1. OpenID Foundation Avatar OpenID Foundation
  2. WGs
  3. ekyc-ida
  4. Issues

develop example for social media parental-child relationship

Issue #1427 new
Mark Haine created an issue

No description provided.

Comments (7)

  1. Mark Haine reporter

    One or more examples of how to represent that a parent/guardian is related to a child would be useful.

    The use case families to spur the development:

    1. Social medial and gaming (like streaming or other social media - not gambling)
    2. Age appropriate services (gambling, alcohol related, dangerous products, adult content)
    3. Med-tech & healthcare
    4. Education
    5. Travel

  2. rachel

    Legal requirements: Article 8 of the EU’s General Data Protection Regulation (GDPR) specifically addresses the processing of personal data of children. It aims to protect the fundamental rights and freedoms of children, particularly their right to privacy. Key Points of Article 8:

    • Consent for Children Under 16:

      • The processing of personal data of a child aged below 16 requires the consent of the authorised holder of parental responsibility.
      • Member states may lower this age limit to 13, but this requires a law to this effect.

    • Information to the Child:

      • When obtaining consent from a holder of parental responsibility, clear and comprehensible information about the processing must be provided to the child in a language and manner suitable to the child.

    • Rights of the Child:

      • A parent /guardian on behalf of the child has the right to withdraw consent at any time.

    The Children's Online Privacy Protection Act (COPPA) is a US federal law that places restrictions on websites and online services that collect personal information from children under 13. It requires website and online service operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children.  

    Key Requirements of COPPA:

    • Verifiable Parental Consent: Websites or online services must obtain verifiable consent from a parent or legal guardian before collecting personal information from a child under 13.

    COPPA outlines several methods for obtaining verifiable parental consent. Here are some commonly used approaches:

    • COPPA Email+

      • Requires child to provide parents email address.
      • A hyperlink is sent to the email address.
      • Parents click on the link.

    • Credit Card Authorisation:

      • Parents provide credit card information.
      • A small, non-refundable charge is applied.
      • The charge is refunded after ‘verification’.

    • Secure Online Form:

      • A secure online form collects detailed parent information.
      • Additional verification steps can be included

  3. rachel

    We agreed to use the McCallister family from the movie Home Alone to illustrate the complexities of parental consent in the digital age.

    Based on the McCallister family, here are some potential personas:

    Persona 1: Kevin McCallister (The Child)

    • Age: 8
    • Digital Literacy: High for his age, curious and tech-savvy.
    • Behaviour: Eager to explore online worlds, often without fully understanding the implications.
    • Goals: Wants to access games, social media, and entertainment.

    Persona 2: Kate McCallister The Parent / legal guardian responsible for his children.

    • Age: Mid-30s
    • Digital Literacy: Moderate, aware of online risks but overwhelmed by the complexity of data privacy.
    • Behaviour: Wants to protect her child but struggles to understand technical jargon and processes.
    • Goals: To ensure her child's safety and privacy online.

    Persona 3: Peter McCallister the legal guardian responsible for his children.

    • Age: Mid-30s
    • Digital Literacy: Low, feels overwhelmed by technology.
    • Behaviour: He relies on Kate to handle online matters but is concerned about his children's safety.
    • Goals: To protect his children but struggles to engage with the process.

    Persona 4: Buzz McCallister (The Older Sibling)

    • Age: Teenage
    • Digital Literacy: High, tech-savvy and influential over younger siblings.
    • Behaviour: Risk taker
    • Goals: To access adult content or bypass parental controls.

    Other elements

    • The Platform: This could be a social media platform, gaming platform, or any online service that collects children's data.
    • The Verifiers: A third-party entity that utilises methods to obtain verifiable parental consent (US law), obtain consent from the authorised holder of parental responsibility for a child (EU law).
    • Methods include:

    ·       Email verification: Confirming ownership of an email address can be a basic level of identity verification.

    ·       Charge against a credit card.

    ·       Bank authentication

    ·       Social Security number check

    ·       KYC (Know Your Customer) check adult often through document verification (passport, driver's license) or biometric authentication.

    ·       Verifying relationship against authoritative data sources: This involves cross-referencing provided information (e.g., names, dates of birth) with trusted databases or government records.

  4. Mark Haine reporter

    It seems to me that there are multiple stages to this that might benefit from both the “authority” draft and the “identity Assurance” drafts (almost final).

    • Process of validation and verification of adult identity to a sufficient assurance level
    • Presentation of adult assured identity using Identity Assurance drafts.
    • Process of validation and verification of as far as is practical of the young person identity (maybe a vouch from parent?) to a given assurance level
    • Presentation of young person assured identity using Identity Assurance drafts
    • Some process of verification and validation of the relationship between young person and parent/guardian
    • Presentation of the outcome of all the above by parent/guardian using both Identity Assurance and Authority drafts - This is the most obvious artifact to develop here
    • Approval by parent for young person to access some service
    • Presentation by young person of their assured identity and the approval granted by their parent/guardian using Identity Assurance and … something for communicating consent (potentially involving Authority draft) - less obvious what this might be based on - let’s discuss

  7. rachel

    Methods for Verifying Parental Responsibility

    Low Confidence

    Email check: A child is asked to provide a parent's email address, which the relying party uses to automatically send an email containing a hyperlink. Clicking the hyperlink is deemed as parental consent. However, this method is easily manipulated as children can create their own email accounts.

    Credit card charge: Requires a person to provide credit card details against which a charge is made. Once this is done successfully, it is assumed that this is an adult with a connection to a child. However, this method is susceptible to fraud and unauthorized use.

    Adult-Child Connection Indicator (ACCI): Low confidence in establishing a relationship based on methods such as email check, credit card charge, or other indirect indicators.

    Medium Confidence

    Social Security number check: Primarily for identity verification, not relationship confirmation.

    Bank authentication: Primarily for identity verification, not relationship confirmation.

    KYC (Know Your Customer) checks: Verifies adult identity but does not confirm the parent-child relationship.

    Adult-Child Connection Indicator (ACCI): Medium confidence in establishing a relationship based on KYC checks of the adult, providing additional evidence beyond basic identity verification.

    High Confidence

    Verified Parental Responsibility (VPR): Verifying the relationship between parent/guardian and child against authoritative data sources

    The new standard will address the need for levels of confidenece in checks conducted and will be crucial for companies seeking to comply with regulations like the US Children's Online Privacy Protection Act (COPPA), the new Kids Online Safety Act, GDPR, and the Digital Services Act. It will standardise and simplify the process of selecting services that meet specific confidence levels and regulatory requirements for obtaining consent from the authorised holder of parental responsibility for a child and it will complement the ISO 27566 age assurance framework.

  8. Log in to comment
Assignee
Type
bug
Priority
major
Status
new
Component
Authority claims/legal entity
Milestone
Authority ID1
Votes
0
Watchers
1
Jira: the preferred issue tracker for Bitbucket. Join the team!