Children's Online Privacy Protection Rule
Final Rule Amendments.
The Commission amends the Children's Online Privacy Protection Rule (“COPPA Rule” or “Rule”), consistent with the requirements of the Children's Online Privacy Protection Act, to clarify the scope of the Rule and strengthen its protections for children's personal information, in light of changes in online technology since the Rule went into effect in April 2000. The final amended Rule includes modifications to the definitions of operator, personal information, and Web site or online service directed to children. The amended Rule also updates the requirements set forth in the notice, parental consent, confidentiality and security, and safe harbor provisions, and adds a new provision addressing data retention and deletion.
4 actions from April 5th, 2010 to December 2011
April 5th, 2010
July 12th, 2010
- ANPRM Extended Comment Period End
September 26th, 2011
- Review Comments
Table of Contents
- FOR FURTHER INFORMATION CONTACT:
- SUPPLEMENTARY INFORMATION:
- Statement of Basis and Purpose
- I. Overview and Background
- A. Overview
- B. Background
- II. Modifications to the Rule
- A. Section 312.2: Definitions
- 1. Definition of Collects or Collection
- a. Collects or Collection, Paragraph (1)
- b. Collects or Collection, Paragraph (2)
- c. Collects or Collection, Paragraph (3)
- 2. Definition of Disclose or Disclosure
- 3. Definition of Online Contact Information
- 4. Definitions of Operator and Web Site or Online Service Directed to Children
- a. Strict Liability for Child-Directed Content Sites: Definition of Operator
- b. Operators Collecting Personal Information Through Child-Directed Sites and Online Services: Moving to an Actual Knowledge Standard
- 5. Definition of Personal Information
- a. Screen or User Names
- c. Photographs, Videos, and Audio Files
- d. Geolocation Information
- 6. Definition of Release of Personal Information
- 7. Definition of Web Site or Online Service Directed to Children
- B. Section 312.4: Notice
- 1. Direct Notice to a Parent
- 2. Notice on the Web Site or Online Service
- C. Section 312.5: Parental Consent
- 1. Electronic Scans and Video Verification
- 2. Government-Issued Identification
- 3. Credit Cards
- 4. Alternative Online Payment Systems
- 5. Electronic or Digital Signatures
- 6. Platform Methods of Parental Consent
- 7. The Sliding Scale (“Email Plus”) Method
- 8. Voluntary Process for Commission Approval of Parental Consent Mechanisms
- 9. Safe Harbor Approval of Parental Consent Mechanisms
- 10. Exceptions to Prior Parental Consent
- a. Section 312.5(c)(1)
- b. Section 312.5(c)(2)
- c. Section 312.5(c)(3) (One-Time Use Exception)
- d. Section 312.5(c)(4) (Multiple Use Exception)
- e. Section 312.5(c)(5) (Child Safety Exception)
- f. Section 312.5(c)(6) (Security of the Site or Service Exception)
- g. Section 312.5(c)(7) (Persistent Identifier Used To Support Internal Operations Exception)
- h. Section 312.5(c)(8) (Operator Covered Under Paragraph (2) of Definition of Web Site or Online Service Directed to Children Collects a Persistent Identifier From a Previously Registered User)
- D. Section 312.8: Confidentiality, Security, and Integrity of Personal Information Collected From Children
- E. Section 312.10: Data Retention and Deletion Requirements
- F. Section 312.11: Safe Harbors
- III. Final Regulatory Flexibility Act Analysis
- A. Need for and Objectives of the Final Rule Amendments
- B. Significant Issues Raised by Public Comments, Summary of the Agency's Assessment of These Issues, and Changes, if Any, Made in Response to Such Comments
- (1) Definitions
- Definition of Collects or Collection
- Definitions of Operator and Web Site or Online Service Directed to Children
- Definition of Online Contact Information
- Definition of Personal Information
- a. Screen or User Names
- b. Persistent Identifiers and Support for Internal Operations
- c. Photographs, Videos, and Audio Files
- d. Geolocation Information
- Definition of Web Site or Online Service Directed to Children
- (2) Section 312.4: Notice
- Direct Notice to a Parent
- Notice on the Web Site or Online Service
- (3) Section 312.5: Parental Consent
- (4) Section 312.8: Confidentiality, Security, and Integrity of Personal Information Collected From Children
- (5) Section 312.10: Data Retention and Deletion Requirements
- (6) Section 312.11: Safe Harbors
- C. Description and Estimate of the Number of Small Entities Subject to the Final Rule or Explanation Why No Estimate Is Available
- D. Description of the Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Final Rule Amendments, Including an Estimate of the Classes of Small Entities Which Will Be Subject to the Rule and the Type of Professional Skills That Will Be Necessary To Comply
- E. Steps the Agency Has Taken To Minimize Any Significant Economic Impact on Small Entities, Consistent With the Stated Objectives of the Applicable Statute
- IV. Paperwork Reduction Act
- A. Practical Utility
- (1) Disclosure Requirements
- (2) Reporting Requirements
- B. Explanation of Estimated Incremental Burden Under the Final Rule Amendments
- Existing Operators
- New Operators
- C. Recordkeeping
- D. Disclosure Hours
- (1) New Operators' Disclosure Burden
- (2) Existing Operators' Disclosure Burden
- E. Reporting Hours
- F. Labor Costs
- (1) Disclosure
- (2) Reporting
- G. Non-Labor/Capital Costs
- List of Subjects in 16 CFR Part 312
- PART 312—CHILDREN'S ONLINE PRIVACY PROTECTION RULE
- Dissenting Statement of Commissioner Maureen K. Ohlhausen
DATES:
The amended Rule will become effective on July 1, 2013.
