71 FR 50 pgs. 13247-13258 - Children's Online Privacy Protection Rule

Next Article Next

Type: RULEVolume: 71Number: 50Pages: 13247 - 13258

FR document: [FR Doc. 06-2356 Filed 3-14-06; 8:45 am]

Agency: Federal Trade Commission

Official PDF Version: PDF Version

FEDERAL TRADE COMMISSION

16 CFR Part 312

Children's Online Privacy Protection Rule

AGENCY:

Federal Trade Commission.

ACTION:

Retention of rule without modification.

SUMMARY:

The Federal Trade Commission ("the Commission") has completed its regulatory review of the Children's Online Privacy Protection Rule ("the COPPA Rule" or "the Rule"), which implements the Children's Online Privacy Protection Act of 1998. The Rule regulates how Web site operators and others may collect, use, and distribute personal information from children online. The Commission requested comment on the costs and benefits of the Rule and whether it should be retained without change, modified, or eliminated. The Commission also requested comment on the Rule's effect on: information practices relating to children; children's ability to obtain online access to information of their choice; and the availability of Web sites directed to children. Pursuant to this review, the Commission concludes that the Rule continues to be valuable to children, their parents, and Web site operators, and has determined to retain the Rule in its current form. This document discusses the comments received in response to the Commission's request for public comment and announces the Commission's decision to retain the Rule without modification.

DATES:

Effective Date: March 15, 2006.

FOR FURTHER INFORMATION CONTACT:

Karen Muoio, (202) 326-2491, Federal Trade Commission, 600 Pennsylvania Avenue NW., Mail Drop NJ-3212, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Introduction

Pursuant to Congressional direction and the Commission's systematic program of reviewing its rules and guides, in April 2005 the Commission issued a Federal Register Proposed Rule seeking public comment on the overall costs and benefits of the COPPA Rule and other issues related to the Rule ("April 2005 NPR").¹In response, the Commission received 25 comments from various parties, including: trade associations, Web site operators, privacy and educational organizations, COPPA safe harbor programs, and consumers.²As part of its review, the Commission also considered the 91 comments received in response to its January 14, 2005 Notice of Proposed Rulemaking ("January 2005 NPR") on the Rule's sliding scale approach to obtaining verifiable parental consent.³

Footnotes:

¹ 70 FR 21107 (Apr. 22, 2005). The NPR also may be found online at http://www.ftc.gov/opa/2005/04/coppacomments.htm.

² The comments responsive to the April 2005 NPR have been filed on the Commission's public record as Document Nos. 516296-00001, et seq. , and may be found online at http://www.ftc.gov/os/comments/COPPArulereview/index.htm . This document cites comments by commenter name and page number. If a commenter submitted comments in response to the April 2005 NPR and the January 2005 NPR, the comment submitted second is delineated with the number "2." All comments are available for public inspection at the Public Reference Room, Room 130, Federal Trade Commission, 600 Pennsylvania Ave., NW., Washington, D.C. 20580.

³ 70 FR 2580 (Jan. 14, 2005). The comments responsive to the January 2005 NPR have been filedon the Commission's record as Document Nos. 514511-00001, et seq. , and may be found online at http://www.ftc.gov/os/comments/COPPA%20Rule%20Ammend/Index.htm.

In the April 2005 NPR, the Commission asked members of the public to comment on all aspects of the Rule and additionally posed twenty-one specific questions. The Commission requested comment on the general costs and benefits of the Rule, each specific provision of the Rule, prominent issues that have arisen since the inception of the Rule, and particular issues that Congress statutorily directed the Commission to evaluate. The April 2005 NPR also restated the questions pertaining to the sliding scale approach to obtaining verifiable parental consent that were posed in the January 2005 NPR, to give the public further opportunity to comment on that issue.

Commenters generally favored retaining the Rule without modification. In addition, although some commenters did not favor making the sliding scale approach permanent, they did not provide the Commission with sufficient data upon which to base a determination to eliminate or revise the sliding scale approach.

This document first describes the background and requirements of the Rule. It then summarizes the comments received regarding the costs and benefits of the Rule and whether it should be retained, eliminated, or modified. It finally explains the Commission's determination to retain the Rule without modification.⁴

Footnotes:

⁴ Because the Commission is not modifying the Rule, this document does not contain analyses under the Regulatory Flexibility Act, 5 U.S.C. 601-612, and the Paperwork Reduction Act, 44 U.S.C. 3501-3520.

II. Description and Background of the Children's Online Privacy Protection Rule

On October 21, 1998, Congress enacted COPPA (15 U.S.C. 6501-6508), which prohibits certain unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personal information from children on the Internet.⁵Pursuant to COPPA's requirements, the Commission issued its final Rule implementing COPPA on November 3, 1999.⁶

Footnotes:

⁵ 15 U.S.C. 6501-6508.

⁶ 64 FR 59888 (Nov. 3, 1999).

The Rule imposes requirements on operators of Web sites or online services directed to children under 13 years of age or that have actual knowledge that they are collecting personal information online from children under 13 years of age (collectively, "operators").⁷Among other things, the Rule requires operators to provide notice to parents and to obtain "verifiable parental consent" prior to collecting, using, or disclosing personal information from children under 13 years of age.⁸"Verifiable parental consent" means that the consent method must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.⁹

Footnotes:

⁷ 16 CFR Part 312.

⁸ 16 CFR 312.4(c) and 312.5.

⁹ 16 CFR 312.5(b)(1).

When the Commission issued the Rule in 1999, it adopted a sliding scale approach to obtaining verifiable parental consent.¹⁰Under such an approach, more reliable measures are required for parental consent if an operator intends to disclose a child's information to third parties or the public than if the operator only uses the information internally. The Commission adopted the sliding scale approach to address concerns that it was not yet feasible to require more technologically advanced methods of consent for internal uses of information. To reflect the expectation that this assessment could change, the sliding scale was scheduled to sunset in 2002. When public comment in 2002 indicated that changes in the technology had not occurred, the Commission extended the sliding scale approach three more years.¹¹In January 2005, the Commission sought public comment on whether to make the sliding scale approach permanent.¹²Based on the comments received, the Commission determined that it would be appropriate to evaluate the sliding scale approach in the broader context of the current Rule review. Pending the outcome of the instant review, the Commission amended the Rule to extend the sliding scale approach.¹³

Footnotes:

¹⁰ The Commission adopted the sliding scale as part of the Rule in 1999 after soliciting public comments, http://www.ftc.gov/privacy/comments/index.html, and conducting a public workshop, http://www.ftc.gov/privacy/chonlpritranscript.pdf, on consent methods.

¹¹ 67 FR 18818 (Apr. 17, 2002).

¹² 70 FR 2580.

¹³ 70 FR 21107.

In addition to requiring operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children, the Rule requires operators to post a notice of their information practices online, provide parents with access to their children's information, and keep that information confidential and secure.¹⁴It also prohibits operators from conditioning children's participation in an activity on the children providing more personal information than is reasonably necessary to participate in that activity.¹⁵Further, the Rule provides a safe harbor for operators following Commission-approved self-regulatory guidelines, and instructions on how to get such guidelines approved.¹⁶

Footnotes:

¹⁴ 16 CFR 312.4(b), 312.6, and 312.8.

¹⁵ 16 CFR 312.7.

¹⁶ 16 CFR 312.10.

Both the Act and the Rule require that the Commission initiate a review of the Rule, including requesting data on certain issues, within five years of the Rule's effective date, i.e. , April 21, 2005.¹⁷The Commission initiated its review on that date.¹⁸The review also has been conducted pursuant to the Commission's systematic program of periodically reviewing its rules and guides.

Footnotes:

¹⁷ 15 U.S.C. 6507; 16 CFR 312.11.

¹⁸ 70 FR 21107. The NPR also may be found online at http://www.ftc.gov/opa/2005/04/coppacomments.htm.

III. Discussion of Comments and the Retention of the Rule Without Modification

A. Summary of Comments

The Commission received 25 comments in response to its April 2005 NPR on the overall Rule and 91 comments in response to its January 2005 NPR on the sliding scale approach to obtaining verifiable parental consent, for a total of 116 comments.¹⁹The commenters included trade associations, Web site operators, privacy and educational organizations, COPPA safe harbor programs, and consumers.

Footnotes:

¹⁹ The comments are discussed in subsections B and C of this Part. In addition, complete lists of the commenters and their comments appear at http://www.ftc.gov/os/publiccomments.htm.

Of the 116 comments received, 68 were non-form letter comments from various entities and individuals. Approximately two-thirds of these 68 comments solely addressed the sliding scale approach.²⁰About one-third of them addressed other aspects of the Rule, in some cases also addressing the sliding scale approach.²¹

Footnotes:

²⁰ Dori Acampora; ADVO, Inc.; American Association of Advertising Agencies, et al. ("AAAA"); Lou Apa; Susan Barrett; Belinda Brewer; American Library Association ("ALA"); Center for Digital Democracy ("CDD"); Children's Advertising Review Unit ("CARU"); Children's Media Policy Coalition ("CMPC"); Consortium for School Networking ("CoSN"); Council of American Survey Research Organizations, Inc. ("CASRO"); Council for Marketing and Opinion Research ("CMOR"); Credit Union National Association ("CUNA"); William Demers; Gale DeVoar Sr.; Direct Marketing Association, Inc. ("DMA"); Christina Dukes; Electronic Privacy Information Center ("EPIC"); Gestweb S.p.a.; Illinois Credit Union League ("ICUL"); IT Law Group ("ITLG"); Gary Kelly; Liana Laughlin; Masterfoods USA; Mattel, Inc.; Adrieh Mehdikdani et al. ; Jim Minor; Motion Picture Association of America ("MPAA"); National Cable Telecommunications Association ("NCTA"); Navy Federal Credit Union ("NFCU"); Alta Price; Privo, Inc.; Procter Gamble ("PG"); Schwab Learning; Terri Seleman; Software Information Industry Association ("SIIA");TRUSTe; John Surr; United States Internet Service Provider Association ("US ISPA"); John Villamil et al. ; Anton Vogel et al. ; Scot Wallace-Zeid; Carrie Williams.

