Instagram, Snapchat etc. Terms of Service state that they do not allow any users under the age of 13 years, yet their platforms are flooded with young children.
My Question: In a web or mobile app for users under the age of 13 years, how can I design a verification flow that allows me to obtain "verifiable parental consent" in accordance with the US COPPA and EU GDPR laws?
I am aware that I can request the parent to provide their credit card information, which I believe will count as "verifiable parental consent". However, I am wondering if there are other options with a lower potential bounce-rate?
If this seems "too broad" a question, I am specifically looking for a verification flow that allows the parent to choose from different verification options. A flow chart would be great!
The short answer
There really isn't a good way to reliably verify someone's age without potentially alienating some segment of your user-base.
The long answer
Even your credit card solution doesn't really work for children between the ages of 13 and 18 years, where one wouldn't reasonably expect them to have credit cards or get their parents to verify age using theirs.
Some people would outright refrain from sharing other identifying documents like driver's licenses or passports out of concerns like identity-theft.
If your concerns are merely legal, then you can follow Facebook's Verification Model viz. an honor-based system coupled with a secondary mobile phone or email verification.
On the other hand, if your concerns are more towards improving user-experience, then any combination of some of the aforementioned sources of verification - Government-issued ID, Credit Cards, Phone Number, Email ID, etc. can be used depending on how inclusive or exclusive you want to make your software service. You could also look to outsource this problem by relying on external authentication source(s) like Facebook Login and use the user-data collected to verify age-range.
Related
I came from a similar state in this question.
My objective is to reply to interested customers via WhatsApp messages. I'll use a very special setup, so I'll be using the API.
Reasons:
Wish not to pay anyone other than container hosts
Solution with custom API
Customer doesn't like any extra costs
Just like user noboundaries, I see the numbers, but I can't get the certificate
User Navjot Singh has explained I need to create a "business api account"
I tried just that, put out all my contacts and stuff, in this site.
They did respond yes, but only with pointless instructions, since I wish not to contract any messaging providers. I had taken a look at it, but they charge a very expensive price beyond the $0.005 WhatsApp will charge. Also, the solution I'm creating requires messages to be sent programmatically, and the partners don't seem to provide the correct solution.
So, I wish to skip into using the api. I followed the appropriate guides:
Getting started
Phone Number
I already got some things done:
two phone numbers (one of them for testing) with whatsapp business;
company has been verified, with domain
have business management account
local environment with docker
I can access the local environment and I have set a user account and the admin account. I can log into those via the API, since Postman can ignore certificates, but in order to proceed I really feel like I need that certificate.
So to sum up, I guess I need help creating the WhatsApp business account for my customer. Any advice?
Also I'd appreciate any other helpful insight or feedback. I really feel lost and I don't see a place where I can talk to people trying to do the same thing, or doing this is much of a madness after all?
Thanks for getting to read until here, and I apologize for my non natural, almost broken English.
Hi I wanted to start big in stackOverflow but I fell flat.
About the subject at hand, yesterday I dwelt deep into the rabbit hole.
For most companies, you actually are forced to work with a provider, such as Twilio or MessageBird. They act as intermediary between the Facebook business and the WhatsApp business API.
Some of them offer messaging separated from WhatsApp API setup; I still need to take a look into it, but for those who are trying to set up WhatsApp business API on their own, it seems as of November 2020 it's not possible.
please check out:
respond.io's guide
blog post from take.net PT-BR (google translate didn't like me trying to translate this to English)
I was asked by Facebook to submit my app for an app review to get further access to some fields in their Graph API. I have done so and today I got a message from them:
The permissions and features review for (my app name) is complete.
Next, we'll verify your business. To do this, you may need to provide
documentation like a business license or utility bill.
The problem is that I have no company and therefore no documents to prove that I have one. I have created and launched this app as an individual and I just want access to few fields from their Graph API.
Please what should I do? I wanted to write them directly, but I haven't found something through what I can contact them.
New limitations
This is Facebook's new policy. It looks like access to, for example, user_friends will now be limited to companies which can afford to implement advanced security systems.
