The Federal Trade Commission (FTC or Commission) is seeking comment on an application from the Entertainment Software Rating Board (ESRB), Yoti and SuperAwesome for a new way to obtain parental consent under the Children’s Online Privacy Protection Act (COPPA) Rule.
Under the COPPA Rule, online sites and apps directed to children under 13 years of age must obtain parental consent before collecting or using any personal information from a child. The COPPA Rule lists a number of acceptable methods for obtaining parental consent. It also includes a provision allowing interested parties to submit new verifiable parental consent methods to the Commission for approval.
ESRB is the self-regulatory body for the United States video game industry. ESRB currently operates a COPPA safe harbor program and has received Commission approval for self-regulatory guidelines that implement the protections of the rule. ESRB was joined in its application by Yoti, a digital identity company, and SuperAwesome, which provides technology to help companies comply with parental verification requirements.
The companies requested approval for the use of “Privacy-Protective Facial Age Estimation” technology, which analyzes the geometry of a user’s face to confirm that the user is an adult.
According to the application, facial age estimation uses computer vision and machine learning technology to estimate a person’s age based on an analysis of patterns found in an image of their face. The system takes a facial image, converts it into numbers and compares those numbers with patterns in its training dataset that are associated with known ages. By contrast, facial recognition technology, such as the technology used to open an iPhone, seeks to identify a specific person based on a photo, looking for unique geometric measures of the face and matching them to an existing set of measurements already recorded in a database along with unique identifying information. However, both technologies involve scanning the face and using artificial intelligence (AI).
The application states that Yoti trains its neural network model by feeding it millions of images of diverse human faces with the actual month and year of birth. The following diagram illustrates this process.
When using this technology, the user takes a photo of themselves (a selfie), assisted by an automatic face capture module that guides the positioning of their face in the frame. The system then checks whether there is a live human face in the frame and requires the image to be captured in the moment. The upload of still images is not accepted, and imaging that does not meet the required level of quality to create an age estimate is rejected. This minimizes the risk of children circumventing the system by taking images of unaware adults or using photos of adults.
The application states that this proprietary anti-spoofing technology has been tested and approved by the National Voluntary Laboratory Accreditation Program of the United States National Institute of Standards and Technology (NIST).
The captured image is encrypted and securely transmitted from the user’s device to the Yoti server for age estimation processing.
The process takes less than one second on average. The operator of the website or app receives only a yes/no result of whether the individual in the image meets a designated age threshold. The Facial Age Estimation proposed in the application uses a threshold age of 25 years in order to minimize the likelihood of a minor passing as an adult. Images are immediately and permanently deleted and are not used by Yoti for training purposes. If the image does not meet the age threshold, the individual may be permitted to restart the verification process or use another method for parental consent.
According to the application, the facial age estimation system correctly estimates that someone is an adult 99.97% of the time.
The FTC has requested comment on a number of questions regarding the application. These questions include whether the proposed age verification method is covered by existing methods; whether it meets the requirements of the COPPA Rule, specifically whether it is reasonably calculated to ensure the person providing consent is the child’s parent, considering available technology; and whether it poses a privacy risk to consumers’ personal information, including their biometric information. The public has until August 21, 2023, to submit comments.
Why It Matters
New, easy methods for gaining parental consent that are effective and reliable are helpful for website and app operators to ensure that their platforms are only used by children under 13 who have parental consent to do so. These methods are also helpful to parents who wish to provide consent for their children.
Currently the methods to obtain verifiable parental consent include the following:
- Providing a consent form to be signed by the parent and returned to the operator by postal mail, facsimile or electronic scan
- Requiring a parent, in connection with a monetary transaction, to use a credit card, a debit card or another online payment method that provides notification of each discrete transaction to the primary account holder
- Having a parent call a toll-free telephone number staffed by trained personnel
- Having a parent connect to trained personnel via videoconference
- Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, with the parent’s identification being deleted by the operator from its records promptly after such verification is complete
If the application is approved, this new method for obtaining verifiable parental consent would be added to these existing methods.
The application is based on a substantial amount of data and appears to be sound. According to the application, the Privacy-Protective Facial Age Estimation method has already been implemented for legally required parental consent in countries outside the United States and has delivered more than 4.8 million age estimates since 2022.
The application lists a number of benefits provided by this method:
- It is highly accurate. The rate of false positives is only 0.03%, meaning that only 3 in 10,000 users under 18 years old who try to pass as an adult might get through the system. This is likely a materially lower false positive rate than that of other methods, which can be circumvented by the child gaining access to a parent’s credit card.
- It is effective. On average, 35% of users in the European Union and the United Kingdom who attempt to prove they are adults are rejected for being under the threshold age.
- It is private. It requires no collection of identity or credit card information, and no images are stored.
- It is inclusive. Everyone has a face, but not everyone has a credit card, passport, driver’s license or Social Security number.
- It is as reliable as or more reliable than existing methods. When combined with a liveness test, face scans are very difficult to spoof.
- Users prefer it. When given a choice of several methods, over 70% of users chose facial age estimation.
- It is easy to use. Ninety-one percent of users who start a face scan complete it, compared with 65% of users who use a credit card method of approval and 66% who use a Social Security number method of approval.