ADDRESSES:
The complete public record of this proceeding will be available at www.ftc.gov. Requests for paper copies of this amended Rule and Statement of Basis and Purpose (“SBP”) should be sent to: Public Reference Branch, Federal Trade Commission, 600 Pennsylvania Avenue NW., Room 130, Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT:
Phyllis H. Marcus or Mamie Kresses, Attorneys, Division of Advertising Practices, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580, (202) 326-2854 or (202) 326-2070.
SUPPLEMENTARY INFORMATION:
Statement of Basis and Purpose
I. Overview and Background
This document states the basis and purpose for the Commission's decision to adopt certain amendments to the COPPA Rule that were proposed and published for public comment on September 27, 2011 (“2011 NPRM”),  and supplemental amendments that were proposed and published for public comment on August 6, 2012 (“2012 SNPRM”).  After careful review and consideration of the entire rulemaking record, including public comments submitted by interested parties, and based upon its experience in enforcing and administering the Rule, the Commission has determined to adopt amendments to the COPPA Rule. These amendments to the final Rule will help to ensure that COPPA continues to meet its originally stated goals to minimize the collection of personal information from children and create a safer, more secure online experience for them, even as online technologies, and children's uses of such technologies, evolve.
The final Rule amendments modify the definitions of operator to make clear that the Rule covers an operator of a child-directed site or service where it integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors; Web site or online service directed to children to clarify that the Rule covers a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child-directed Web site or online service; Web site or online service directed to children to allow a subset of child-directed sites and services to differentiate among users, and requiring such properties to provide notice and obtain parental consent only for users who self-identify as under age 13; personal information to include geolocation information and persistent identifiers that can be used to recognize a user over time and across different Web sites or online services; and support for internal operations to expand the list of defined activities.
The Rule amendments also streamline and clarify the direct notice requirements to ensure that key information is presented to parents in a succinct “just-in-time” notice; expand the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent; create three new exceptions to the Rule's notice and consent requirements; strengthen data security protections by requiring operators to take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of such information; require reasonable data retention and deletion procedures; strengthen the Commission's oversight of self-regulatory safe harbor programs; and institute voluntary pre-approval mechanisms for new consent methods and for activities that support the internal operations of a Web site or online service.
The COPPA Rule, 16 CFR part 312, issued pursuant to the Children's Online Privacy Protection Act (“COPPA” or “COPPA statute”), 15 U.S.C. 6501 et seq., became effective on April 21, 2000. The Rule imposes certain requirements on operators of Web sites or online services directed to children under 13 years of age, and on operators of other Web sites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age (collectively, “operators”). Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age.  The Rule also requires operators to keep secure the information they collect from children, and prohibits them from conditioning children's participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities.  The Rule contains a “safe harbor” provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule's protections. 
The Commission initiated review of the COPPA Rule in April 2010 when it published a document in the Federal Register seeking public comment on whether the rapid-fire pace of technological changes to the online environment over the preceding five years warranted any changes to the Rule.  The Commission's request for public comment examined each aspect of the COPPA Rule, posing 28 questions for the public's consideration.  The Commission also held a public roundtable to discuss in detail several of the areas where public comment was sought. 
The Commission received 70 comments from industry representatives, advocacy groups, academics, technologists, and individual members of the public in response to the April 5, 2010 request for public comment.  After reviewing the comments, the Commission issued the 2011 NPRM, which set forth several proposed changes to the COPPA Rule.  The Commission received over 350 comments in response to the 2011 NPRM.  After reviewing these comments, and based upon its experience in enforcing and administering the Rule, in the 2012 SNPRM, the Commission sought additional public comment on a second set of proposed modifications to the Rule.
The 2012 SNPRM proposed modifying the definitions of both operator and Web site or online service directed to children to allocate and clarify the responsibilities under COPPA when independent entities or third parties, e.g., advertising networks or downloadable software kits (“plug-ins”), collect information from users through child-directed sites and services. In addition, the 2012 SNPRM proposed to further modify the definition of Web site or online service directed to children to permit Web sites or online services that are directed both to children and to a broader audience to comply with COPPA without treating all users as children. The Commission also proposed modifying the definition of screen or user name to cover only those situations where a screen or user name functions in the same manner as online contact information. Finally, the Commission proposed to further modify the revised definitions of support for internal operations and persistent identifiers. The Commission received 99 comments in response to the 2012 SNPRM.  After reviewing these additional comments, the Commission now announces this final amended COPPA Rule.