²¹ Parry Aftab, et al. ; ALA 2; Robert Chapin; CoSN 2; CUNA 2; Robert Custer; DMA 2; Edita Domentech, et al. ; EPIC 2; Entertainment Software Rating Board ("ESRB"); Eileen Fernandez-Parker; Joseph Hodges; William Kreps; Mattel 2; Microsoft Corporation; MPAA 2; NFCU 2; Nickelodeon; Chris O'Neal; Peter Renguin; Scholastic Inc.; Time Warner Inc.; TRUSTe 2; Washington Legal Foundation ("WLF").

Forty-eight commenters submitted a form letter opposing letting operators obtain verifiable parental consent through a reply to an e-mail alone, because this could allow children to forge their parents' consent. The form letter states, in pertinent part, that "Merely receiving an email from a parent's email address does not qualify as permission since it is possible for parents to not even be aware that an exchange has taken place and therefore allows companies to market to children without parental permission."²²In its original COPPA rulemaking, the Commission agreed, concluding "that e-mail alone does not satisfy the COPPA because it is easily subject to circumvention by children."²³Therefore, the Commission adopted the requirement in the Rule that operators must take an additional step to verify that it is, in fact, the parent sending the e-mail, a consent method commonly known as "e-mail plus."²⁴Specifically, the operator must send the parent by e-mail, letter, or telephone call a confirmation of his or her consent.²⁵

Footnotes:

²² See, e.g. , Barbara Abbate.

²³ 64 FR at 59902.

²⁴ Id. Under the sliding scale approach, if an operator wants to collect personal information from children and disclose it to third parties or the public, the Rule requires the operator to obtain verifiable parental consent through one of the more reliable means described in Section 312.5(b)(2) of the Rule. 16 CFR 312.5(b)(2).

²⁵ Id.

No commenter stated that the Rule should be eliminated. To the contrary, almost all commenters advocated retaining the Rule in its current form²⁶or adding to its requirements.²⁷Two commenters suggested excepting certain kinds of Web sites from the Rule's requirements,²⁸and one of the Rule's safe harbor programs suggested extending the protected status granted to safe harbor program participants.²⁹Some commenters requested clarification on particular aspects of the Rule.³⁰

Footnotes:

²⁶ E.g., ALA 2; CoSN 2; DMA 2; Mattel 2; MPAA 2; Nickelodeon; O'Neal; Scholastic; Time Warner.

²⁷ CUNA 2; EPIC 2; Fernandez-Parker; Domenech; Kreps; NFCU 2; Reguin.

²⁸ Aftab; Custer.

²⁹ TRUSTe 2.

³⁰ Chapin; ESRB; EPIC 2; Microsoft; Privo; Reguin.

On the specific issue of the sliding scale approach, unique commenters generally supported retaining it, with 34 unique comments submitted in favor of making it permanent³¹and nine unique comments submitted in favor of extending it for some period of time.³²Forty-eight form-letter comments opposed allowing receipt from a parent's e-mail address to qualify as permission but, as explained above, the Rule already requires more. Eleven unique commenters were against making permanent or extending the sliding scale approach³³and four did not take a clear position.³⁴

Footnotes:

³¹ ADVO; Aftab; AAAA; Apa; Brewer; ALA 1, 2; CARU; CoSN 1, 2; CUNA 1, 2; DeVoar; DMA 1, 2; ESRB; ICUL; ITLG; Mattel 1, 2; Masterfoods; MPAA 1, 2; NCTA; NFCU 1, 2; Nickelodeon; PG; Scholastic; SIIA; Time Warner; TRUSTe; U.S. ISPA; WLF.

³² CDD; CMPC; CASRO; CMOR; EPIC 1, 2; Mehdikdani; Villamil; Vogel.

³³ Acampora; Barrett; Demers; Dukes; Laughlin; Minor; Price; Privo; Schwab Learning; Seleman; Williams.

³⁴ Gestweb; Kelly; Surr; Wallace-Zeid.

B. General Comments on the Rule

The Commission's April 2005 NPR asked several questions about the implementation and necessity of the Rule as a whole. The NPR contained several standard Commission regulatory review questions about the costs and benefits of the Rule. The NPR also sought comments on three specific issues that Congress in the Act directed the Commission to evaluate.

1. The Costs and Benefits of the Rule

The Commission asked several general questions in the April 2005 NPR pertaining to the necessity and effectiveness of the Rule. The questions requested comment on how the Rule has affected children's online privacy and safety, whether the Rule is still needed, and how the Rule has affected consumers and operators. The Commission also requested comment on the Rule's effect on small businesses and whether the Rule is in conflict with other existing laws.

Commenters uniformly stated that the Rule has succeeded in providing greater protection to children's personal information online, that there is a continuing need for the Rule, and that the Rule should be retained.³⁵For example, in explaining the Rule's success in protecting children's privacy and safety online, one commenter stated that "COPPA has been very successful in improving the data collection practices and curtailing unscrupulous interactive marketing practices of commercial Web sites,"³⁶while another said that "all indications are that COPPA and its implementing rules provide an important tool in protecting the privacy and safety of children using the Internet."³⁷Another commenter stated that the Rule has increased consumer awareness of privacy issues across the board while encouraging operators to respond creatively to the challenge of protecting children online.³⁸

Footnotes:

³⁵ E.g., Aftab at 2; ALA 2 at 1; COSN 2 at 1; CUNA 2 at 1-2; DMA 2 at 1-2; EPIC 2 at 1, 3; MPAA 2 at 2, 5; NFCU 2 at 1; Nickelodeon at 1; O'Neal; Scholastic at 2-3; Time Warner at 1.

³⁶ Aftab at 2.

³⁷ EPIC 2 at 1.

³⁸ Chapin at 1.

As to the continuing need for the COPPA Rule, numerous commenters emphasized that the Rule provides operators with a clear set of standards to follow and that operators have received few, if any, complaints from parents about the standards and how they are implemented.³⁹One commenter described how the Rule's definite standards have fostered consumer and business confidence in the Internet.⁴⁰Moreover, operators stated that they have no complaints about the costs of complying with the Rule's requirements.⁴¹

Footnotes:

³⁹ DMA 2 at 2; MPAA 2 at 2, 5; Nickelodeon at 1; Scholastic at 2-3; Time Warner at 1.

⁴⁰ MPAA 2 at 3-4.

⁴¹ CoSN 2 at 1; NFCU 2 at 1; Nickelodeon at 1; Scholastic at 2-3; Time Warner at 1. Indeed, one commenter detailed the ways in which changing the Rule's sliding scale approach would impose substantial costs on operators. MPAA at 4-5. The commenter, a large trade association representing numerous Web site operators, stated that these costs would include not only up-front labor and other quantifiable financial costs, but also unquantifiable costs associated with operators becoming unwilling to invest in new technology due to an uncertain regulatory climate and consumers becoming unwilling to trust an uncertain system. Id.

The Commission did not receive any comments specifically addressing the Rule's costs and benefits for small businesses or the Rule's overlap with other laws or regulations.

The Commission concludes that no modifications to the Rule are necessary on the basis of general comments submitted on the Rule and its costs and benefits.

2. COPPA-Mandated Issues

When Congress enacted COPPA, it included a provision requiring the Commission to evaluate and report on the implementation of the Rule five years after its effective date. Congress directed the Commission to evaluate three particular issues: (1) How the Rule has affected practices relating to the collection and disclosure of information relating to children online; (2) how the Rule has affected children's access to information of their choice online; and (3) how the Rule has affected the availability of Web sites or online services directed to children.⁴²Accordingly, the Commission specifically included questions about these issues in the April 2005 NPR.⁴³

Footnotes:

⁴² 15 U.S.C. 6507.

⁴³ 70 FR at 21109.

Some commenters submitted views on the three issues, although none provided the Commission with related empirical data. Regarding the question of whether and, if so, how the Rule has affected practices relating to the collection, use, and disclosure of information relating to children online, three commenters (two operators of major Web sites and their trade association) provided specific and concrete examples of how the Rule has affected their own information practices concerning children.⁴⁴These commenters stated that the primary response of operators has been to limit the personal information they collect from children (by either not collecting any personal information or collecting only e-mail addresses) while developing innovative ways to offer the interactive online experiences children want. The commenters each described a wide variety of activities they offer at their Web sites that let children interact with the sites but require little or no information collection or disclosure.⁴⁵

Footnotes:

⁴⁴ DMA 2 at 2; Nickelodeon at 3-4; Time Warner at 2.

