FTC approves facial recognition to verify parental consent under COPPA
The U.S. Federal Trade Commission has allowed a new verification method that uses facial recognition technology and photographs of parents captured by a smartphone or webcam when providing consent for a child to use an online service, under the Children’s Online Privacy Protection Act, according to a report by IDG News Service.
Before the FTC's approval, the proposal to include facial recognition technology went through a long process of debate, including public comment.
Under the current rules of the Children’s Online Privacy Protection Act, parents are allowed to mail, fax or send electronic scans of consent forms, call specified toll-free numbers with their consent, or use their bank or credit cards for payments.
One method already in use cross-matches government-issued identification documents sent by parents against databases holding such information; the new system instead conducts the entire verification process using imaging and face recognition technology.
Proposed by regulatory compliance firm Riyo, the “face match to verified photo identification” (FMVPI) system requires the parent to submit an image capture of a personal photo ID, such as a driver’s license or passport.
The photo is verified as a genuine government-issued document using computer vision and image forensics technology.
The parent is then prompted to submit a selfie, captured by a smartphone camera or webcam, which the system then compares using facial recognition technology to determine whether the individual who appears in the photo ID is the same individual as in the second photo. The two images are then reviewed by trained personnel.
Upon completion of the verification and consent process, the biometric and biographical data sent by the parent will be erased within five minutes, said the FTC.
In comments to the FTC in September, the Center for Digital Democracy said that the system could be bypassed by children as it does not verify that the person is actually the parent of the child.
The consumer advocacy organization also questioned the reliability and accuracy of facial recognition technologies and their respective privacy implications.
The FTC unanimously approved the Riyo proposal in a 4-0 vote after determining that the proposed verifiable parent consent (VPC) mechanism is “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.”
“Identity verification via facial recognition technology can be reasonably reliable for purposes of determining whether an individual pictured in a government-issued identification is the same person in the second image,” the FTC said.
It also said that the software performs an automated check of the individual’s birth date and therefore blocks “efforts by underage users who possess their own valid documents to authenticate.”
Meanwhile, CDD executive director Jeff Chester said the organization was pleased that the FTC had ordered Riyo to immediately destroy any data it collects from a child or parent.
“While facial recognition technology has many applications, its role protecting children’s privacy is unproven,” Chester said.