II. Modifications to the Rule
A. Section 312.2: Definitions
1. Definition of Collects or Collection
a. Collects or Collection, Paragraph (1)
In the 2011 NPRM, the Commission proposed amending paragraph (1) to change the phrase “requesting that children submit personal information online” to “requesting, prompting, or encouraging a child to submit personal information online.” The proposal was to clarify that the Rule covers the online collection of personal information both when an operator requires it to participate in an online activity, and when an operator merely prompts or encourages a child to provide such information.  The comments received divided roughly equally between support of and opposition to the proposed change to paragraph (1). Those in favor cited the increased clarity of the revised language as compared to the existing language. 
Several commenters opposed the revised language of paragraph (1). For example, the National Cable and Telecommunications Association (“NCTA”) expressed concern that the revised language suggests that “COPPA obligations are triggered even without the actual or intended collection of personal information.”  NCTA asked the Commission to clarify that “prompting” or “encouraging” does not trigger COPPA unless an operator actually collects personal information from a child. 
The Rule defines collection as “the gathering of any personal information from a child by any means,” and the terms “prompting” and “encouraging” are merely exemplars of the means by which an operator gathers personal information from a child.  This change to the definition of collects or collection is intended to clarify the longstanding Commission position that an operator that provides a field or open forum for a child to enter personal information will not be shielded from liability merely because entry of personal information is not mandatory to participate in the activity. It recognizes the reality that such an operator must have in place a system to provide notice to and obtain consent from parents to deal with the moment when the information is “gathered.”  Otherwise, once the child posts the personal information, it will be too late to obtain parental consent.
After reviewing the comments, the Commission has decided to modify paragraph (1) of the definition of collects or collection as proposed in the 2011 NPRM.
b. Collects or Collection, Paragraph (2)
Section 312.2(b) of the Rule defines “collects or collection” to cover enabling children to publicly post personal information (e.g., on social networking sites or on blogs), “except where the operator deletes all individually identifiable information from postings by children before they are made public, and also deletes such information from the operator's records.”  This exception, often referred to as the “100% deletion standard,” was designed to enable sites and services to make interactive content available to children, without providing parental notice and obtaining consent, provided that all personal information was deleted prior to posting. 
The 2010 FRN sought comment on whether to change the 100% deletion standard, whether automated systems used to review and post child content could meet this standard, and whether the Commission had provided sufficient guidance on the deletion of personal information.  In response, several commenters urged a new standard, arguing that the 100% deletion standard, while well-intentioned, was an impediment to operators' implementation of sophisticated automated filtering technologies that may actually aid in the detection and removal of personal information. 
In the 2011 NPRM, the Commission stated that the 100% deletion standard set an unrealistic hurdle to operators' implementation of automated filtering systems that could promote engaging and appropriate online content for children, while ensuring strong privacy protections by design. To address this, the Commission proposed replacing the 100% deletion standard with a “reasonable measures” standard. Under this approach, an operator would not be deemed to have collected personal information if it takes reasonable measures to delete all or virtually all personal information from a child's postings before they are made public, and also to delete such information from its records.
Although the Institute for Public Representation raised concerns about the effectiveness of automated filtering techniques,  most comments were resoundingly in favor of the “reasonable measures” standard. For example, one commenter stated that the revised language would enable the use of automated procedures that could provide “increased consistency and more effective monitoring than human monitors,”  while another noted that it would open the door to “cost-efficient and reliable means of monitoring children's communications.”  Several commenters noted that the proposed reasonable measures standard would likely encourage the creation of more rich, interactive online content for children.  Another commenter noted that the revised provision, by offering greater flexibility for technological solutions, should help minimize the burden of COPPA on children's free expression. 
The Commission is persuaded that the 100% deletion standard should be replaced with a reasonable measures standard. The reasonable measures standard strikes the right balance in ensuring that operators have effective, comprehensive measures in place to prevent public online disclosure of children's personal information and ensure its deletion from their records, while also retaining the flexibility operators need to innovate and improve their mechanisms for detecting and deleting such information. Therefore, the final Rule amends paragraph (2) of the definition of collects or collection to adopt the reasonable measures standard proposed in the 2011 NPRM.
c. Collects or Collection, Paragraph (3)
In the 2011 NPRM, the Commission proposed to modify paragraph (3) of the Rule's definition of collects or collection to clarify that it includes all means of passively collecting personal information from children online, irrespective of the technology used. The Commission sought to accomplish this by removing from the original definition the language “or use of any identifying code linked to an individual, such as a cookie.” 
The Commission received several comments supporting,  and several comments opposing,  this proposed change. Those opposing the change generally believed that this change somehow expanded the definition of personal information. As support for their argument, these commenters also referenced the Commission's proposal to include persistent identifiers within the definition of personal information.
The Commission believes that paragraph (3), as proposed in the 2011 NPRM, is sufficiently understandable. The paragraph does nothing to alter the fact that the Rule covers only the collection of personal information. Moreover, the final Rule's exception for the limited use of persistent identifiers to support internal operations—312.5(c)(7)—clearly articulates the specific criteria under which an operator will be exempt from the Rule's notice and consent requirements in connection with the passive collection of a persistent identifier.  Accordingly, the Commission adopts the definition of collects or collection as proposed in the 2011 NPRM.