⁴⁵ Id .

These commenters also stated that the Rule's exceptions to prior verifiable parental consent for e-mail addresses are useful for providing children with safe online interactivity while preserving their Web sites' viability.⁴⁶The Rule sets forth five exceptions to its requirement that operators obtain verifiable parental consent before collecting a child's personal information. These exceptions allow operators to collect a child's online contact information ( i.e. , an e-mail address)⁴⁷without obtaining prior parental consent and use that information only for certain specified purposes.⁴⁸In each instance, the Rule prohibits the operator from using the information for any other purpose.

Footnotes:

⁴⁶ Id.

⁴⁷ Id. Some exceptions also allow the operator to collect the child's name, the parent's name, or the parent's online contact information.

⁴⁸ 16 CFR 312.5(c). For example, an operator can collect and use a child's e-mail address without prior parental consent to obtain verifiable parental consent, to protect the safety of a child visitor, or to respond to judicial process. 16 CFR 312.5(c)(1), 312.5(c)(4), and 312.5(c)(5)(ii).

The commenters highlighted two of the exceptions as particularly useful in providing interactive content to children. The first of these exceptions lets operators collect a child's e-mail address to respond once to a child's specific request, such as to answer a question ( e.g. , homework help) or to provide other information ( e.g. , when a new product will be on sale).⁴⁹The operator does not need to provide notice to the parents or obtain parental consent, so long as it deletes the child's e-mail address upon responding. The second noted exception lets an operator collect the e-mail addresses of the child and his or her parent so that the operator can respond more than once to a child's specific request, such as to subscribe the child to an electronic newsletter.⁵⁰Here, the operator must provide notice to the parent before contacting the child a second time and give the parent an opportunity to opt out of the repeated contact. Commenters stated that these two exceptions help them to provide safe, interactive, and fun children's content.⁵¹

The second statutorily mandated question was whether and, if so, how the Rule has affected children's ability to access information online. Most commenters stated that the Rule's requirements have struck an appropriate balance between protecting children's personal information online and preserving their ability to access content.⁵²One commenter stated that the Rule has "unfairly limited student access to educational sites."⁵³In contrast, another commenter noted that, in her experience as a teacher, children have been able to access online educational content without revealing their personal information and that her students "have not faced a problem because of COPPA."⁵⁴In addition, in the educational context, teachers often can act on behalf of parents to provide consent for purposes of COPPA.⁵⁵

Footnotes:

⁴⁹ 16 CFR 312.5(c)(2).

⁵⁰ 16 CFR 312.5(c)(3).

⁵¹ DMA 2 at 2; Nickelodeon at 3-4; Time Warner at 2.

⁵² DMA 2 at 1-2; Fernandez-Parker; Nickelodeon at1; Time Warner at 3.

⁵³ Custer. The commenter suggested that the Commission exempt educational sites from the Rule. The Commission notes that the Rule already exempts certain nonprofit entities, which would include many educational sites. 16 CFR 312.2 ("Operator means any person who operates a website * * * where such website or online service is operated for commercial purposes[.] * * * This definition does not include any nonprofit entity that would otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. 45).").

⁵⁴ Fernandez-Parker.

⁵⁵ Most schools require parents to agree to the school's Internet "Acceptable Use Policy" ("AUP") before a child can visit the Internet at school. Such AUPs can and often do authorize teachers to act on behalf of parents to provide verifiable parental consent for purposes of COPPA. In this way, if children must provide personal information to access certain content, the teacher can provide the requisite consent. The Commission has posted COPPA guidance for teachers and parents at http://www.ftc.gov/bcp/conline/pubs/online/teachers.htm.

The final statutorily mandated question concerned the Rule's effect on the availability of Web sites directed to children. Many commenters indicated that they have been successful in operating popular and viable children's Web sites in the five years since the Rule's effective date.⁵⁶One commenter, however, suggested that the Rule's requirements could have caused at least a few smaller children's Web sites to fail.⁵⁷However, this commenter also acknowledged that, given the failure of innumerable Web sites for multiple reasons during the dot-com bust of 2000, it would be difficult to single out the Rule as the cause. No commenters submitted empirical data showing the Rule's direct impact on the availability of Web sites directed to children. Accordingly, the record does not indicate that the cost of complying with COPPA has decreased the number of children's Web sites.⁵⁸

Footnotes:

⁵⁶ DMA 2 at 2; MPAA 2 at 8; Nickelodeon at 11; Scholastic at 2.

⁵⁷ Aftab at 1.

⁵⁸ One commenter suggested that the Commission regularly evaluate the status of children's privacy online to ensure that the Rule continues to provide children with the best protection. EPIC 2 at 3. Under the FTC's systematic program of periodically reviewing its rules and guides, the Rule will be evaluated comprehensively, approximately every ten years.

The Commission concludes that no modifications to the Rule are necessary on the basis of the comments submitted in response to the three COPPA-mandated questions.

C. Comments Pertaining to Specific Rule Provisions ⁵⁹

Footnotes:

⁵⁹ The Commission received no comments on certain provisions of the Rule, including Section 312.1 (describing the Rule's scope); Section 312.3 (generally describing the Rule's requirements); Section 312.9 (providing that a violation of the Rule shall be treated as a violation of a rule prohibiting an unfair or deceptive act or practice prescribed under Section 18(a)(1)(B) of the FTC Act, 15 U.S.C. 57(a)(1)(B)); Section 312.11 (mandating the instant regulatory review); and Section 312.12 (providing that each Rule provision is separate and severable from the others). The Commission has determined that no modifications to these provisions are necessary.

1. Section 312.2: Definitions

Section 312.2 defines various terms used in the Rule.⁶⁰The Commission requested comment on whether the definitions contained in this section are effective, clear, and appropriate, and whether any improvements or additions should be made. In particular, the Commission asked whether the Rule correctly articulates the factors to consider in determining whether a Web site is directed to children and whether the term "actual knowledge" is sufficiently clear.⁶¹

Footnotes:

⁶⁰ 16 CFR 312.2.

⁶¹ 70 FR at 21109.

No comments were submitted on the general effectiveness of the Rule's definitions section, but the Commission received some comments concerning the terms "website or online service directed to children" and "actual knowledge." The term "website or online service directed to children" is defined specifically in COPPA and the Rule itself,⁶²while "actual knowledge" is discussed in the Rule's Statement of Basis and Purpose and later Commission guidance.⁶³Overall, most commenters stated that the terms are sufficiently clear,⁶⁴although two suggested that the Commission continue to refine the terms through enforcement actions or other guidance.⁶⁵

Footnotes:

⁶² 15 U.S.C. 6502; 16 CFR 312.2. See also discussion of factors to be considered in determining whether a Web site is directed to children at 64 FR 59893.

⁶³ 64 FR 59892; Frequently Asked Questions about the Children's Online Privacy Protection Rule: Volume One ("COPPA FAQs"), questions 38 and 39, available at http://www.ftc.gov/privacy/coppafaqs.htm#teen; and The Children's Online Privacy Protection Rule: Not Just for Kids' Sites, available at http://www.ftc.gov/bcp/conline/pubs/alerts/coppabizalrt.htm.

⁶⁴ DMA 2 at 2-4; EPIC 2 at 3-5; Nickelodeon at 9-10; Time Warner at 4, 6.

⁶⁵ EPIC 2 at 5; ESRB at 2-3.

a. "Website or Online Service Directed to Children"

The Rule specifically defines the term "website or online service directed to children" as "a commercial website or online service, or portion thereof, that is targeted to children."⁶⁶The Rule further provides that, in determining whether a Web site or online service is "targeted to children," the Commission will consider several factors. These factors include subject matter; visual and audio content; age of models; language or other characteristics; advertising appearing on or promoting the site or service; competent and reliable empirical evidence of audience composition; evidence regarding the intended audience; and whether the site uses animated characters or child-oriented activities or incentives.⁶⁷The Rule's Statement of Basis and Purpose states that the Commission, in making its determination, will consider "the overall character of the site-and not just the presence or absence of one or more factors."⁶⁸Commenters representing numerous Web site operators stated that the language of the Rule and discussion in the Rule's Statement of Basis and Purpose provide effective and clear guidance for determining whether a Web site is directed to children.⁶⁹

Footnotes:

⁶⁶ 16 CFR 312.2.

⁶⁷ 64 FR 59912-13.

⁶⁸ 64 FR 59893.

⁶⁹ DMA 2 at 2; Nickelodeon at 9; Time Warner at 4-5.

Two commenters suggested that the Commission clarify, through additional guidance, when a Web site is considered to be directed to children under the Rule. The first commenter suggested adding several design elements to the Rule's list of factors the Commission will consider, including color, non-textual content, interactivity, navigational tools, and advertisements.⁷⁰The Commission believes that the existing factors set forth in the Rule already encompass these suggested additions. For example, the Rule's definition expressly provides that the Commission will consider advertising appearing on or promoting the Web site or service.⁷¹The Rule also provides that the Commission will consider a site's visual and audio content, language and other characteristics of the site, and any child-oriented activities or incentives.⁷²The Commission therefore concludes it is unnecessary to modify the Rule's definition of a Web site or online service directed to children.

Footnotes:

⁷⁰ EPIC 2 at 4.

⁷¹ 16 CFR 312.2.

⁷² Id.

