3

I'm working on a website where we expect many of our users to be under 18. Our lawyer told us that anyone under 18 will need their parents to agree to the Terms of Service, since they aren't legally able to do it themselves.

So my question is, how thoroughly do we need to verify a user's age? Is it enough to just ask them?

declan
  • 249
  • 6
    Uh, you have a lawyer to tell you it needs to be done, but not how thoroughly? – Karl Bielefeldt Mar 28 '11 at 19:48
  • 11
    What did you lawyers's say? If they say "anyone under 18 will need their parents to agree to the Terms of Service", they must have some workable definition of "agree" and "under 18". Start with them, since they're writing the requirements. – S.Lott Mar 28 '11 at 19:49
  • 1
    You might have some luck looking for the rules promulgated pursuant to COPPA, I think they talk about valid ways to obtain parental consent, though they're probably for a different purpose than your current need. As always with questions like this, discuss it with your lawyer and not a bunch of yahoos on a community help site. – Aneurysm9 Mar 28 '11 at 20:41
  • I don't think it should be as strict as asking their parents to physically sign and ship the form. There are many U.S based websites e.g facebook where you just have to click the agree button – Click Upvote Mar 28 '11 at 22:03
  • 4
    I'm voting to close this question as off-topic because it definitely is asking a legal question a bunch of software developers are not qualified to answer. – Scant Roger Dec 26 '15 at 01:02

1 Answers1

8

The two attempts to set a legal standard for this (COPA and OAVSCA (Son of COPA)) have, in the former case, been repeatedly trounced in court (to the point of being ruled unconstitutional), and in the latter case, never even made it into law in the first place. As it stands there is no real law that enforces online age verification.

There is no reasonable way to get a persons age over the internet other than by asking them, so you're going to have to ask them. There is just no way around it. This is why COPA failed: it placed an obscene and insurmountable burden on website maintainers.

Even if you asked a person to physically show up at your offices with proof of age, and verified all their information before you gave them their login, there is still no way to know that the person who logged in is the person who showed up. You'd need some kind of biometric system coupled with a camera to make sure the original person didn't leave the terminal at any time. I've used classified government systems that didn't have that level of security.

In the end, you're going to be forced to go with self-reported data, and you're absolutely going to have people who are misrepresenting their age for the purpose of agreeing to your ToS.

Satanicpuppy
  • 6,200