2. Definition of Disclose or Disclosure
In the 2011 NPRM, the Commission proposed making several minor modifications to Section 312.2 of the Rule's definition of disclosure, including broadening the title of the definition to disclose or disclosure to clarify that in every instance in which the Rule refers to instances where an operator “disclose[s]” information, the definition of disclosure shall apply.  In addition, the Commission proposed moving the definitions of release of personal information and support for the internal operations of the Web site or online service contained within the definition of disclosure to make them stand-alone definitions within Section 312.2 of the Rule. 
One commenter asked the Commission to modify paragraph (2) of the proposed definition by adding an opening clause linking it to the definition of collects or collection. While this commenter did not state its reasons for the proposed change, the Commission believes that the language of paragraph (2) is sufficiently clear so as not to warrant making the change suggested. Therefore, the Commission modifies the definition of disclose or disclosure as proposed in the 2011 NPRM.
3. Definition of Online Contact Information
Section 312.2 of the Rule defines online contact information as “an email address or any other substantially similar identifier that permits direct contact with a person online.” The 2011 NPRM proposed clarifications to the definition to flag that the term broadly covers all identifiers that permit direct contact with a person online and to ensure consistency between the definition of online contact information and the use of that term within the definition of personal information.  The proposed revised definition identified commonly used online identifiers, including email addresses, instant messaging (“IM”) user identifiers, voice over Internet protocol (“VOIP”) identifiers, and video chat user identifiers, while also clarifying that the list of identifiers was non-exhaustive and would encompass other substantially similar identifiers that permit direct contact with a person online.  The Commission received few comments addressing this proposed change.
One commenter opposed the modification, asserting that IM, VOIP, and video chat user identifiers do not function in the same way as email addresses. The commenter's rationale for this argument was that not all IM identifiers reveal the IM system in use, which information is needed to directly contact a user. The Commission does not find this argument persuasive. While an IM address may not reveal the IM program provider in every instance, it very often does. Moreover, several IM programs allow users of different messenger programs to communicate across different messaging platforms. Like email, instant messaging is a communications tool that allows people to communicate one-to-one or in groups, sometimes in a faster, more real-time fashion than through email. The Commission finds, therefore, that IM identifiers provide a potent means to contact a child directly.
Another commenter asked the Commission to expand the definition of online contact information to include mobile phone numbers. The commenter noted that, given the Rule's coverage of mobile apps and web-based text messaging programs, operators would benefit greatly from collecting a parent's mobile phone number (instead of an email address) in order to initiate contact for notice and consent. The Commission recognizes that including mobile phone numbers within the definition of online contact information could provide operators with a useful tool for initiating the parental notice process through either SMS text or a phone call. It also recognizes that there may be advantages to parents for an operator to initiate contact via SMS text, among them that parents generally have their mobile phones with them and that SMS text is simple and convenient. However, the statute did not contemplate mobile phone numbers as a form of online contact information, and the Commission therefore has determined not to include mobile phone numbers within the definition. Thus, the final Rule adopts the definition of online contact information as proposed in the 2012 SNPRM.
4. Definitions of Operator and Web Site or Online Service Directed to Children
In the 2012 SNPRM, the Commission proposed modifying the definitions of both operator and Web site or online service directed to children to allocate and clarify the responsibilities under COPPA when independent entities or third parties, e.g., advertising networks or downloadable plug-ins, collect information from users through child-directed sites and services. Under the proposed revisions, the child-directed content provider would be strictly liable for personal information collected by third parties through its site. The Commission reasoned that, although the child-directed site or service may not own, control, or have access to the personal information collected, such information is collected on its behalf due to the benefits it receives by adding more attractive content, functionality, or advertising revenue. The Commission also noted that the primary-content provider is in the best position to know that its site or service is directed to children, and is appropriately positioned to give notice and obtain consent.  By contrast, if the Commission failed to impose obligations on the content providers, there would be no incentive for child-directed content providers to police their sites or services, and personal information would be collected from young children, thereby undermining congressional intent. The Commission also proposed imputing the child-directed nature of the content site to the entity collecting the personal information only if that entity knew or had reason to know that it was collecting personal information through a child-directed site. 
Most of the comments opposed the Commission's proposed modifications. Industry comments challenged the Commission's statutory authority for both changes and the breadth of the language, and warned of the potential for adverse consequences. In essence, many industry comments argued that the Commission may not apply COPPA where independent third parties collect personal information through child-directed sites,  and that even if the Commission had some authority, exercising it would be impractical because of the structure of the “online ecosystem.”  Many privacy and children's advocates agreed with the 2012 SNPRM proposal to hold child-directed content providers strictly liable, but some expressed concern about holding plug-ins and advertising networks to a lesser standard. 