A second commenter suggested it might be instructive to incorporate into the Rule the analysis that Commission staff set forth in a recent letter denying a petition for law enforcement action filed concerning the Amazon Web site, http://www.amazon.com. ⁷³The letter, published on the petitioner's Web site,⁷⁴analyzes the Amazon Web site using the factors set forth in the Rule for determining whether a Web site is directed to children. The commenter suggested that incorporating the analysis into the Rule would clarify how the Commission determines whether other Web sites are directed to children. The letter does provide one example of how the Commission staff has applied the Rule's factors in analyzing whether a particular Web site was directed to children. However, the Commission does not believe that the general factors in the Rule need to be modified in light of the FTC staff's application of these factors in that specific instance.

Footnotes:

⁷³ ESRB at 2.

⁷⁴ See http://www.epic.org/privacy/amazon/ftc_amazon.pdf (last accessed 10/12/05).

b. "Actual Knowledge"

The Commission also asked whether the term "actual knowledge" is sufficiently clear. The Rule's requirements apply to operators of Web sites other than those directed to children (sometimes referred to as "general audience Web sites") if such operators have "actual knowledge" that they are collecting or maintaining personal information from children.⁷⁵The Rule's Statement of Basis and Purpose explains that a general audience Web site operator has the requisite actual knowledge if it "learns of a child's age or grade from the child's registration or a concerned parent * * * ."⁷⁶It may have the requisite knowledge if it asks age, grade, or other age-identifying questions.⁷⁷Subsequent to the Rule's issuance, the Commission staff posted guidance on the FTC Web site clarifying that a general audience Web site operator does not obtain actual knowledge of a child's age "[i]f a child posts personal information on a general audience site, but doesn't reveal his or her age * * *"⁷⁸In addition, the guidance provides that the operator would not have actual knowledge if a child posts his or her age in a chat room on the site, but no one at the operator sees or is alerted to the post.⁷⁹

Footnotes:

⁷⁵ 16 CFR 312.3.

⁷⁶ 64 FR 59892.

⁷⁷ Id.

⁷⁸ COPPA FAQs, question 38, available at http://www.ftc.gov/privacy/coppafaqs.htm#teen.

⁷⁹ Id. The Commission also released a business alert in 2004 reiterating its guidance on actual knowledge, in conjunction with filing complaints and consent decrees against two general audience Web site operators that allegedly had actual knowledge that they were collecting personal information from children. See February 18, 2004 FTC news release at http://www.ftc.gov/opa/2004/02/bonziumg.htm and FTC Business Alert entitled The Children's Online Privacy Protection Rule: Not Just for Kids Sites at http://www.ftc.gov/bcp/conline/pubs/alerts/coppabizalrt.htm.

Most commenters stated that the Rule's Statement of Basis and Purpose and subsequent guidance have made the term "actual knowledge" sufficiently clear and no modification to the Rule is necessary.⁸⁰For example, one commenter states "the Commission's guidance clarifying that asking for age or date of birth information or similar questions through which the Web site would learn the ages of specific visitors[] provides clear criteria for Web sites to determine their obligations."⁸¹One commenter did suggest, however, that the Commission continue to clarify the term in the context of additional enforcement actions.⁸²The Commission concludes that no modifications to the Rule are necessary on the basis of these comments.

Footnotes:

⁸⁰ E.g., DMA 2 at 3-4; Nickelodeon at 9-10; Time Warner at 6-7.

⁸¹ Nickelodeon at 10.

⁸² EPIC 2 at 5.

c. Age Screening and Age Falsification

General audience Web sites or those directed to teenagers may attract a substantial number of children under the age of 13. Although such Web sites are not directed at children under 13, operators of such sites must comply with the Rule to the extent that they have "actual knowledge" that visitors are under 13.

Some operators of such Web sites choose to screen visitors to determine whether they are under 13. This practice, popularly referred to as "age-screening," started with Web sites directed to teenagers and is now used by many general audience Web sites that may appeal to children. Some general audience Web sites appear to use age-screening to reject children's registration requests, thus providing children with an incentive to falsify their age to gain access. The FTC staff has issued guidance regarding how operators of teen-directed Web sites can obtain age information from their visitors without encouraging age falsification.⁸³

Footnotes:

⁸³ COPPA FAQs, question 39, available at http://www.ftc.gov/privacy/coppafaqs.htm#teen.

The Commission asked if there was evidence that a substantial number of children were falsifying age information in response to age-screening on general audience Web sites and, if so, whether the Rule should be modified to address this problem. The Commission received five comments concerning age-screening. Two commenters stated that some children falsify their age to register on Web sites that screen for age, but provided no empirical information as to how frequently this occurs.⁸⁴Other commenters stated that age falsification is not a problem in practice, especially when Web sites follow Commission staff guidance and request age information in a neutral manner, then set session cookies to prevent children from later changing their age.⁸⁵One commenter suggested that attempting to regulate online age falsification would be unrealistic, because there is no way to prevent certain children from falsifying their age.⁸⁶Instead, commenters stressed that following Commission staff guidance on age-screening remains a reasonable practice for teen or general audience site operators seeking to comply with the Rule.⁸⁷The Commission has concluded that no changes to the Rule are needed in response to operators' age-screening practices.

Footnotes:

⁸⁴ Aftab at 5; WLF at 5.

⁸⁵ DMA 2 at 4; Time Warner at 6.

⁸⁶ WLF at 5.

⁸⁷ DMA 2 at 4; Time Warner at 6. One commenter reported that age-screening in the shopping area of its general audience Web site was preventing adults who enter an age under 13 from completing their purchase. Mattel at 2-3. As discussed in the text, age-screening is designed for general audience Web sites or portions of Web sites that may appeal to children. The shopping areas of Web sites are unlikely to attract children because making a purchase online generally requires a credit card, which most children do not have. The Commission therefore has not advocated that operators of general audience Web sites, like the commenter, ask age-screening questions on the shopping areas of their sites.

d. Other Definitions

Few comments were submitted about the definitions of other terms used in the Rule. Two commenters suggested that the term "internal use" is not adequately defined.⁸⁸The Rule does not define the term "internal use," but it does define "disclosure" to include releasing personal information collected from a child, except to a person providing internal support for the operations of the Web site.⁸⁹The Rule also explicitly provides that persons providing internal support cannot use the information for any other purpose.⁹⁰The Rule's Statement of Basis and Purpose further explains that "support for the internal operations of the Web site" can include providing technical support, servers, or services such as chat and e-mail.⁹¹

Footnotes:

⁸⁸ Privo at 5; EPIC at 2.

⁸⁹ 16 CFR 312.2.

⁹⁰ Id.

⁹¹ See 64 FR 59890-91.

The commenters that asked that "internal use" of information be defined specifically sought clarification as to whether sharing information among corporate affiliates constitutes an internal use or a disclosure. The Rule's Statement of Basis and Purpose explains that determining whether an operator's sharing of information with another entity is an internal use or a disclosure depends on the receiving entity's relationship to the information. Sharing information with another entity can constitute an internal use of the information only if it is solely to facilitate internal support services for the operator and the entity does not use the information for any other purpose.⁹²Sharing for any other use, whether or not the other entity is a corporate affiliate, constitutes a disclosure.⁹³The Commission concludes that no modification to the Rule is necessary.

Footnotes:

⁹² Id . at 59890, 59891. The Rule's Statement of Basis and Purpose incorporates by reference a set of factors that can be used to help define an entity's relationship to collected information, including ownership, control, payment, use, and maintenance of the information, as well as any pre-existing contractual relationships. Id. at 59891, citing 64 FR 22750, 22752 (Apr. 27, 1999). See also COPPA FAQs, question 47, at http://www.ftc.gov/privacy/coppafaqs.htm.

⁹³ Id.

Another commenter suggested that the Commission expand the Rule's definition of "operator" to include individuals operating noncommercial Web sites and nonprofit entities operating Web sites.⁹⁴COPPA expressly applies only to operators of Web sites and online services "operated for commercial purposes" and excludes "any nonprofit entity that would otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. 45)."⁹⁵The Rule includes the statutory language of COPPA,⁹⁶so the Commission cannot modify the definition.

Footnotes:

⁹⁴ Reguin.

⁹⁵ 15 U.S.C. 6502(2).

⁹⁶ 16 CFR 312.2. The Commission staff has provided guidance encouraging all operators to practice fair information principles with their visitors, http://www.ftc.gov/privacy/coppafaqs.htm#teen, and many nonprofit Web sites do voluntarily comply with COPPA and the Rule because they want to protect children's safety and privacy. In addition, Federal policy requires all federal Web sites to provide their child visitors with COPPA protections. Memorandum for the Heads of Executive Departments and Agencies , M-00-13 (June 22, 2000), available at http://www.whitehouse.gov/omb/memoranda/m00-13.html .

Finally, one commenter sought clarification of certain statutory terms set forth in COPPA, such as "online contact information," "personal information," "retrievable form," and "recontact."⁹⁷To provide businesses and consumers with additional guidance, the Commission has provided more specific articulations of some of COPPA's statutory terms in the Rule and the Rule's Statement of Basis and Purpose. For example, the commenter asked the Commission to clarify whether certain types of information not specifically listed in COPPA's definition of "personal information," such as IP addresses, unique identifiers, birthdates, or photographs, do constitute "personal information." The Rule's definition of "personal information" includes "a persistent identifier * * * associated with individually identifiable information" as well as a photograph when combined with other information that permits contacting the individual.⁹⁸The Commission concludes that no additional clarification of the particular terms identified by this commenter is necessary.

