In comments to the Federal Trade Commission, EPIC, the Center for Digital Democracy, and Fairplay urged the FTC to center privacy and data security risks as it evaluates Yoti Inc’s proposed face-scanning tool for obtaining verifiable parental consent under the Children’s Online Privacy Protection Act (COPPA). The COPPA Rule specifies that a new parental consent method must be “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.” According to Yoti’s application for FTC approval, if a child seeks to access a website that requires verifiable parental consent, the child can provide their parent’s email address, and then the person opening the email can choose to participate in Yoti’s face-scanning service to estimate their age. Yoti’s face-scanning tool analyzes a photo of a person’s face to determine if they are an adult. But Yoti’s tool does not appear adequate under the COPPA Rule because it only purports to determine that a person is an adult, not that the person providing “consent” is the child’s parent. At the same time, Yoti’s tool relies on sensitive data collection and processing of biometrics, posing privacy, equity, and security risks to consumers. If the FTC is still contemplating approval of Yoti’s face-scanning tool, the groups argued that the Commission must first require an independent audit establishing that Yoti’s privacy and data security practices are sufficiently robust.
EPIC regularly comments in response to proposed FTC rulemakings, orders, and other regulatory actions implicating privacy rights and data security. EPIC also commented in the most recent FTC regulatory review of the COPPA Rule.