EPIC, CDD, Fairplay Comments to the FTC on Proposed Parental Consent Method Submitted by Yoti Inc. under COPPA Rule
COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER, THE CENTER FOR DIGITAL DEMOCRACY, FAIRPLAY
to the
FEDERAL TRADE COMMISSION
Request for Comment on Proposed Parental Consent Method Submitted by Yoti, Inc. Under the Voluntary Approval Processes Provision of the Children’s Online Privacy Protection Rule
88 Fed. Reg. 46,705
August 21, 2023
__________________________________________________________________
The Electronic Privacy Information Center (EPIC), the Center for Digital Democracy (CDD) and Fairplay submit these comments in response to the Federal Trade Commission (FTC)’s July 20, 2023 request for comment on the proposed parental consent method submitted by Yoti, Inc., together with the Entertainment Software Rating Board and SuperAwesome Ltd.[1] If approved, Yoti’s age-estimation method would facilitate Verifiable Parental Consent (VPC) pursuant to the Children’s Online Privacy Protection Act (COPPA).[2] An approved VPC must be “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.”[3] In its application, Yoti argues that its Age-Estimation method meets the COPPA Rule’s legal standard and is not currently enumerated in the Rule.[4]
EPIC is a public interest research center in Washington, D.C. established in 1994 to focus public attention on emerging civil liberties issues and to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation.[5] EPIC routinely files comments in response to proposed FTC rules and consent orders regarding business practices that violate privacy rights, including the privacy of children online.[6]
The Center for Digital Democracy (CDD) is a public interest research and advocacy organization, established in 2001, which works on behalf of citizens, consumers, communities, and youth to protect and expand privacy, other digital rights, and data justice. Its research-led initiatives are designed to educate policymakers, the news media, civil society, and the public, and to hold corporations accountable. CDD aims to ensure that digital technologies serve and strengthen democratic values, institutions, and processes. CDD engages with the FTC on a broad range of digital policy topics, with a focus on commercial and marketing practices, including youth and health.
Fairplay is the leading independent watchdog of the children’s media and marketing industries. It has filed numerous comments and enforcement actions at the FTC regarding COPPA and has advocated for more comprehensive privacy and safety protections for children and teens at the federal level. Fairplay’s advocacy is grounded in the overwhelming evidence that child-targeted online marketing—and the excessive screen time it encourages—undermines healthy child development.
The Commission should carefully consider the privacy and data security risks enmeshed in Yoti’s Age-Estimation method. First, the Commission should determine whether age-estimation even qualifies as a form of VPC under the COPPA Rule because age-estimation does not ensure a person providing consent is the child’s parent, just that a person is an adult. Second, even if the Commission considers Yoti’s Age-Estimation to be a legitimate form of VPC, EPIC, CDD and Fairplay would oppose its approval unless the Commission fully investigates whether Yoti’s privacy and data security claims stand up to scrutiny, and whether its privacy policies are sufficiently robust, through an independent audit. Because some of the technologies relied on in Yoti’s Age-Estimation method may pose high risks to consumers’ privacy and data security and are an ineffective method to establish a parent-child relationship for VPC, the risks may outweigh any benefits to consumers. Finally, EPIC, CDD and Fairplay encourage the Commission to consider the standard setting for more privacy invasive Yoti products and for Digital ID products generally.
