Face Match to Verified Photo Identification (FMVPI) approved by the FTC in 2015, which requires the parent to submit a photo and additional personal information (e.g., a government-issued ID) to perform a one-to-one match.
  • Reasonably calculated in light of available technology to ensure that the person providing consent is the child’s parent: Facial age estimation uses available technology to make it easy for the parent to provide consent while making it difficult for the child to pose as the parent. The application further states that although currently approved VPC methods establish that the person is an adult, no method definitively authenticates the parent-child relationship.
  • Promotes child and parent privacy without bias, discrimination, or inclusion issues: Facial age estimation is designed with privacy and data minimization principles in mind for both children and parents.It does not require registration or identity evidence, nor does it retain any information about parents. Finally, the method addresses issues like inclusion, bias, and discrimination by providing a VPC method to parents who do not have a social security number or who do not have access to a payment card.

FTC Public Comment Period

The FTC has requested public comment on the application. The public comment period closes August 21, 2023.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Janis Kestenbaum Janis Kestenbaum

Janis Kestenbaum is a partner in the Privacy & Security practice and Advertising, Marketing & Promotions industry group. Janis represents companies under investigation by the Federal Trade Commission (FTC), state attorneys general, congressional committees, and foreign data protection authorities regarding privacy, data security…

Janis Kestenbaum is a partner in the Privacy & Security practice and Advertising, Marketing & Promotions industry group. Janis represents companies under investigation by the Federal Trade Commission (FTC), state attorneys general, congressional committees, and foreign data protection authorities regarding privacy, data security, and consumer protection issues.

Photo of Calvin Cohen Calvin Cohen

Calvin Cohen counsels clients on compliance with privacy laws and regulations, and represents clients in privacy-related regulatory enforcement actions and litigation matters.

Photo of Evan Davis Evan Davis

Evan Davis advises clients in the technology, consumer products, retail, and video gaming industries on varied privacy and data protection matters.