For the reasons discussed below, the Commission, with some modifications to the proposed Rule language, will retain the strict liability standard for child-directed content providers that allow other online services to collect personal information through their sites. The Commission will deem a plug-in or other service to be a covered co-operator only where it has actual knowledge that it is collecting information through a child-directed site.
a. Strict Liability for Child-Directed Content Sites: Definition of Operator
Implementing strict liability as described above requires modifying the current definition of operator. The Rule, which mirrors the statutory language, defines operator in pertinent part, as “any person who operates a Web site located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such Web site or online service, or on whose behalf such information is collected or maintained, where such Web site or online service is operated for commercial purposes, including any person offering products or services for sale through that Web site or online service, involving commerce * * *” 
In the 2012 SNPRM, the Commission proposed adding a proviso to that definition stating that personal information is collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.
Industry, particularly online content publishers, including app developers, criticized this proposed change.  Industry comments argued that the phrase “on whose behalf” in the statute applies only to agents and service providers,  and that the Commission lacks the authority to interpret the phrase more broadly to include any incidental benefit that results when two parties enter a commercial transaction.  Many commenters pointed to an operator's post-collection responsibilities under COPPA, e.g., mandated data security and affording parents deletion rights, as evidence that Congress intended to cover only those entities that control or have access to the personal information. 
Commenters also raised a number of policy objections. Many argued that child-directed properties, particularly small app developers, would face unreasonable compliance costs and that the proposed revisions might choke off their monetization opportunities,  thus decreasing the incentive for developers to create engaging and educational content for children.  They also argued that a strict liability standard is impractical given the current online ecosystem, which does not rely on close working relationships and communication between content providers and third parties that help monetize that content.  Some commenters urged the Commission to consider a safe harbor for content providers that exercise some form of due diligence regarding the information collection practices of plug-ins present on their site. 
Privacy organizations generally supported imposing strict liability on content providers. They agreed with the Commission's statement in the 2012 SNPRM that the first-party content provider is in a position to control which plug-ins and software downloads it integrates into its site and that it benefits by allowing information collection by such third parties.  They also noted how unreasonable it would be for parents to try to decipher which entity might actually be collecting data through the child-directed property. 
Finally, many commenters expressed concern that the language describing “on whose behalf” reaches so broadly as to cover not only child-directed content sites, but also marketplace platforms such as Apple's iTunes App Store and Google's Android market (now Google Play) if they offered child-directed apps on their platforms.  These commenters urged the Commission to revise the language of the Rule to exclude such platforms.
After considering the comments, the Commission retains a strict liability standard for child-directed sites and services that allow other online services to collect personal information through their sites.  The Commission disagrees with the views of commenters that this is contrary to Congressional intent or the Commission's statutory authority. The Commission does not believe Congress intended the loophole advocated by many in industry: Personal information being collected from children through child-directed properties with no one responsible for such collection.
Nor is the Commission persuaded by comments arguing that the phrase “on whose behalf” must be read extremely narrowly, encompassing only an agency relationship. Case law supports a broader interpretation of that phrase.  Even some commenters opposed to the Commission's interpretation have acknowledged that the Commission's proposal is based on “an accurate recognition that online content monetization is accomplished through a complex web of inter-related activities by many parties,” and have noted that to act on behalf of another is to do what that person would ordinarily do herself if she could.  That appears to be precisely the reason many first-party content providers integrate these services. As one commenter pointed out, content providers “have chosen to devote their resources to develop great content, and to let partners help them monetize that content. In part, these app developers and publishers have made this choice because collecting and handling children's data internally would require them to take on liability risk and spend compliance resources that they do not have.”  Moreover, content-providing sites and services often outsource the monetization of those sites “to partners” because they do not have the desire to handle it themselves. 
In many cases, child-directed properties integrate plug-ins to enhance the functionality or content of their properties or gain greater publicity through social media in an effort to drive more traffic to their sites and services. Child-directed properties also may obtain direct compensation or increased revenue from advertising networks or other plug-ins. These benefits to child-directed properties are not merely incidental; as the comments point out, the benefits may be crucial to their continued viability. 
The Commission recognizes the potential burden that strict liability places on child-directed content providers, particularly small app developers. The Commission also appreciates the potential for discouraging dynamic child-directed content. Nevertheless, when it enacted COPPA, Congress imposed absolute requirements on child-directed sites and services regarding restrictions on the collection of personal information; those requirements cannot be avoided through outsourcing offerings to other operators in the online ecosystem. The Commission believes that the potential burden on child-directed sites discussed by the commenters in response to the 2012 SNPRM will be eased by the more limited definition of persistent identifiers, the more expansive definition of support for internal operations adopted in the Final Rule, and the newly-created exception to the Rule's notice and parental consent requirements that applies when an operator collects only a persistent identifier and only to support the operator's internal operations. 
The Commission considered including the “due-diligence” safe harbor for child-directed content providers that many of the comments proposed.  Nevertheless, as many other comments pointed out, it cannot be the responsibility of parents to try to pierce the complex infrastructure of entities that may be collecting their children's personal information through any one site.  For child-directed properties, one entity, at least, must be strictly responsible for providing parents notice and obtaining consent when personal information is collected through that site. The Commission believes that the primary-content site or service is in the best position to know which plug-ins it integrates into its site, and is also in the best position to give notice and obtain consent from parents.  Although the Commission, in applying its prosecutorial discretion, will consider the level of due diligence a primary-content site exercises, the Commission will not provide a safe harbor from liability.