I. Yoti’s Age-Estimation Product Appears Not to Qualify as a VPC Method
Responsive to Questions 2 and 3
Yoti’s Age-Estimation method does not meet the requirements for parental consent in the COPPA Rule. An acceptable VPC method under the COPPA Rule “must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.”[7] Yoti’s Age-Estimation tool does not effectively establish that a person providing consent is the child’s parent. According to the application, once a child provides their parent’s email address (which is not itself a reliable link to establish a parent-child relationship), the person opening the email can choose to participate in Yoti’s Age-Estimation service. Yoti’s Age-Estimation evaluates whether a person is an adult, not whether that person is the child’s parent, or the identity of the person. Yoti does not provide evidence in its application that age-estimation is a reliable proxy for identifying the parent of a child for VPC purposes. In its application, Yoti acknowledged that the goal of Age-Estimation is not to verify a parent-child relationship, but simply to “provid[e] a high level of assurance that the person providing the consent is old enough to be a parent.”[8] Moreover, even that “assurance” is limited to certain ages, because the Age-Estimation method does not work for people between the ages of 18 and 25 who may be parents.[9]
Yoti’s Age-Estimation is not “reasonably calculated” because it poses an unwarranted risk to consumers’ biometric and personal information without establishing a useful or effective method of VPC. Yoti’s Age-Estimation method facilitates various types of sensitive data collection and processing that can be privacy invasive and pose data security risks through a potential breach or unauthorized access. While Yoti claims that its method is more accessible to parents, other approved methods are similarly accessible without being so privacy invasive. For example, the Commission has approved a VPC method involving answering a series of knowledge-based questions,[10] as well as signing a consent form.[11]
II. The Commission Should Not Approve Yoti’s Age-Estimation Without Fully Investigating the Method’s Privacy and Data Security Practices Through an Independent Audit
Unless the Commission requires and receives an independent audit that shows that Yoti’s privacy practices are sufficiently robust, EPIC, CDD and Fairplay would oppose the approval of Yoti’s Age-Estimation for VPC. While age-estimation can be privacy protective, commercial uses of biometric technologies, from face recognition to emotion detection, “warrant heightened scrutiny for their potential to enable discrimination and cause privacy harms.”[12] These technologies process sensitive biometric information and can rely on machine learning, leaving consumers without the ability to remedy harmful outcomes.[13] Moreover, the retention and sale of biometric data can also pose data security harms in the event of a breach or unauthorized access.
Yoti’s application obfuscates and omits important information about data collection and retention. For example, Yoti claims that the Age-Estimation method protects parents’ privacy because it “does not retain any information about parents, including their images.”[14] However, the implementation example in Appendix B contradicts that policy. The notice alongside the “Face Scan method” reads: “SuperAwesome will remember that you have verified your age the next time you use your email address to access other games/services powered by SuperAwesome’s technology[.]”.[15]
The application critically omits other information about the collection and retention policies regarding other information about the user. While Yoti’s application clearly describes its policy to delete photos after Age-Estimation use, the application does not include policies about the age estimate itself, location data, IP addresses, consumer analytics or other sensitive information collected or retained in the Age-Estimation process. Without proper data security and privacy safeguards, Yoti’s Age-Estimation method may contribute to the continued commercial surveillance of adults and children.[16] The Commission should not adopt Yoti’s narrow conception of privacy to simply delete photos as a sufficient privacy policy. Instead, the Commission should require a more thorough privacy and data security framework that acknowledges all data collection and data flows involved in the Age-Estimation method.
Even if the Commission considers Yoti’s Age-Estimation method to be a form of VPC, it should ensure responsible privacy and data security policies through an independent audit prior to considering approval. In particular, the audit should investigate: (1) whether Yoti is in fact deleting photos after Age-Estimation; (2) potential bias against certain demographic groups, including younger parents between the ages of 18-25; (3) what kind of (and how much) information Yoti is collecting, using, retaining or disclosing, including biometric information, age estimation data, or other data collected during the VPC process; and (4) whether Yoti in fact transmits the photo for age estimation in a secure way. Without a thorough, independent audit confirming Yoti’s responsible privacy practices, EPIC, CDD and Fairplay oppose the approval of Yoti’s Age-Estimation as a form of VPC.
III. The Commission Should Consider Long-Term Implications for Other Yoti Products and Standard Setting for Commercial Biometrics and Digital ID
Although Yoti’s Age-Estimation VPC application is not aimed towards Age-Estimation for children, Yoti currently has products outside of the U.S. performing facial identification and age-estimation on children.[17] The Commission should ensure that Yoti would be required to re-apply for additional approval and oversight if it would like to employ identification technologies, age-estimation for children, or Digital ID beyond age-estimation for VPC or other COPPA compliance purposes. These methods carry significant risks to consumer privacy and data security, especially for young children.