Footnotes:

⁹⁷ Chapin.

⁹⁸ 16 CFR 312.2.

For the reasons discussed above, the Commission concludes that no modifications to the Rule's current definitions are necessary.

2. Section 312.4: Notice

Section 312.4 of the Rule requires operators to provide notice of their information practices to parents. These notices must inform parents about their information practices, including what information they collect from children online, how they use the information, and their disclosure practices for such information. The Commission requested comment on whether the notice requirement is effective, if its benefits outweigh its costs, and what changes, if any, should be made to it.

Two commenters submitted comments on the Rule's notice provision. The first commenter noted the importance of providing parents with contact information for the operator, so they can discuss and attempt to resolve any concerns with the operator.⁹⁹The commenter did not seek any changes to the Rule's notice provision.

Footnotes:

⁹⁹ CUNA 2 at 1-2.

The second commenter stated that it was unclear whether the Rule requires a general audience Web site operator with actual knowledge that it has collected personal information from a child to post a privacy notice on its site.¹⁰⁰Section 312.4(b) of the Rule sets forth the requirements for posting a privacy notice on a Web site, including which operators must post a privacy notice online.¹⁰¹According to the Rule, "an operator of a Web site or online service directed to children must post a link to a notice of its information practices with regard to children * * *"¹⁰²In addition, "[a]n operator of a general audience website or online service that has a separate children's area or site must post a link to a notice of its information practices with regard to children* * *."¹⁰³The Rule therefore does not otherwise require that operators post privacy notices, including general audience site operators that have actual knowledge that they have collected personal information from children. For the above reasons, the Commission concludes that no modification to the Rule's notice requirement is necessary.

Footnotes:

¹⁰⁰ Microsoft at 2-3.

¹⁰¹ 16 CFR 312.4.

¹⁰² 16 CFR 312.4(b).

¹⁰³ Id.

3. Section 312.5: Verifiable Parental Consent

a. General Issues

Section 312.5 of the Rule requires operators to obtain verifiable parental consent before collecting, using, or disclosing any personal information from children, including making any material change to information practices to which the parent previously consented. The Commission requested comment on whether the consent requirement is effective, if its benefits outweigh its costs, and what changes, if any, should be made to the requirement. The Commission further asked whether it is reasonable for an operator to use a credit card to verify a parent's identity. The Commission also offered an additional opportunity for the public to comment on the Rule's sliding scale approach to obtaining verifiable parental consent.

1. Parental Opt-Out From Disclosure to Third Parties

One commenter asked how operators that provide online communication services such as e-mail accounts, bulletin boards, and chat rooms can comply with Section 312.5(a)(2) of the Rule.¹⁰⁴This section mandates that parents must be given the option to allow an operator to collect a child's personal information (such as by registering a child for an e-mail or chat account) but not disclose the information collected to third parties.¹⁰⁵The commenter noted that the Rule defines "disclosure" to include "making personal information collected * * * publicly available in identifiable form," such as through an e-mail account or chat room.¹⁰⁶Specifically, the commenter contended that "a parent cannot realistically consent only to the use of his or her child's personal information and not to the disclosure of such information by these [online communications] services."¹⁰⁷

Footnotes:

¹⁰⁴ Microsoft at 4.

¹⁰⁵ 16 CFR 312.2.

¹⁰⁶ Microsoft at 4, citing 16 CFR 312.2.

¹⁰⁷ Id.

Commission staff guidance addresses this point. "The Rule only requires parental choice as to disclosures to third parties. You don't have to offer parents choice regarding the collection of personal information necessary for chat or a message board; but prior parental consent is still required before permitting children to participate in chat rooms or message boards that enable them to make their personal information publicly available."¹⁰⁸For example, when an e-mail provider obtains verifiable parent consent for registering a child for an e-mail account, the operator must let the parent opt out from any disclosures, by the operator, of information collected during the registration process. The Commission concludes that no modification to the Rule is required.

Footnotes:

¹⁰⁸ COPPA FAQs, question 37, available at http://www.ftc.gov/privacy/coppafaqs.htm#consent. See also 64 FR at 59899, note 166.

2. Using a Credit Card To Obtain Verifiable Parental Consent

The Rule sets forth a nonexclusive list of approved methods to obtain verifiable parental consent, including the use of a credit card in connection with a transaction.¹⁰⁹In light of reports that companies are marketing credit cards to minors,¹¹⁰the Commission specifically requested comment on the continued use of credit cards as a means of obtaining verifiable parental consent.

Footnotes:

¹⁰⁹ 16 CFR 312.5(b).

¹¹⁰ See, e.g. , articles at http://www.bankrate.com/brm/news/cc/20000508.asp; http://www.commercialalert.org/blog/archives/2005/02/marketing_credi.html; http://www.fool.com/news/commentary/2004/commentary04092804.htm (all last accessed 12/07/05).

The majority of commenters on this issue stated that even if a small percentage of children may possess credit cards, using a credit card with a transaction is a reasonable and trustworthy method to obtain verifiable parental consent.¹¹¹No information was submitted demonstrating to what extent credit cards are issued to children under 13.¹¹²Commenters, however, emphasized that granting credit requires the formation of a legally enforceable contract between the creditor and the debtor, which has resulted in credit cards being issued almost exclusively to adults.¹¹³Moreover, even if credit cards are being issued to children under 13, the same principles of contract law would require the credit cards to be linked to a supervisory adult's account.¹¹⁴Through this link, parents can set controls on and monitor the account, ensuring that the children cannot use the credit cards without permission.¹¹⁵

Footnotes:

¹¹¹ DMA 2 at 4, 5; ESRB at 2; Mattel 2 at 5; MPAA 2 at 6-8; Nickelodeon at 10-11; Scholastic at 2; Time Warner at 2.

¹¹² DMA 2 at 4; ESRB at 2; Mattel 2 at 5; MPAA 2 at 6; Scholastic at 2; Time Warner at 7.

¹¹³ DMA 2 at 4; MPAA 2 at 7-8; Nickelodeon at 10; Scholastic at 2; Time Warner at 7-8.

¹¹⁴ DMA 2 at 4; MPAA 2 at 6; Nickelodeon at 10; Time Warner at 7.

¹¹⁵ CUNA 2 at 2; NFCU 2 at 1.

In addition, the Rule's requirement that the credit card be used in connection with a transaction provides extra reliability because parents obtain a transaction record that gives them additional notice of the consent provided.¹¹⁶Parents thus are notified of the purported consent, and can withdraw it if improperly given.¹¹⁷The Commission is satisfied that no change in circumstances has invalidated using a credit card with a transaction to obtain verifiable parental consent.¹¹⁸

Footnotes:

¹¹⁶ MPAA 2 at 6.

¹¹⁷ DMA 2 at 5; MPAA 2 at 7.

¹¹⁸ The Commission expresses no view about the legal ramifications of using a credit card transaction as a proxy for age generally, a tangential issue raised by some commenters. Mattel 2 at 5; MPAA at 7-8; Nickelodeon at 10-11; Scholastic at 2; Time Warner at 8.

One commenter requested clarification on whether the Rule would permit using a credit card to obtain verifiable parental consent without a concomitant transaction.¹¹⁹The Rule provides: "Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent."¹²⁰Some methods can confirm that the credit card number provided is consistent with numbers that issuers assign to their credit cards, but this does not provide reasonable assurance that the number provided is for an actual credit card. Other methods can confirm that the credit card number is the number of an actual credit card, but does not provide reasonable assurance that the card belongs to the child's parent. The Commission therefore concludes that these methods are not reasonably calculated to ensure that it was the parent who provided consent. In addition, unless the operator conducts a transaction in connection with the consent, no record is formed notifying the parent of the purported consent and offering an opportunity to revisit that consent.¹²¹The Commission concludes that no modification is warranted to the Rule provision treating the use of a credit card in connection with a transaction as one method of obtaining verifiable parental consent.¹²²

Footnotes:

¹¹⁹ ESRB at 2.

¹²⁰ 16 CFR 312.5(b)(1).

¹²¹ DMA 2 at 5.

¹²² Previous FTC staff guidance suggested that operators might not always be prohibited from using a credit card without a transaction to obtain consent. Such guidance will be clarified to reflect the Commission's determination that such a method currently does not constitute verifiable parental consent. See COPPA FAQs, question 34, at http://www.ftc.gov/privacy/coppafaqs.htm#consent.

3. The E-Mail Exceptions to Prior Parental Consent

The Commission next requested comment on the Rule's exceptions to prior parental consent (the "e-mail exceptions" to prior parental consent). In limited circumstances, COPPA and Section 312.5(c) of the Rule allow operators to collect the online contact information of the child, and sometimes parent, before obtaining verifiable parental consent.¹²³Such circumstances include when the operator seeks to obtain parental consent, wants to respond once to a child's specific request (such as a homework help question), or wants to respond multiple times to a child's specific request (such as an electronic newsletter).¹²⁴

Footnotes:

¹²³ 15 U.S.C. 6503(b)(2); 16 CFR 312.5(c).

¹²⁴ Id.

