Verifiable parental consent process

parental-consent-processDomain: parental-controlsType: mixed

Description

Verifiable parental consent (VPC) is the workflow that runs before a platform collects personal information from a user under the age of digital consent (under 13 in the US under COPPA, between 13 and 16 in the EU under GDPR depending on member state). The verifiability part is what distinguishes VPC from a checkbox: the regulator's standard is that the platform takes reasonable steps to ensure the consenting party is actually the parent or guardian, calibrated to the data sensitivity. Accepted methods cluster into a few categories: a signed consent form returned by mail or scan, a credit-card or debit-card transaction in a nominal amount with the verification message, a knowledge-based authentication challenge that requires non-public information, government-ID verification, or a video call with the parent and a trained reviewer. Self-attestation by checkbox is not VPC; the FTC has been clear in successive enforcement actions. The operational system has to handle the consent collection, the per-user audit log of which method was used and when, the revocation pathway (a parent who consented can withdraw, and the withdrawal has to flow through to data deletion), and the special case where the platform receives an indication after the fact that a user is actually under 13 and prior data collection was made without VPC. KOSA and the proposed COPPA 2.0 revisions would extend VPC-adjacent obligations up the age band.

Applicability

Applies when: age groups include under13.

How predicates are evaluated

Required by (13 regulations)

CCPA/CPRA
Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102
Minors Online Protection
Regulations on the Protection of Minors in Cyberspace (promulgated by the State Council, Order No. 766, effective January 1, 2024)
CPA
Colo. Rev. Stat. §§6-1-1301 to 6-1-1313; 4 CCR 904-3
CTDPA
Conn. Gen. Stat. §§42-515 to 42-525
COPPA
Verifiable parental consent — § 312.5.
15 U.S.C. §§6501-6506; 16 CFR Part 312
DPDPA
Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023
FERPA
GDPR
Article 8 — child consent; member-state-specific age range 13-16.
Regulation (EU) 2016/679 of the European Parliament and of the Council
LGPD
Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)
PIPA
Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)
PIPL
Personal Information Protection Law of the People's Republic of China (adopted August 20, 2021, effective November 1, 2021)
UK AADC
Age of digital consent + parental engagement.
Data Protection Act 2018, s.123; Age Appropriate Design: A Code of Practice for Online Services (ICO, 2020)
VCDPA
Va. Code §§59.1-575 to 59.1-585

Fulfilled by (5)

persona · partial · medium effort · $$
yoti · partial · medium effort · $$
In-house build · high effort
superawesome · full · medium effort · $$
COPPA-compliant VPC flow.
privo · full · medium effort · $$
COPPA VPC + ongoing consent management.

ClearLaunch does not accept payment from vendors. Methodology.

Evidence formats

VPC method spec
consent-event log

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Description

Required by (13 regulations)

CCPA/CPRA

Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

Minors Online Protection

Regulations on the Protection of Minors in Cyberspace (promulgated by the State Council, Order No. 766, effective January 1, 2024)

CPA

Colo. Rev. Stat. §§6-1-1301 to 6-1-1313; 4 CCR 904-3

CTDPA

Conn. Gen. Stat. §§42-515 to 42-525

COPPA

Verifiable parental consent — § 312.5.

15 U.S.C. §§6501-6506; 16 CFR Part 312

DPDPA

Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023

FERPA

GDPR

Article 8 — child consent; member-state-specific age range 13-16.

Regulation (EU) 2016/679 of the European Parliament and of the Council

LGPD

Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

PIPA

Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)

PIPL

Personal Information Protection Law of the People's Republic of China (adopted August 20, 2021, effective November 1, 2021)

UK AADC

Age of digital consent + parental engagement.

Data Protection Act 2018, s.123; Age Appropriate Design: A Code of Practice for Online Services (ICO, 2020)

VCDPA

Va. Code §§59.1-575 to 59.1-585

Fulfilled by (5)

persona · partial · medium effort · $$

yoti · partial · medium effort · $$

In-house build · high effort

superawesome · full · medium effort · $$

COPPA-compliant VPC flow.

privo · full · medium effort · $$

COPPA VPC + ongoing consent management.

ClearLaunch does not accept payment from vendors. Methodology.