Verifiable parental consent process

parental-consent-processDomain: parental-controlsType: mixed

Description

Verifiable parental consent is the workflow that runs before a platform collects personal information from a user under the age of digital consent. The age threshold is jurisdiction-specific: under 13 in the US under COPPA at 16 CFR 312.5, between 13 and 16 in the EU under GDPR Article 8 depending on member-state implementation (Germany and the Netherlands set 16, France and Italy at 15, Spain and several others at 14, Belgium and the UK at 13), and varying by similar bands across the wider set of privacy regimes that have adopted COPPA-equivalent frameworks (LGPD, DPDPA, PIPL, PIPA, FERPA in the school-services context). The verifiability part is what distinguishes VPC from a checkbox. The FTC's standard under 16 CFR 312.5(b) is that the platform makes reasonable efforts to ensure the consenting party is actually the parent or guardian, calibrated to the sensitivity of the data collected and the use to which it will be put. Accepted methods cluster into six categories. A signed consent form returned by mail, fax, or electronic scan (the longest-standing method, still accepted, slowest in practice). A credit-card or debit-card transaction in a nominal amount with the verification message attached to the charge (relies on the fact that minors typically do not hold the card). A knowledge-based authentication challenge that requires non-public information about the parent (often vendor-provided, with the question pool sourced from credit-bureau data). Government-ID verification with document-authenticity and selfie-match checks. A video call with the parent and a trained reviewer (used for higher-sensitivity cases where the platform wants the assurance of a live verification). And, since the 2013 COPPA Rule amendments, the use of payment systems that satisfy the underlying verification through a card-on-file or banking relationship. Self-attestation by checkbox is not VPC, and the FTC has been clear in successive enforcement actions (TikTok, Microsoft / Xbox, Amazon / Alexa, and others) that a checkbox-only flow attracts substantial penalty exposure regardless of subjective good faith. The operational system handles four pieces. Consent collection at the front door of the under-age account-creation flow, with the chosen verification method appropriate to the data sensitivity (the FTC's sliding-scale framing is that more sensitive collection requires more rigorous verification). Per-user audit log of which method was used and when, retained long enough to defend against any future enforcement inquiry into specific accounts. The revocation pathway: a parent who consented can withdraw consent at any time, and the withdrawal has to flow through to data deletion and (where consent was the lawful basis under GDPR Article 6) to cessation of any further processing. And the after-the-fact-discovery case, where the platform receives an indication that an account that completed without VPC is actually held by a child; the obligation in that case is to delete the prior data collection and either obtain consent retroactively or close the account, and the speed of the response is the load-bearing piece in enforcement reviews. KOSA, the proposed COPPA 2.0 revisions, and the patchwork of state-level child-safety laws (California AADC, UK AADC adjuncts, several proposed state laws aligned with KOSA) would extend VPC-adjacent obligations up the age band. The operational direction of travel is broader, not narrower; operators building VPC infrastructure now generally do so with the expectation that the age threshold will rise to 16 or 17 across more of the operator's footprint over the medium term, and architect for that rather than for the narrowest current scope.

Applicability

Applies when: age groups include under13.

How predicates are evaluated

Required by (14 regulations)

CCPA/CPRA
Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102
Minors Online Protection
Regulations on the Protection of Minors in Cyberspace (promulgated by the State Council, Order No. 766, effective January 1, 2024)
CPA
Colo. Rev. Stat. §§6-1-1301 to 6-1-1313; 4 CCR 904-3
CTDPA
Conn. Gen. Stat. §§42-515 to 42-525
COPPA
Verifiable parental consent — § 312.5.
15 U.S.C. §§6501-6506; 16 CFR Part 312
DPDPA
Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023
FERPA
GDPR
Article 8 — child consent; member-state-specific age range 13-16.
Regulation (EU) 2016/679 of the European Parliament and of the Council
LGPD
Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)
PIPA
Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)
PIPL
Personal Information Protection Law of the People's Republic of China (adopted August 20, 2021, effective November 1, 2021)
UK AADC
Age of digital consent + parental engagement.
Data Protection Act 2018, s.123; Age Appropriate Design: A Code of Practice for Online Services (ICO, 2020)
VCDPA
Va. Code §§59.1-575 to 59.1-585
California SB 976
Implements the verifiable parental consent SB 976 requires before providing an addictive feed or out-of-hours notifications to a known minor.
California SB 976 (2024), Protecting Our Kids from Social Media Addiction Act
Source →

Fulfilled by (5)

persona · partial · medium effort · $$
yoti · partial · medium effort · $$
In-house build · high effort
superawesome · full · medium effort · $$
COPPA-compliant VPC flow.
privo · full · medium effort · $$
COPPA VPC + ongoing consent management.

Magist does not accept payment from vendors. Methodology.

Evidence formats

VPC method spec
consent-event log

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Description

Required by (14 regulations)

CCPA/CPRA

Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

Minors Online Protection

Regulations on the Protection of Minors in Cyberspace (promulgated by the State Council, Order No. 766, effective January 1, 2024)

CPA

Colo. Rev. Stat. §§6-1-1301 to 6-1-1313; 4 CCR 904-3

CTDPA

Conn. Gen. Stat. §§42-515 to 42-525

COPPA

Verifiable parental consent — § 312.5.

15 U.S.C. §§6501-6506; 16 CFR Part 312

DPDPA

Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023

FERPA

GDPR

Article 8 — child consent; member-state-specific age range 13-16.

Regulation (EU) 2016/679 of the European Parliament and of the Council

LGPD

Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

PIPA

Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)

PIPL

Personal Information Protection Law of the People's Republic of China (adopted August 20, 2021, effective November 1, 2021)

UK AADC

Age of digital consent + parental engagement.

Data Protection Act 2018, s.123; Age Appropriate Design: A Code of Practice for Online Services (ICO, 2020)

VCDPA

Va. Code §§59.1-575 to 59.1-585

California SB 976

Implements the verifiable parental consent SB 976 requires before providing an addictive feed or out-of-hours notifications to a known minor.

California SB 976 (2024), Protecting Our Kids from Social Media Addiction Act

Source →

Fulfilled by (5)

persona · partial · medium effort · $$

yoti · partial · medium effort · $$

In-house build · high effort

superawesome · full · medium effort · $$

COPPA-compliant VPC flow.

privo · full · medium effort · $$

COPPA VPC + ongoing consent management.

Magist does not accept payment from vendors. Methodology.