When it issued the 2012 SNPRM, the Commission never intended the language describing “on whose behalf” to encompass platforms, such as Google Play or the App Store, when such stores merely offer the public access to someone else's child-directed content. In these instances, the Commission meant the language to cover only those entities that designed and controlled the content, i.e., the app developer or site owner. Accordingly, the Commission has revised the language proposed in the 2012 SNPRM to clarify that personal information will be deemed to be collected on behalf of an operator where it benefits by allowing another person to collect personal information directly from users of such operator's site or service, thereby limiting the provision's coverage to operators that design or control the child-directed content.  Accordingly, the Final Rule shall state that personal information is collected or maintained on behalf of an operator when it is collected or maintained by an agent or service provider of the operator; or the operator benefits by allowing another person to collect personal information directly from users of such operator's Web site or online service.
b. Operators Collecting Personal Information Through Child-Directed Sites and Online Services: Moving to an Actual Knowledge Standard
In the 2012 SNPRM, the Commission proposed holding responsible as a co-operator any site or online service that “knows or has reason to know” it is collecting personal information through a host Web site or online service directed to children. Many commenters criticized this standard. Industry comments contended that such a standard is contrary to the statutory mandate that general audience services be liable only if they have actual knowledge they are collecting information from a child.  They further argued that the standard is vague because it is impossible to determine what type of notification would provide a “reason to know.” Thus, the commenters argued that the standard triggers a duty to inquire.  In addition, commenters stated that even after inquiring, it might be impossible to determine which sites are truly directed to children (particularly in light of the Commission's revised definition of Web site directed to children to include those sites that are likely to attract a disproportionate percentage of children under 13).  Conversely, many privacy advocates believed it is necessary to impose some duty of inquiry, or even strict liability, on the entity collecting the personal information. 
After considering the comments, the Commission has decided that while it is appropriate to hold an entity liable under COPPA for collecting personal information on Web sites or online services directed to children, it is reasonable to hold such entity liable only where it has actual knowledge that it is collecting personal information directly from users of a child-directed site or service. In striking this balance by moving to an actual knowledge standard, the Commission recognizes that this is still contrary to the position advocated by many industry comments: That a plug-in or advertising network that collects personal information from users of both general audience and child-directed sites must be treated monolithically as a general audience service, liable only if it has actual knowledge that it is collecting personal information from a specific child.  However, the COPPA statute also defines Web site or online service directed to children to include “that portion of a commercial Web site or online service that is targeted to children.” Where an operator of an otherwise general audience site or online service has actual knowledge it is collecting personal information directly from users of a child-directed site, and continues to collect that information, then, for purposes of the statute, it has effectively adopted that child-directed content as its own and that portion of its service may appropriately be deemed to be directed to children. 
Commenters urged that, whatever standard the Commission ultimately adopts, it provide guidance as to when a plug-in or advertising network would be deemed to have knowledge that it is collecting information through a child-directed site or service.  Knowledge, by its very nature, is a highly fact-specific inquiry. The Commission believes that the actual knowledge standard it is adopting will likely be met in most cases when: (1) A child-directed content provider (who will be strictly liable for any collection) directly communicates the child-directed nature of its content to the other online service; or (2) a representative of the online service recognizes the child-directed nature of the content. The Commission does not rule out that an accumulation of other facts would be sufficient to establish actual knowledge, but those facts would need to be analyzed carefully on a case-by-case basis.
5. Definition of Personal Information
a. Screen or User Names
The Rule defines personal information as including “a screen name that reveals an individual's email address.”  In the 2011 NPRM, the Commission proposed to modify this definition to include “a screen or user name where such screen or user name is used for functions other than or in addition to support for the internal operations of the Web site or online service.”  The Commission intended this change to address scenarios in which a screen or user name could be used by a child as a single credential to access multiple online properties, thereby permitting him or her to be directly contacted online, regardless of whether the screen or user name contained an email address. 
Some commenters expressed concern that the Commission's screen-name proposal would unnecessarily inhibit functions that are important to the operation of child-directed Web sites and online services.  In response to this concern, the 2012 SNPRM proposed covering screen names as personal information only in those instances in which a screen or user name rises to the level of online contact information. In such cases, the Commission reasoned, a screen or user name functions much like an email address, an instant messaging identifier, or “any other substantially similar identifier that permits direct contact with a person online.” 
The Commission received a number of comments in support of this change from industry associations and advocacy groups.  Commenters recognized the change as providing operators with the flexibility to use screen or user names both for internal administrative purposes and across affiliated sites, services, or platforms without requiring prior parental notification or verifiable parental consent. 
