
COPPA: "Knowledge-Based Authentication" Method Approved by Federal Trade Commission

Written by Julia Siripurapu

The FTC has announced that it has unanimously approved the knowledge-based authentication method proposed by Imperium, LLC (“Imperium”) as a COPPA-compliant method of obtaining verifiable parental consent (“VPC”). Knowledge-based authentication has been used by entities in the financial services industry to authenticate users for several years. For more information regarding the Imperium VPC solution called ChildGuardOnline™ please see our prior blog post.

As noted in its letter to Imperium, under the Voluntary Commission Approval Process of the COPPA Rule, the FTC will consider for approval new verifiable parental consent methods that are not currently enumerated in Section 312.5(b) of the COPPA Rule, rather than a party’s specific implementation of such methods. In fact, if a VPC method is approved by the FTC, the method can be used by any party, not just by the applicant. In its letter to Imperium, the Commission has therefore approved knowledge-based authentication as a method that satisfies Section 312.5(b)(1) of the COPPA Rule when “appropriately implemented based on factors including: 1) the use of dynamic, multiple-choice questions, where there are a reasonable number of questions with an adequate number of possible answers such that the probability of correctly guessing the answers is low; and 2) the use of questions of sufficient difficulty that a child age 12 or under in the parent’s household could not reasonably ascertain the answers.”



Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.