To protect children’s privacy online
The Entertainment Software Rating Board (ESRB) have proposed a new method for guaranteeing parental consent to help protect children’s privacy online. The method involves “Privacy-Protective Facial Age Estimation” technology, which would scan an adult’s face to confirm their age before they’re able to consent on behalf a child.
Under Children’s Online Privacy Protection Act Rule (COPPA), online sites and services, such as games, must have consent from a parent before they can collect or use personal information from a child. Microsoft need your permission before your kid can set up a Minecraft account, for example.
To guarantee an actual adult has provided that consent, the ESRB have partnered with Yoti, a “digital identity company”, and SuperAwesome, who develop technology to help other companies comply with parental verification requirements. SuperAwesome are owned by Epic Games.
Together they have created a technology which “analyzes the geometry of a user’s face to confirm that they are an adult”, according to the FTC. If the adult is deemed to be under the threshold of 25 years old, they would be unable to consent on behalf of the child.
The FTC are seeking public comment on the proposal, including “whether the proposed age verification method is covered by existing methods; whether the proposed method meets the requirements under the COPPA Rule; and whether the proposed method poses a privacy risk to consumers’ personal information, including their biometric information.” They also want to know if it poses “a risk of disproportionate error rates or other outcomes for particular demographic groups”.
It’s worth noting that even if the FTC approve “facial age estimation” as a method of obtaining parental consent, this does not mean that every service would need to implement it. It would only mean that the method was a valid way of obtaining parental consent under COPPA regulations. For services that do choose to implement it, other methods of consent would likely remain available, and the tech is already in use in some software in countries outside of the US where COPPA doesn’t apply.
As someone who already manage’s children’s accounts across Microsoft and Google ecosystems, I am deeply skeptical that introducing a new, complicated potential point of failure into the process is a good idea. I’m also not wild about anything scanning my face, or the face of children, no matter what provisions or promises are made about how the image is stored, transferred, or deleted after the fact. You can read the full 38-page proposal (PDF) for more detail on how the system works.
