(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on allecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]


US FTC (temporarily) declines to approve “Age Estimation” as a proxy for parental consent; @GetYoti “disappointed”

2024-04-02 18:37:28+00:00

Various peers are reporting, even crowing about this as a “take the win”-kind of victory, but I am not going to celebrate yet: reading between the lines, the FTC has basically kicked the ball of approving AI-based “Age Estimation” technologies for use in the USA into the long grass, awaiting a likely positive report from NIST:

The Federal Trade Commission has denied an application, without prejudice, by the Entertainment Software Rating Board, Yoti, and SuperAwesome for Commission approval of a new mechanism for obtaining parental consent under the Children’s Online Privacy Protection Rule (COPPA Rule). The applicants in 2023 requested approval for the use of “Privacy-Protective Facial Age Estimation” technology, which analyzes the geometry of a user’s face to confirm that they are an adult. Under the COPPA Rule, online sites and services directed to children under 13, and those that have actual knowledge they are collecting personal information from children under 13, must obtain parental consent before collecting, using, or disclosing personal information from a child. The rule lays out a number of acceptable methods for gaining parental consent but also includes a provision allowing interested parties to submit new verifiable parental consent methods to the Commission for approval. https://www.ftc.gov/news-events/news/press-releases/2024/03/ftc-denies-application-new-parental-consent-mechanism-under-coppa

I’ll be frank: I do not like Yoti and their peers — and I have met them up close one or two times — mostly on the general principle that they are attempting to insert themselves into online transactions and communication stacks as convenient compliance-obligated “middlemen” … where I aver that the burden of knowing your customer or client should be an aspect of the client/server relationship, be performed only on a business-need-to-apply basis, and not be outsourced.

Also: having been on the receiving end of “if the data could be used to identify someone then it is personally identifying data” PII-related legal arguments, it seems bizarre to me that Yoti’s whole pitch is that “we process pictures of your face, but that’s okay because we never give them to anyone so it could never be used to identify you.”

It all strikes me as one of those “I smoked, but didn’t inhale” positions.

Between the Yoti CEO complaining that the FTC should have waited for a report from NIST, and the precise details of use cases like “parental consent” which scream of upcoming legal nitpicking, this is not one to celebrate. Not yet, at any rate.
[END]

[1] URL: https://alecmuffett.com/article/109562
[2] URL: https://creativecommons.org/licenses/by-sa/3.0/

DropSafe Blog via Magical.Fish Gopher News Feeds:
gopher://magical.fish/1/feeds/news/alecmuffett/

You are viewing proxied material from magical.fish. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.