Two commenters stated that the e-mail exceptions are useful in allowing operators to continue to provide interactive content to children online. One stated: "The ability to use COPPA's 'e-mail exceptions' to parental consent has enabled us to offer meaningful children's content and preserve the interactivity of the medium, while still protecting privacy."¹²⁵The commenter noted that the e-mail exceptions enable not only online activities popular with children, such as contests, online newsletters, and electronic postcards, but also sending direct notices and requests for consent to parents.¹²⁶

Footnotes:

¹²⁵ Nickelodeon at 1.

¹²⁶ Id. at 5.

Another commenter suggested that the Rule should prohibit operators from collecting any information from children, even just an e-mail address, without parental consent. However, the commenter neither provided any basis for eliminating the e-mail exceptions nor offered any alternative way to provide direct notice and obtain parental consent.¹²⁷The Commission concludes for these reasons that no modification to the e-mail exceptions to prior parental consent is necessary.

Footnotes:

¹²⁷ Domentech at 6.

b. The Sliding Scale Approach To Obtaining Verifiable Parental Consent

In its April 2005 FRN, the Commission gave the public an additional opportunity to comment on the Rule's sliding scale approach to obtaining verifiable parental consent. The Rule provides that "[a]ny method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent."¹²⁸Prior to issuing the Rule, the Commission studied extensively the state of available parental consent technologies.¹²⁹In July 1999, the Commission held a workshop on parental consent, which revealed that more reliable electronic methods of verification were not widely available or affordable.¹³⁰

Footnotes:

¹²⁸ 16 CFR 312.5(b)(1).

¹²⁹ See, e.g. , public comments received on initial rulemaking (1999), available at http://www.ftc.gov/privacy/comments/index.html .

¹³⁰ See FTC news release announcing workshop and transcript of workshop, available at http://www.ftc.gov/opa/1999/06/kidswork.htm and http://www.ftc.gov/privacy/chonlpritranscript.pdf .

In determining to adopt the sliding scale approach in 1999, the Commission balanced the costs imposed by the method of obtaining parental consent and the risks associated with the intended uses of information.¹³¹Because of the limited availability and affordability of the more reliable methods of obtaining consent-including electronic methods of verification-the Commission found that these methods should be required only when obtaining consent for uses of information posing the greatest risks to children, such as chat, e-mail accounts, and message boards.¹³²Accordingly, the Commission implemented the sliding scale approach, noting that it would "provide[] operators with cost-effective options until more reliable electronic methods became available and affordable, while providing parents with the means to protect their children."¹³³

Footnotes:

¹³¹ 64 FR 59901-02.

¹³² Id.

¹³³ Id.

The sliding scale approach allows an operator, when collecting personal information only for its internal use, to obtain verifiable parental consent through an e-mail from the parent, so long as the e-mail is coupled with additional steps. Such additional steps include: obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call, or sending a delayed confirmatory e-mail to the parent after receiving consent.¹³⁴The purpose of the additional steps is to provide greater assurance that the person providing the consent is, in fact, the parent.

Footnotes:

¹³⁴ Id. CARU, a Commission-approved COPPA safe harbor program, expressed concern that operators may not understand that an additional step is required.

In contrast, for uses of personal information that involve disclosing the information to the public or third parties, the Rule requires operators to use more reliable methods of obtaining verifiable parental consent. These methods include: using a print-and-send form that can be faxed or mailed back to the Web site operator; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free telephone number staffed by trained personnel; using a digital certificate that uses public key technology; and using e-mail accompanied by a PIN or password obtained through one of the above methods.¹³⁵As noted in the Rule's Statement of Basis and Purpose, these more reliable methods of obtaining parental consent are justified because "the record shows that disclosures to third parties are among the most sensitive and potentially risky uses of children's personal information."¹³⁶

Footnotes:

¹³⁵ 16 CFR 312.5(b)(2).

¹³⁶ 64 FR 59899.

When it issued the Rule, the Commission anticipated that the sliding scale approach would be necessary only in the short term because more reliable methods of obtaining verifiable parental consent would become widely available and affordable.¹³⁷Accordingly, the approach originally was set to expire two years after the Rule went into effect.¹³⁸However, when public comment in 2002 revealed that the expected progress in available technology had not occurred, the Commission extended the approach three more years.¹³⁹

Footnotes:

¹³⁷ 64 FR 59902.

¹³⁸ 16 CFR 312.5(b)(2).

¹³⁹ 67 FR 18818.

With the sliding scale approach set to expire on April 21, 2005, the Commission again sought comment on it in its January 2005 NPR.¹⁴⁰The NPR noted that the expected progress in available technology apparently still had not transpired and requested comment on a proposed amendment making the sliding scale approach a permanent feature of the Rule. The Commission also requested comment on: (1) The current and anticipated availability and affordability of more secure electronic mechanisms or infomediaries for obtaining parental consent; (2) the effect of the sliding scale approach on the incentive to develop and deploy more secure electronic mechanisms; (3) the effect of the sliding scale approach on operators' incentives to disclose children's personal information to third parties or the public; and (4) any evidence the sliding scale approach is being misused or not working effectively.

Footnotes:

¹⁴⁰ 70 FR 2580.

The vast majority of the commenters responding to the NPR stated that the development and deployment of secure electronic verification technologies did not appear to be on the horizon. However, because some commenters questioned the effectiveness of and need for the sliding scale approach, the Commission decided it would be beneficial to accept additional comments during the regulatory review comment period. To allow for such additional comments, the Commission eliminated the sliding scale approach's sunset date from the Rule, thereby extending the approach.¹⁴¹

Footnotes:

¹⁴¹ 70 FR at 21106.

Having reviewed the comments submitted in response to the January 2005 NPR and the April 2005 NPR, the Commission concludes that more secure electronic mechanisms and infomediary services for obtaining verifiable parental consent are not yet widely available at a reasonable cost. The Commission therefore has decided to extend the sliding scale approach indefinitely, while continuing to monitor technological developments. As discussed below, the Commission believes that this flexible approach will allow parents and operators to continue to rely on a familiar and efficient tool and allow the Rule to reflect changes in technology.

1. The Availability and Cost of More Secure Methods of Verification

a. Electronic Verification Technology

Most of the commenters that specifically addressed the sliding scale approach stated that secure electronic mechanisms have not developed to the point where they are widely available and affordable.¹⁴²In addition, the anticipated date for the development and deployment of such technologies on a widespread and affordable basis cannot be predicted with any reasonable certainty.¹⁴³For example, the Software Information Industry Association, the principal and worldwide trade association of the software code and digital content industry, stated that:

Footnotes:

¹⁴² ADVO at 1; Aftab at 5; AAAA at 2; CARU at 2; CASRO at 3-5; CMOR; CUNA at 2; CUNA 2 at 2; DMA at 4; DMA 2 at 6; EPIC at 2; EPIC 2 at 3; ITLG at 1; Masterfoods; Mattel at 1; Mattel 2 at 4; MPAA at 6; NCTA at 2; NFCU at 1; NCFU 2 at 1-2; Nickelodeon at 8; PG; SIIA at 1; Scholastic at 2; Time Warner 3-4; TRUSTe at 2; U.S. ISPA at 1; WLF at 6-7.

¹⁴³ CASRO at 5-6; DMA at 4; MPAA at 2; SIIA at 3; Time Warner at 3-4; U.S. ISPA at 3.

In reviewing developments over the last several years, there are no clear signals that the anticipated verification technology-technology that must be low-cost, widely deployed and acceptable to consumer end users-is likely to be economically and widely available in the consumer market in the foreseeable future.¹⁴⁴

Footnotes:

¹⁴⁴ SIIA at 3.

The comments received suggest that extending the sliding scale approach will not discourage technological innovation or undermine the global development of secure electronic verification technologies.¹⁴⁵One commenter noted that the sliding scale approach does not prevent companies from using secure electronic technologies now or in the future.¹⁴⁶Although three commenters suggested that extending the sliding scale approach may discourage the development of secure verification technologies, none explained how or to what extent children's privacy and parental consent issues would have such an effect.¹⁴⁷

Footnotes:

¹⁴⁵ CARU at 2; Mattel at 1.

¹⁴⁶ MPAA at 6.

¹⁴⁷ CASRO at 6; Mehdikdani at 3; Privo at 7.

Several commenters discussed the state of electronic verification technology in detail and noted the lack of widely available, cost effective, and consumer friendly verification technologies.¹⁴⁸In particular, commenters discussed how digital signatures, digital certificates, public key infrastructure, P3P, and other electronic technologies have not developed as anticipated.¹⁴⁹For example, the Motion Picture Association of America ("MPAA") said that "the range of digital signature technologies are either too costly for consumers ( e.g. , biometric verification systems), not able to confirm the identity of users ( e.g. , P3P), or not widely deployed ( e.g. , encryption key systems)."¹⁵⁰The MPAA further stated that encryption key technology is only effective at confirming which computer has transmitted consent and cannot independently identify whether the user is a parent or a child.¹⁵¹No commenters presented evidence that the state of these technologies-or their usefulness in obtaining parental consent-has improved since the inception of the Rule.

Footnotes:

¹⁴⁸ Aftab at 5; CASRO at 3-5; Mattel 2 at 4; MPAA at 5-6; SIIA at 3; Time Warner at 3-4; U.S. ISPA at 2-3.