Relatedly, when approving this kind of technology, the FTC should be careful that it is not walking backwards into a standard for broader Digital ID products. Remote biometric identification, like the off-device biometric system used in Yoti’s Age-Estimation product, is generally not the most privacy-protective Digital ID method.[18]
IV. Conclusion
EPIC, CDD and Fairplay applaud the Commission’s ongoing efforts to center privacy and data security in evaluating potential VPC methods. Yoti’s Age-Estimation method may not even qualify as a VPC method because it does not verify the person providing consent is the child’s parent. Meanwhile, Yoti’s Age-Estimation method may pose serious privacy and data security risks to consumers. Therefore, prior to considering approval, the Commission should investigate the privacy and data security policies that are mentioned or absent from Yoti’s application through an independent audit to establish that Yoti’s privacy practices are sufficiently robust. Finally, the FTC should consider long term implications and standard setting for biometrics and Digital ID should it approve Yoti’s Age-Estimation method for VPC under the COPPA Rule.
Respectfully submitted,
Electronic Privacy Information Center
Center for Digital Democracy
Fairplay
[1] Request for Comment on COPPA Rule Proposed Parental Consent Method, 88 Fed. Reg. 46,705 (July 20, 2023), https://www.govinfo.gov/content/pkg/FR-2023-07-20/pdf/2023-15415.pdf.
[2] Yoti Inc., Application of the ESRB Group for Approval of Parental Consent Method (July 19, 2023), https://www.regulations.gov/document/FTC-2023-0044-0002 [hereinafter “Yoti Application”].
[3] 16 C.F.R. § 312.5(b)(1) (2022).
[4] Yoti Application, supra note 1 at 1.
[5] About Us, EPIC (2023), https://epic.org/about/.
[6] See, e.g., Comments of EPIC, FTC Proposed Trade Regulation Rule on Commercial Surveillance and Data Security 167-80 (Nov. 2022), https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillanceANPRM-comments-Nov2022.pdf; Comments of EPIC, FTC COPPA Rule Review (Dec. 11, 2019), https://epic.org/documents/coppa-rule-review/.
[7] 16 C.F.R. § 312.5(b)(1).
[8] Yoti Application, supra note 1 at 8.
[9] Id. at 6.
[10] Letter from Federal Trade Commission to Imperium LLC approving proposed VPC Method, FTC Matter No. P135419 (Dec. 13, 2013), https://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-grants-approval-new-coppa-verifiable-parental-consent-method/131223imperiumcoppa-app.pdf.
[11] FTC Business Guidance, Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for your Business (June 2017), https://www.ftc.gov/business-guidance/resources/childrens-online-privacy-protection-rule-six-step-compliance-plan-your-business.
[12] EPIC, Comments to NTIA on Privacy, Equity and Civil Rights 7 (Mar. 6, 2022), https://epic.org/documents/comments-of-epic-to-the-national-telecommunications-and-information-administration-on-privacy-equity-and-civil-rights/.
[13] EPIC, Comments to the FTC on Proposed Trade Regulation Rule on Commercial Surveillance and Data Security 100-101 (Nov. 21, 2022), https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillance-ANPRM-comments-Nov2022.pdf [hereinafter “EPIC FTC Commercial Surveillance Comments”].
[14] Yoti Application, supra note 1 at 10.
[15] Id. at 21.
[16] See EPIC FTC Commercial Surveillance Comments, supra note 13 at 7-11 (describing data protection crisis).
[17] Yoti, Inc., Yoti Facial Age Estimation White Paper (March 2023), https://www.yoti.com/wp-content/uploads/Yoti-Age-Estimation-White-Paper-March-2023.pdf.
[18] See, e.g., Comments of EPIC and the ACLU to NIST on NIST SP 800-63A-4 ipd Digital Identity Guidelines: Enrollment and Identity Proofing (Apr. 14, 2023), https://epic.org/documents/epic-and-aclu-comments-on-nists-2023-digital-identity-draft-guidelines/.