A number of commenters, however, despite clear language otherwise in the 2012 SNPRM, continued to express concern that the Commission's proposed revision would limit operators' use of anonymized screen names in place of children's real names in filtered chat, moderated interactive forums, or as log-in credentials providing users with seamless access to content across multiple platforms and devices.  Some of these commenters urged the Commission to refine the definition further, for example, by explicitly recognizing that the use of screen names for activities such as moderated chat will not be deemed as permitting “direct contact” with a child online and therefore will not require an operator using anonymous screen names to notify parents or obtain their consent.  Others suggested a return to the Commission's original definition of screen or user names, i.e., only those that reveal an individual's online contact information (as newly defined).  Yet others hoped to see the Commission carve out from the definition of screen or user name uses to support an operator's internal operations (such as using screen or user names to enable moderated or filtered chat and multiplayer game modes). 
The Commission sees no need to qualify further the proposed description of screen or user name. The description identifies precisely the form of direct, private, user-to-user contact the Commission intends the Rule to cover—i.e., “online contact [that] can now be achieved via several methods besides electronic mail.” The Commission believes the description permits operators to use anonymous screen and user names in place of individually identifiable information, including use for content personalization, filtered chat, for public display on a Web site or online service, or for operator-to-user communication via the screen or user name. Moreover, the definition does not reach single log-in identifiers that permit children to transition between devices or access related properties across multiple platforms. For these reasons, the Commission modifies the definition of personal information, as proposed in the 2012 SNPRM, to include “a screen or user name where it functions in the same manner as online contact information, as defined in this Section.”
b. Persistent Identifiers and Support for Internal Operations
Persistent identifiers have long been covered by the COPPA Rule, but only where they are associated with individually identifiable information.  In the 2011 NPRM, and again in the 2012 SNPRM, the Commission proposed broader Rule coverage of persistent identifiers.
First, in the 2011 NPRM, the Commission proposed covering persistent identifiers in two scenarios—(1) where they are used for functions other than or in addition to support for the internal operations of the Web site or online service, and (2) where they link the activities of a child across different Web sites or online services. After receiving numerous comments on the proposed inclusion of persistent identifiers within the definition of personal information, the Commission refined its proposal in the 2012 SNPRM.
In the Commission's refined proposal in the 2012 SNPRM, the definition of personal information would include a persistent identifier “that can be used to recognize a user over time, or across different Web sites or online services, where such persistent identifier is used for functions other than or in addition to support for the internal operations of the Web site or online service.” The Commission also proposed to set forth with greater specificity the types of permissible activities that would constitute support for internal operations. The proposed revision to this latter definition was intended to accomplish three goals: (1) To incorporate into the Rule text many of the types of activities—user authentication, maintaining user preferences, serving contextual advertisements, and protecting against fraud or theft—that the Commission initially discussed as permissible in the 2011 NPRM; (2) to specifically permit the collection of persistent identifiers for functions related to site maintenance and analysis, and to perform network communications that many commenters viewed as crucial to their ongoing operations; and (3) to make clear that none of the information collected may be used or disclosed to contact a specific individual, including through the use of behavioral advertising.
Most of the commenters who responded to the 2012 SNPRM opposed the Commission's refinement. Many continued to argue, as they had done in response to the 2011 NPRM, that because persistent identifiers only permit contact with a device, not a specific individual, the Commission was exceeding its statutory authority by defining them as personal information.  Others argued strenuously for the benefits to children, parents, operators, and commerce of collecting anonymous information on, and delivering advertisements to, unknown or unnamed users.  Some commenters maintained that, to comply with COPPA's notice and consent requirements in the context of persistent identifiers, sites would be forced to collect more personal information on their users, contrary to COPPA's goals of data minimization. 
Because the proposed definition of persistent identifiers ran hand-in-hand with the proposed carve-out for permissible activities, most commenters also opined on the proposed scope of the definition of support for internal operations.  Unsurprisingly, these commenters urged the Commission to broaden the definition either to make the list of permissible activities non-exhaustive,  or to clarify that activities such as ensuring legal and regulatory compliance, intellectual property protection, payment and delivery functions, spam protection, statistical reporting, optimization, frequency capping, de-bugging, market research, and advertising and marketing more generally would not require parental notification and consent on COPPA-covered sites or services.  Other commenters expressed confusion about which entities operating on or through a property could take advantage of the support for internal operations exemption.  Children's advocacy groups, by contrast, expressed fear that the proposed definition was already “so broad that it could exempt the collection of many persistent identifiers used to facilitate targeted marketing.” 
Several commenters supported the Commission's premise that the collection of certain persistent identifiers permits the physical or online contacting of a specific individual, but asked the Commission to take a different tack to regulating such identifiers. Rather than cover all persistent identifiers and then carve out permissible uses, these commenters suggested a simpler approach: the Commission should apply the Rule only to those persistent identifiers used for the purposes of contacting a specific child, including through online behavioral advertising. 
The Commission continues to believe that persistent identifiers permit the online contacting of a specific individual. As the Commission stated in the 2011 NPRM, it is not persuaded by arguments that persistent identifiers only permit the contacting of a device.  This interpretation ignores the reality that, at any given moment, a specific individual is using that device. Indeed, the whole premise underlying behavioral advertising is to serve an advertisement based on the perceived preferences of the individual user. 