¹⁴⁹ Id.

¹⁵⁰ MPAA at 5.

¹⁵¹ Id. at 5-6.

The United States Internet Service Provider Association, which represents major Internet service providers and network providers, explained that widespread public key infrastructure solutions have not developed due to the lack of an appropriate legal regime: "there is no easily identifiable certification authority that will take on the liability for verifying identities in an open, public system."¹⁵²The group also stated that reliable public key solutions are difficult to achieve because "certification standards are insufficiently developed and precise to assure reliable interoperability of the various subtly different implementations of a given standard * * * that inevitably appear in the open Internet environment."¹⁵³

Footnotes:

¹⁵² US ISPA at 3.

¹⁵³ Id.

The Platform for Privacy Preferences Project ("P3P"), developed by the World Wide Web Consortium, is a technology that enables Web sites to express their privacy practices in a standard, machine-readable format. P3P-enabled browsers can "read" privacy practices automatically and compare them to a consumer's own set of privacy preferences. The technology is designed to give consumers a simple, automated way to gain more control over the use of their personal information on Web sites they visit.¹⁵⁴While P3P technology can offer individuals more control over how their personal information is used or disclosed online, it is not employed widely by consumers.¹⁵⁵Even if it were widely used, the automated P3P platform would not facilitate the notice and consent required by COPPA. To give verifiable parental consent under COPPA, a parent must be informed about specific information and then provide an appropriate form of verifiable parental consent. P3P cannot ensure either that a parent has been informed or that the person providing consent is the child's parent. Moreover, parents' privacy preferences for themselves might not be the same as for their children.

Footnotes:

¹⁵⁴ See World Wide Web Consortium Recommendation for the Platform for Privacy Preferences 1.0 (P3P1.0) Specification, available at http://www.w3.org/TR/P3P/#Introduction.

¹⁵⁵ CASRO at 4-5; MPAA at 5.

Other commenters agreed that digital signature, digital certificate, and other digital verification technologies are not currently viable options for obtaining parental consent because they have not developed sufficiently and are not widely accessible to consumers.¹⁵⁶One commenter also noted that the cost of these technologies may be prohibitive for both businesses and consumers to use in obtaining parental consent.¹⁵⁷

Footnotes:

¹⁵⁶ CARU at 2; Mattel at 1; Mehdikdani at 1; NCTA at 2.

¹⁵⁷ MPAA at 6.

Finally, commenters also noted that, to the extent these electronic verification technologies have improved, the advances have been in business-to-business, not business-to-consumer, applications.¹⁵⁸For example, digital signature and digital certificate technologies, which can provide reliable electronic verification of a signer's identity, are sometimes employed in commercial transactions, but have not advanced to the point of being a viable alternative for obtaining verifiable parental consent.¹⁵⁹Public key infrastructure solutions, which provide a means for encrypting and decrypting information, also seem to be marketed almost exclusively for business-to-business applications.¹⁶⁰

Footnotes:

¹⁵⁸ CASRO at 4-5; MPAA at 5; US ISPA at 2.

¹⁵⁹ CASRO at 4; MPAA at 5.

¹⁶⁰ MPAA at 5; U.S. ISPA at 3.

b. The Availability and Cost of Infomediary Services

Commenters likewise submitted information about whether infomediary services are widely available and affordable. Infomediary services act as middlemen in obtaining verifiable parental consent for Web sites and can offer options such as driver's license and social security number verification. Several commenters noted that infomediary services to facilitate obtaining verifiable parental consent are not widely available and affordable.¹⁶¹

Footnotes:

¹⁶¹ CASRO at 5; ITLG at 1; PG.

One commenter, Privo Inc., an infomediary service recently approved as a COPPA safe harbor program, stated that such services are already widely available at a reasonable cost, but cited only one example, itself.¹⁶²Privo's comment did not indicate how many clients have used its service, although another commenter stated that it has used Privo's service.¹⁶³This commenter expressed support for Privo's registration process; however, it did not contend that infomediary services are otherwise widely available.¹⁶⁴

Footnotes:

¹⁶² Privo at 6. Privo did note that it has "processed hundreds of thousands of online registrations requiring verifiable parental consent."

¹⁶³ Schwab Learning at 1.

¹⁶⁴ Id.

The comments received did not demonstrate that infomediary services are affordable or would be widely used. Privo's comment did not provide any information about the start-up and monthly costs for operators that use its service, although it stated that it "currently does not charge more than $1 per verification, and often much less."¹⁶⁵Other commenters, in contrast, stated that the costs of obtaining verifiable parental consent through more verifiable means, like infomediary services, are higher than what many small and medium-size operators can afford to pay.¹⁶⁶Moreover, one commenter stated that parents are willing to grant consent to an operator with a recognizable brand name, but would be unlikely to "embrace infomediary technology" because it involves granting consent to an entity with which the parents have little or no experience.¹⁶⁷Consequently, the Commission finds that more secure electronic verification technologies and infomediary services to facilitate obtaining parental consent do not appear to be, currently or foreseeably, widely available at a reasonable cost.¹⁶⁸

Footnotes:

¹⁶⁵ Privo at 6.

¹⁶⁶ CARU at 2; DMA at 5; ITLG at 1; MPAA at 3-4; see also PG; SIIA at 3.

¹⁶⁷ Mattel 2 at 4.

¹⁶⁸ One commenter stated that more research is required to better understand the role of infomediaries but did not explain what specifically needs to be studied. CDD at 2.

2. The Effectiveness of the Sliding Scale Approach

The Commission concludes that, over the course of five years, the sliding scale approach has proven to be an effective method for protecting children's privacy without hindering the development of children's online content.¹⁶⁹Several commenters noted that there have been few complaints by parents about the sliding scale approach.¹⁷⁰Although some commenters suggested that the e-mail plus mechanism, permitted for internal use of information collected from children, is unreliable, they did not provide any examples where children's privacy has been violated.¹⁷¹One commenter was concerned that operators may not understand that an additional follow-up step is required in addition to the consent e-mail itself.¹⁷²

Footnotes:

¹⁶⁹ Comments that support the Commission's conclusion include: ADVO at 1; AAAA at 1; ALA; Brewer; CARU at 2; DMA at 2; Mattel 2 at 4; MPAA at 2; NCTA at 1; PG; Scholastic at 2; SIIA at 3; Time Warner at 3-4; US ISPA at 3; WLF at 4, 6.

¹⁷⁰ ALA; CARU at 2; CASRO at 7; CoSN; DMA at 4; Mattel at 2; Mattel 2 at 4; MPAA at 3; NCTA at 2; Scholastic at 2; WLF at 7. These comments are consistent with the FTC staff's enforcement experience.

¹⁷¹ E.g. , Acampora; Privo at 2, 4-5; Villamil at 3; Vogel at 1-2. Some commenters appear to be under the misimpression that the Rule permits operators to obtain consent through a single e-mail, without more. E.g., Abbate and 47 other commenters who submitted form letters.

¹⁷² CARU at 2. The commenter did not suggest any particular language that might further clarify the language, which identifies such steps as "sending a confirmatory e-mail to the parent following receipt of consent; or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call." 16 CFR 312.5(b)(2).

Some comments received in response to the January 2005 NPR suggested that making the sliding scale approach permanent may foster the development of appropriate children's online content.¹⁷³These commenters noted that the sliding scale approach enables Web sites to provide interactive content for children without requiring operators to institute more costly parental consent mechanisms that could have the unintended effect of reducing children's content on the Internet.¹⁷⁴The commenters suggested that making the sliding scale approach permanent may encourage companies to make the types of investments in children's content that they may have hesitated to make in the past given the temporary nature of the sliding scale approach.¹⁷⁵

Footnotes:

¹⁷³ ADVO at 1; AAAA at 1; CoSN 2 at 1; DMA at 4-5; MPAA at 4; Nickelodeon at 1-2, 8; SIIA at 3.

¹⁷⁴ ADVO at 1; AAAA at 1; DMA at 4-5; MPAA at 4; SIIA at 3.

¹⁷⁵ Id.; Nickelodeon at 8.

Nearly all commenters agreed that use of the sliding scale approach is justified because collecting children's personal information only for internal use continues to present a low risk to children.¹⁷⁶Even when an operator obtains consent through the e-mail plus mechanism, such information is protected because the operator must comply with the Rule's mandate to "establish and maintain reasonable procedures to protect the confidentiality, security, and integrity" of that information.¹⁷⁷In addition, commenters noted that disclosing children's personal information continues to pose a greater risk to children than keeping it internal.¹⁷⁸Some commenters stated that the low cost of the e-mail plus mechanism will encourage operators to not disclose children's information to third parties,¹⁷⁹which furthers one of COPPA's stated goals of protecting children's online safety.¹⁸⁰Two commenters even suggested that, given the lesser risks posed by operators' internal uses of information, the Commission should eliminate the prior parental consent requirement for such operators and require them only to provide parents with direct notice and an opportunity to opt-out of the maintenance and use of their child's information.¹⁸¹

Footnotes:

¹⁷⁶ ADVO at 1; AAAA at 1; ALA; Brewer; CARU at 2; CoSN; CUNA at 1-2; ICUL; Mattel at 1; NFCU at 1; PG; SIIA at 4; US ISPA at 3. But cf. Privo at 5; Villamil at 1, 3; Vogel at 1, 2 (stating that internal use and disclosure are equally risky).