Their requirements seem to be similar to the new European regulation - GDPR. These breaking changes are most likely caused by the recent lawsuit related to Facebook & Cambridge Analytica and Mark Zuckerberg's promises during his testimony in Congress.
Facebook now requires you to verify your business for some permissions:
If you don't pass app or business review, you will lose access to these APIs after August 1, 2018.
Influence on mobile applications
It's really bad news for small applications; most likely it will kill Facebook integration.
They don't even provide any form to contact them and discuss it; when you click on "support" you are forwarded to the support page for Facebook Analytics.
If you have a small company and are creating apps for fun, their terms are very demanding and could cause huge problems for your business in the future. Therefore you should decide if it's worth the risk in exchange for displaying friends.
Interesting things about their requirements
When you start the business verification process, it asks about company details; if you provide these, you will be asked to sign a contract with Facebook. I encourage you to read their terms carefully, because they ask you to:
provide them from time to time upon a written request access to your books, records, agreements, services, facilities etc. which relate to user data in order to audit your security mechanisms and procedures,
cover review costs and expenses if they detect any noncompliance with their terms or security requirements.
Good luck to small apps...
References
Facebook Login Changelog - here you can check which permission requires app review, business verification and contract,
contract with Facebook is not published, you will receive it when you start a business verification,
short overview of Mark Zuckerberg's promises,
post on my blog with this answer,
from Facebook Login Changelog:
In order to help protect people's data, we're now requiring that an increased number of permissions go through the App Review process. For certain permissions, we are also requiring business verification and a contract between your business and Facebook. Businesses can be verified by providing forms of documentation including utility bills, business licenses, certificates of formation, articles of incorporation, tax ID numbers, and others. The contract introduces additional security requirements and other provisions around data.
August 6, 2019 - Update
Finally, the time has come. Permissions were supposed to stop working on August 1, 2018, but actually Facebook has given one extra year. Yesterday I received this e-mail:
As of September 4, 2019, MY_APP_NAME will no longer have access to the
following permissions or features:
user_friends
I have a web app that you can currently log into with either your email address or your username.
I'm developing an iPhone application and I'm just wondering if I should offer the ability to log in with your phone number. If this is the case, a user would first have to provide the service with a number on the web (an optional parameter).
I find it convenient on other services I use where I might not remember what email I have connected to it.
Is this a good idea?
Would you offer it in a service you were building?
I'm trying to decide if it's worth the trouble to build.
NOTE: This number would strictly be used for authentication.
I think that if your service is not about phone numbers (calling, texting, etc., e.g., whatsapp, etc.) I would not add phone number authentication for a few reasons:
Some users might be deterred from providing a phone number due to privacy concerns (no matter how hard you try to explain to them that you will keep it safe)
With the phone number you will now have 3 options to login with, which is way too much. You want to keep your mobile login screen very simple
Some people may think that they might get SMSs from you or get their phone bill charged somehow
Overloads your backend
Just keep it simple...:)
To add to that, I personally prefer just email, without a user name. So many sites require user names AND impose restrictions on how this user name should be structured, so you end up with tons of them. With emails, you can't go so wrong - most people use a primary one to sign up for sites.
Hope that helps.
If this question has already been asked, please comment so I can remove it.
I'm aware of the advantages of email verification, especially in regard to spamming (which could easily kill me since most of the functionality is in posting comments).
I'm contemplating the removal of email account verification for the application I'm currently building. This is for numerous reasons:
I've noticed other apps/websites simply don't implement it.
It's far more user friendly than to skew the user over to their email.
Since the application is moderate in scale and functionality, revisits are short-lived, some users may be inquisitive about it as to sign up, but some might feel it's an overkill to actually go through email verification.
App is not celebrated as to compel visitors to take effort, sign up and verify.
I know I'm getting into the gust of it, and while I'm writing this visitors could've verified their account for the gazillionth time; however, would you agree that for some moderately scaled applications an account verification might deter a casual visitor?
What measures do you personally prefer to undertake?
Why not use some form of federated ID like OpenID and such?
Verification is good if you plan to send email to them on a regular basis. Otherwise if it's just a casual site, you will probably need to offer something compelling to get them to register and provide you a valid email address.
Do you have something compelling?