COPPA §312.5 requires 'verifiable' parental consent — a method that gives reasonable assurance the person consenting is actually the parent, not the child. The FTC's approved methods (email-plus, credit card transaction, signed form, KBA, government ID) each create an out-of-band verification step the child cannot complete. A checkbox on the child's own registration form gives zero assurance that any parent was involved. If a consent mechanism cannot reliably exclude the child from self-approving, it fails the 'verifiable' standard and the operator is treated as collecting data without consent.
High because using a non-approved consent method means parental consent is legally invalid — the operator has the same exposure as if no consent mechanism existed at all.
Use the email-plus method for applications handling data internally: send a direct notice to a parent-provided email address and require an explicit click on a confirmation link before any account data is stored. Document the method in your privacy policy.
// emailService is the application's own mail client; it is assumed to expose send({ to, subject, html }).
// Escape user-supplied text before placing it in the HTML body.
const escapeHtml = (s: string) =>
  s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`)

async function sendParentConsentEmail(
  { parentEmail, childEmail, token }:
  { parentEmail: string; childEmail: string; token: string }
) {
  await emailService.send({
    to: parentEmail,
    subject: 'Action required: Your child wants to create an account',
    html: `
      <p>Your child (${escapeHtml(childEmail)}) has requested an account.</p>
      <h2>What we collect from children</h2>
      <p>Display name and usage data only. No location, phone, or real name.
      Not shared with third parties for advertising.</p>
      <h2>To approve</h2>
      <p><a href="https://example.com/parent-consent/${encodeURIComponent(token)}">Click here to approve</a></p>
      <p>Link expires in 7 days. Ignore this email to decline — no account will be created.</p>
    `,
  })
}
If your application shares children's data with third parties, the email-plus method is insufficient — consult a COPPA attorney about credit card verification or KBA methods.
ID: coppa-compliance.parental-consent.ftc-approved-method
Severity: high
What to look for: Count all relevant instances and enumerate each. The FTC has published a list of approved methods for obtaining verifiable parental consent under COPPA. If a parental consent workflow exists, identify which method it uses. The FTC-approved methods are: (1) a signed consent form returned via mail, fax, or electronic scan; (2) credit or debit card transaction (not just collection — an actual charge as verification); (3) toll-free telephone or video conference with trained personnel; (4) government-issued ID checked against a database; (5) knowledge-based authentication (answers to personal questions that a parent would know but not a child); (6) email with follow-up verification to the parent (the "email plus" method — acceptable for internal use only, not for sharing children's data with third parties); (7) facial recognition matched to a government ID. Check which of these the application implements. The most common acceptable web implementation is the "email plus" method: a direct notice email to the parent with a confirmation link, and the consent is used only internally (not to share data with third parties). If the application shares children's data with third parties, a stronger method is required.
Pass criteria: The parental consent method used matches one of the FTC's approved mechanisms. If the email-plus method is used, it is only used for internal data handling (not for authorizing third-party data sharing). The method is documented in the privacy policy.
Fail criteria: Parental consent is collected via a simple checkbox on the child's signup form that the child can check themselves — this is not verifiable parental consent. No verification that the person consenting is actually the parent (e.g., no out-of-band communication to a parent-controlled channel). Consent is a click-through on the Terms of Service page, not a direct parent notification.
Skip (N/A) when: The application hard-blocks all users under 13 and no child accounts are possible.
Detail on fail: Specify the method and why it fails. Example: "Parental consent implemented as a checkbox on the child's registration form labeled 'My parent or guardian has given permission for me to create this account.' This is not verifiable — the child can check the box themselves." or "Consent link sent to the parent email, but no follow-up confirmation step exists. The link immediately creates the child's account without requiring the parent to explicitly confirm."
Remediation: Use the email-plus method for applications that handle data internally. For third-party data sharing, consult a COPPA attorney about stronger methods:
// Email-plus: direct notice to parent + explicit confirmation link
// This method is FTC-approved for internal use (no third-party data sharing)
// emailService is the application's own mail client; it is assumed to expose send({ to, subject, html }).

// Escape user-supplied text before placing it in the HTML body.
const escapeHtml = (s: string) =>
  s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`)

async function sendParentConsentEmail({
  parentEmail,
  childEmail,
  token,
}: { parentEmail: string; childEmail: string; token: string }) {
  await emailService.send({
    to: parentEmail,
    subject: 'Action required: Your child wants to create an account on [App Name]',
    html: `
      <p>Your child (using email address ${escapeHtml(childEmail)}) has requested to create
      an account on [App Name].</p>
      <h2>What information we collect from children</h2>
      <p>We collect: display name, and usage data within the app.
      We do not collect location, phone numbers, or real names.
      We do not share this data with third parties for advertising.</p>
      <h2>Your rights as a parent</h2>
      <p>You may review your child's data, request deletion, or revoke consent at any time
      by contacting privacy@example.com.</p>
      <h2>To approve this account</h2>
      <p><a href="https://example.com/parent-consent/${encodeURIComponent(token)}">Click here to approve</a></p>
      <p>This link expires in 7 days. If you did not expect this email, you may ignore it
      and no account will be created.</p>
    `,
  })
}
Document the method in your privacy policy: "For users under 13, we use the email-plus method of verifiable parental consent as approved by the FTC. We send a direct notice to the parent's email address and require the parent to click a confirmation link before we create the child's account."
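The email above only carries the token; the pass/fail distinction in this check depends on what the server does when the link is used. The following is an added example, not part of the original check or any project's code, showing a token lifecycle in which opening the link is read-only and only an explicit approval creates the account. The store names, function names, and in-memory maps are hypothetical stand-ins for the application's database and route handlers.

```typescript
import { createHash, randomBytes } from 'node:crypto'

const TTL_MS = 7 * 24 * 60 * 60 * 1000 // the 7-day expiry stated in the email

type Pending = { parentEmail: string; childEmail: string; expiresAt: number; used: boolean }
type Result = 'confirmed' | 'expired' | 'invalid'

// Hypothetical in-memory stores; a real application would use its database.
const pendingConsents = new Map<string, Pending>() // keyed by SHA-256 of the token
const childAccounts = new Set<string>()

// Only the hash is stored, so a leaked table does not yield usable links.
const hashToken = (token: string) => createHash('sha256').update(token).digest('hex')

// Step 1: child signup. Only a pending record is kept; no account exists yet.
function requestConsent(parentEmail: string, childEmail: string, now = Date.now()): string {
  const token = randomBytes(32).toString('base64url')
  pendingConsents.set(hashToken(token), {
    parentEmail, childEmail, expiresAt: now + TTL_MS, used: false,
  })
  return token // placed only in the email sent to the parent
}

// Step 2: GET on the emailed link. Read-only: it renders the notice and an
// approve button, so a mail scanner that prefetches the link approves nothing.
function viewConsent(token: string, now = Date.now()): Pending | null {
  const p = pendingConsents.get(hashToken(token))
  return p && !p.used && now <= p.expiresAt ? p : null
}

// Step 3: POST from the approve button. This is the only path that creates
// the child account, and each token works once.
function confirmConsent(token: string, now = Date.now()): Result {
  const key = hashToken(token)
  const p = pendingConsents.get(key)
  if (!p || p.used) return 'invalid'
  if (now > p.expiresAt) {
    pendingConsents.delete(key) // drop the unapproved request
    return 'expired'
  }
  p.used = true
  childAccounts.add(p.childEmail)
  return 'confirmed'
}
```
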