¹⁷⁷ 16 CFR 312.8.

¹⁷⁸ ADVO at 1; AAAA at 1; Brewer; CARU at 2; CoSN; CUNA at 1-2; DMA at 2-3; ICUL; Mattel at 1; NFCU at 1; PG; SIIA at 4; US ISPA at 3.

¹⁷⁹ ADVO at 1; ALA 2 at 2; CASRO at 6; CUNA at 2; NFCU at 1; TRUSTe at 2.

¹⁸⁰ ADVO at 1; CUNA at 2; NFCU at 1.

¹⁸¹ CARU at 2; Mattel at 2.

The Commission concludes that the effectiveness of the sliding scale approach warrants its continued use without modification.

3. The Commission's Decision To Extend the Sliding Scale on an Indefinite Basis

Several commenters argued that the sliding scale approach should be made permanent rather than extending it for a finite period of time. They stressed the benefits of greater regulatory certainty, including providing a consistent standard that operators can rely on in deciding how to structure their activities and encouraging investments in children's content with some assurance about the law's requirements for parental consent mechanisms.¹⁸²Some commenters additionally noted that many operators have made significant investments in implementing the sliding scale and that abandoning the regime without an equally viable, cost-effective alternative may adversely affect these companies, particularly the small ones.¹⁸³

Footnotes:

¹⁸² DMA at 5; MPAA at 2; NCTA at 2; PG; SIIA at 3.

¹⁸³ CASRO at 6; CARU at 2; ITLG at 1; Mattel at 1; MPAA at 3; NCTA at 2.

Based on the public comments received, and its own experience in administering the Rule, the Commission concludes that the risk to children's privacy from an operator collecting personal information only for its internal use remains relatively low. The Commission also determines that more secure electronic technologies and infomediary services that might be used to obtain parental consent for internal use of personal information from children are not widely available at a reasonable cost. Further, the Commission concludes that the sliding scale approach has worked well and its continued use may foster the development of children's online content.

In light of the unpredictability of technological advancement and the benefits of decreasing regulatory uncertainty, the Commission has determined to retain the sliding scale indefinitely while it continues to evaluate developments. As one commenter noted, nothing precludes the Commission from revisiting the issue at an appropriate point in the future.¹⁸⁴If warranted by future developments, the Commission will seek comment on amending the Rule to change the sliding scale mechanism.

Footnotes:

¹⁸⁴ CUNA at 2.

4. Section 312.6: Parental Access

Section 312.6 of the Rule requires operators to give a parent, upon request: (1) A description of the types of personal information collected from children ( e.g. , "We collect full name and e-mail address from children"); (2) the opportunity for the parent to refuse to permit the further use or collection of personal information from his or her child and direct the deletion of the information; and (3) a means of reviewing any actual personal information collected from his or her child ( e.g. , "We have collected the following information from your child: Mary Smith, msmith@domain.com"). The Commission asked if these requirements are effective, if their benefits outweigh their costs, and what changes, if any, should be made.

The Commission received one comment related to a parent's right to direct the operator to delete the child's personal information.¹⁸⁵The commenter indicated that operators may want to retain children's personal information in certain situations, ranging from private contractual obligations to active law enforcement investigations, irrespective of a parent's direction to delete the information.¹⁸⁶The commenter then suggested that the Commission should draft a list of exceptions to the Rule's deletion requirement to address these situations.¹⁸⁷

Footnotes:

¹⁸⁵ 16 CFR 312.6(a)(2).

¹⁸⁶ Microsoft at 3.

¹⁸⁷ Id.

COPPA mandates, and the Rule requires, that operators satisfy three requests when made by parents upon "proper identification."¹⁸⁸First, operators must provide parents with a description of the types of information collected from children.¹⁸⁹Second, operators must provide parents with "the opportunity at any time to refuse to permit the operator's further use or maintenance in retrievable form" of their child's personal information.¹⁹⁰Third, operators must provide parents with the actual information collected from their child.¹⁹¹Without a change in the Act, the Commission cannot adopt the exceptions from the parental deletion requirement the commenter advocated.¹⁹²The Commission also is not aware of information sufficient to justify recommending that Congress amend the Act to create such exceptions.

Footnotes:

¹⁸⁸ 15 U.S.C. 6503(b)(1)(B).

¹⁸⁹ 15 U.S.C. 6503(b)(1)(B)(i).

¹⁹⁰ 15 U.S.C. 6503(b)(1)(B)(ii).

¹⁹¹ 15 U.S.C. 6503(b)(1)(B)(iii).

¹⁹² The Rule does give operators the right to collect, without parental consent, the name and online contact information of a child "to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety." 16 CFR 312.5(c)(5)(iv).

The commenter also requested that the Commission clarify why operators must verify the identity of a purported parent before disclosing his or her child's personal information, but not verify the identity of a purported parent before deleting the information.¹⁹³In drafting the Rule, the Commission carefully considered what level of identification would be appropriate for these two requirements. Erroneously disclosing a child's actual personal information to a purported parent poses a high risk to that child's privacy because the purported parent receives the actual personal information of the child.¹⁹⁴In contrast, erroneously deleting a child's actual personal information poses a lower risk because the purported parent never receives the information.¹⁹⁵The Commission thus concluded that the former, but not the latter, situation warrants verifying the purported parent's identity.¹⁹⁶After reconsideration, the Commission concludes that no modification to this requirement is warranted.

Footnotes:

¹⁹³ In conducting this verification, operators are required to use the same methods that they must use to obtain verifiable parental consent. 16 CFR 312.6(a)(3)(i).

¹⁹⁴ 64 FR at 59904.

¹⁹⁵ Id. at 59904-05.

¹⁹⁶ 16 CFR 312.6(a)(1) and (2).

5. Section 312.7: Prohibition Against Conditioning a Child's Participation on the Collection of More Personal Information Than Is Necessary

Section 312.7 of the Rule prohibits operators from conditioning a child's participation in an activity on disclosing more personal information than is reasonably necessary to participate in that activity. The Commission asked whether this prohibition is effective, if its benefits outweigh its costs, and what changes, if any, should be made to it. The Commission received one comment addressing this provision of the Rule. The commenter raised no concerns and cited this provision as one way in which the Rule has "succeeded in providing more privacy protections and safeguards for both children and their parents."¹⁹⁷The Commission concludes that no changes to this provision are warranted.

Footnotes:

¹⁹⁷ CUNA 2 at 2.

6. Section 312.8: Confidentiality, Security, and Integrity of Personal Information Collected From a Child

Section 312.8 of the Rule requires operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from a child. The Commission asked whether this requirement is effective, if its benefits outweigh its costs, and what changes, if any, should be made to it. The FTC also specifically asked if the term "reasonable procedure" is sufficiently clear. The Commission received no comments addressing this provision of the Rule. The FTC concludes that no modifications to this requirement are necessary.

7. Section 312.10: Safe Harbors

Section 312.10 of the Rule provides that an operator will be deemed in compliance if the operator complies with Commission-approved self-regulatory guidelines. The Commission asked if this "safe harbor" approach is effective, if its benefits outweigh its costs, and what changes, if any, should be made to it. In addressing the Rule's safe harbor provision, commenters uniformly lauded the part played by COPPA safe harbors in making successful the Commission's effort to protect children's online safety and privacy.¹⁹⁸In addition, one commenter stated that the COPPA safe harbors "are an important educational resource on children's privacy issues, and serve to heighten awareness of children's privacy issues more generally."¹⁹⁹Another commenter said, "the Safe Harbor program demonstrates the benefits of a self-regulatory scheme and mechanism for industry to maintain high standards with limited government intervention."²⁰⁰

Footnotes:

¹⁹⁸ DMA 2 at 5; ESRB at 3-4; Mattel 2 at 5-6; TRUSTe at 1-3.

¹⁹⁹ DMA 2 at 5.

²⁰⁰ Mattel 2 at 5-6.

One commenter, a COPPA safe harbor, suggested that the Commission encourage greater participation in COPPA safe harbor programs by amending the Rule to provide that "membership in good standing in a Commission-approved safe harbor program is an affirmative defense to an enforcement action" under COPPA.²⁰¹As this commenter recognized, the Rule already provides that operators "in compliance" with an approved safe harbor program "will be deemed to be in compliance" with the Rule and the Commission will consider an operator's participation in a safe harbor program in determining whether to open an investigation or file an enforcement action, and what remedies to seek.²⁰²The commenter did not provide any evidence demonstrating that these current incentives to participate in safe harbor programs are inadequate. The Commission thus concludes that no changes to the safe harbor provision are necessary.

Footnotes:

²⁰¹ TRUSTe at 3.

²⁰² 16 CFR 312.10(a) and 312.10(b)(4).

IV. Conclusion

For the foregoing reasons, the Commission has determined to retain the Children's Online Privacy Protection Rule without modification.

List of Subjects in 16 CFR Part 312

Communications, Computer technology, Consumer protection, Infants and Children, Privacy, Reporting and recordkeeping requirements, Safety, Science and technology, Trade practices, Youth.

By direction of the Commission.

Donald S. Clark,

Secretary.

[FR Doc. 06-2356 Filed 3-14-06; 8:45 am]

BILLING CODE 6750-01-P