Checking for Consent
.jpg)
Checking for Consent
Your requirements for correctly handling consent depend on whether your site is "general use" or "targeted at children."
- General Use
You can check consent status only when you are specifically required to do so by children's privacy laws, such as the Children's Online Privacy Protection Act (COPPA). On pages that check for authentication only and do not collect personal data about users, it is acceptable to allow users to be authenticated without consent. You can use the HaveConsent method to check consent status and then dynamically adjust what is displayed to users based on their consent status.
- Targeted at Kids
You must check for consent status by specifying KPP=3 for all authentication calls. In most cases, specifying KPP=3 on your authentication calls will prevent a child who does not have consent from signing in to your site. However, because there are some special cases in which a child without consent can be authenticated even if KPP=3 is specified, you should always verify consent with the HaveConsent method.
Before you can check a user's consent status, the user must be directed to the Login server using the LogoTag2 or AuthURL2 methods. These methods include an optional parameter, KPP, that determines the Login server's behavior with respect to consent. The value of KPP affects the user sign-in experience and determines whether consent status information is returned.
KPP=0
Specify this value if you want to be able to authenticate anyone regardless of consent status, and you do not want consent status to be returned in the user's profile.When you specify KPP=0, all users are authenticated normally. The consent database is not consulted during the authentication process, and no consent status information is returned in the user's profile. If the user is a child, no information about the user's birth date is ever returned when KPP=0. The Microsoft® Kids Passport bit flag in the user's profile will never be set.
KPP=1
Specify this value if you want to be able to authenticate anyone regardless of consent status, but you do want consent status to be returned in the user's profile.When you specify KPP=1, all users are authenticated normally. The consent database is consulted during the authentication process, and consent status information is returned in the user's profile. The user will be allowed to sign in even if consent is not granted, and the page that requests consent is never displayed. If the user is a child and parental consent has not been granted to your site, information returned in the child's profile is limited to the flags returned in the Flags attribute, the child's Microsoft® .NET Passport Unique ID (PUID) returned in the MemberIDHigh and MemberIDLow attributes, and the child's birth date precision returned in the BDay_precision attribute. Other profile attributes will not contain any data.
Specifying KPP=1 is useful if you want to initially authenticate users regardless of consent status, and then handle consent restrictions yourself. Specifying KPP=1 is also useful if you want to prevent children from accessing pages on your site. You can check the Kids Passport bit in the profile flags, and then take appropriate action, such redirecting children or displaying an "access denied to children" page.
KPP=2
Specify this value only if your site is general use and does not use Consent cookies.If your site uses Consent cookies and you specify KPP=2 in your authentication calls, under certain circumstances it is possible for a child who does not have consent to be authenticated. To prevent this, specify KPP=3 instead. The behavior that results from specifying this value is similar to the behavior when KPP=3 is specified, except that the user will not be prompted to provide a birth date if no birth date is included in the user's profile.
For more information about Consent cookies, see Domains and Consent.
Important If your site is targeted at kids, COPPA and other children's privacy laws prohibit you from specifying KPP=2. You must specify KPP=3 instead.
KPP=3
Specify this value if you want to prevent children from signing in to your site without parental consent. Sites that are targeted at kids must use this value for all authentication requests.Specifying KPP=3 causes consent controls to be activated during the authentication process. First, the Passport Manager determines if consent applies to the user by checking the user's birth date and place of residence. If the user's profile does not include a birth date, the user is prompted to provide his or her birth date before authentication can proceed. If the user is a child to whom consent applies, the Kids Passport consent database is checked to see if parental consent is granted to your site. If consent is not granted, a page is displayed by Kids Passport that informs the child that parental consent is required before the child can sign in. If the parent is available, he or she can grant consent immediately. Otherwise, the child can choose to have an auto-generated message sent to the parent. The child will not be allowed to sign in to a site until parental consent is granted to that site.
- KPP=4
This value is used only when authenticating a parent who is trying to access a child's data through the Account Data or Account Removal pages. For more information, see Verifying the Parent-Child Relationship.
Using Consent Status
After a user has been authenticated with KPP=3, KPP=2, or KPP=1, you can use the HaveConsent method to examine the user's consent status. This information can then be used to determine the behavior of your site, for example by redirecting users with consent to one page, and children without consent to a different page.
The HaveConsent method provides a simple way to check consent status. You can also determine consent status, as well as the user's status as a parent or child, by examining the Flags attribute in the .NET Passport profile. Bits 7 & 6 of the Flags attribute provide the user's consent status. Bits 9 & 8 enable you to determine if the user is a child or a parent, or if the user falls into neither category. For more information, see Flags.
The following code sample displays a chat room link only if the user has full consent or if consent does not apply.
<%
Dim oMgr, thisURL
Set oMgr = Server.CreateObject("Passport.Manager")
thisURL = "https://" & Request.ServerVariables("SERVER_NAME") & _
Request.ServerVariables("SCRIPT_NAME")
' First, verify that the user is authenticated.
If oMgr.IsAuthenticated Then
' Next, verify that the user's profile is available.
If oMgr.HasProfile Then
' Finally, determine consent status with the HaveConsent method.
If oMgr.HaveConsent(True,False) Then
' This code is executed if the user has full consent,
' of if consent does not apply to this user. In this case
' show the chat link.
Response.Write("<a href='chat.htm'>Enter the chat room.</a>")
Else
' This code is executed if the user has limited or no consent.
Response.Write("You need full parental consent to enter the chat room.")
End if
Else
' The user is authenticated, but has no profile. This most likely indicates that the user
' is a child who was authenticated on a root domain (for example, msn.com), but does not have
' consent for the particular site within the domain (for example love.msn.com). In this case,
' the child should be re-authenticated to obtain the consent status for the site being accessed.
' Be sure to specify a value for KPP (such as KPP=3) that will cause consent status to be returned.
Response.Redirect(oMgr.AuthURL2(thisURL,600,,,,,3)
End If
Else
' This code is executed if the user is not signed in.
Response.Write("Please sign in.")
End If
%>
It is possible for children who have been directed to the Login server with KPP=3 or KPP=2 to be returned to your site with a profile, even though consent is not granted for your site. This can happen with certain specialized clients, such as MSN TV, or in cases in which a child who was directed to the Login server registered for a new .NET Passport and was then returned to your site. Always verify consent with the HaveConsent method.
See Also