Nor is the Commission swayed by arguments noting that multiple individuals could be using the same device. Multiple people often share the same phone number, the same home address, and the same email address, yet Congress still classified these, standing alone, as “individually identifiable information about an individual.”  For these reasons, and the reasons stated in the 2011 NPRM, the Commission will retain persistent identifiers within the definition of personal information.
However, the Commission recognizes that persistent identifiers are also used for a host of functions that have little or nothing to do with contacting a specific individual, and that these uses are fundamental to the smooth functioning of the Internet, the quality of the site or service, and the individual user's experience. It was for these reasons that the Commission proposed to expand the definition of support for internal operations in the 2012 SNPRM.
The Commission has determined to retain the approach suggested in the 2011 NPRM and refined in the 2012 SNPRM, with certain revisions. First, the final Rule modifies the proposed definition of persistent identifier to cover “a persistent identifier that can be used to recognize a user over time and across different Web sites or online services.” This modification takes into account concerns several commenters raised that using a persistent identifier within a site or service over time serves an important function in conducting site performance assessments and supporting intra-site preferences.  However, in this context, not every Web site or service with a tangential relationship will be exempt—the term “different” means either sites or services that are unrelated to each other, or sites or services where the affiliate relationship is not clear to the user. 
Second, the Commission has determined that the carve-out for use of a persistent identifier to provide support for the internal operations of a Web site or online service is better articulated as a separate exception to the Rule's requirements. For this reason, it has amended Section 312.5(c) (“Exceptions to prior parental consent”) to add a new exception providing that where an operator collects only a persistent identifier for the sole purpose of providing support for its internal operations, the operator will have no notice or consent obligations under the Rule. This is a change in organization, rather than a substantive change, from the Commission's earlier proposals.
In addition, in response to the arguments made in a number of comments, the Commission has further modified the 2012 SNPRM proposed definition of support for internal operations to add frequency capping of advertising and legal or regulatory compliance to the permissible uses enumerated therein.  The Commission declines to add certain other language proposed by commenters, such as intellectual property protection, payment and delivery functions, spam protection, optimization, statistical reporting, or de-bugging, because it believes that these functions are sufficiently covered by the definitional language permitting activities that “maintain or analyze” the functions of the Web site or service, or protect the “security or integrity” of the site or service. Under this revised definition, most of the activities that commenters cite to as important to permitting the smooth and optimal operation of Web sites and online services will be exempt from COPPA coverage.
The Commission also is cognizant that future technical innovation may result in additional activities that Web sites or online services find necessary to support their internal operations. Therefore, the Commission has created a voluntary process—new Section 312.12(b)—whereby parties may request Commission approval of additional activities to be included within the definition of support for internal operations. Any such request will be placed on the public record for notice and comment, and the Commission will act on it within 120 days.
The final amended language makes clear that operators may only engage in activities “necessary” to support the covered functions. The Commission agrees with commenter EPIC that “[t]he presence of the word ‘necessary’ [in the statute] * * * indicates that the use of persistent identifiers is to be limited to the above activities, and that these activities are to be narrowly construed.” Moreover, operators may not use persistent identifiers that fall within the Rule's definition of personal information for any purposes other than those listed within the definition of support for internal operations. Accordingly, the Rule will require operators to obtain parental consent for the collection of persistent identifiers where used to track children over time and across sites or services. Without parental consent, operators may not gather persistent identifiers for the purpose of behaviorally targeting advertising to a specific child. They also may not use persistent identifiers to amass a profile on an individual child user based on the collection of such identifiers over time and across different Web sites in order to make decisions or draw insights about that child, whether that information is used at the time of collection or later.
Several commenters sought clarification of whether a party's status as a first party or a third party would affect its ability to rely upon the support for internal operations definition.  To the extent that a child-directed content site or service engages service providers to perform functions encompassed by the definition of support for internal operations, those functions will be covered as support for the content-provider's internal operations. If a third party collecting persistent identifiers is deemed an operator under the Rule (e.g., because it has actual knowledge it is collecting personal information from users of a child-directed site or service, or it has actual knowledge it is collecting personal information from a child through a general audience site or service), that operator may rely on the Rule's support for internal operations definition when it uses persistent identifier information for functions that fall within it.
c. Photographs, Videos, and Audio Files
The Rule's existing definition of personal information includes photographs only when they are combined with “other information such that the combination permits physical or online contacting.” Given the prevalence and popularity of posting photos, videos, and audio files online, in the 2011 NPRM, the Commission reevaluated the privacy and safety implications of such practices as they pertain to children. The Commission determined that the inherently personal nature of photographs, and the fact that they may contain information such as embedded geolocation data, or can be paired with facial recognition technology, makes them identifiers that “permit the physical or online contacting of a specific individual.”  The Commission found the same risks attendant with the online uploading of video and audio files.  Accordingly, the Commission proposed creating a new category within the definition of personal information covering a photograph, video, or audio file where such file contains a child's image or voice.
Some commenters supported this proposal. For example, the Institute for Public Representation, on behalf of a group of children's privacy advocates, stated that “[b]ecause photographs, videos, and audio files can convey large amounts of information about children that can make them more vulnerable to behavioral advertising, and possibly put their personal safety at risk as well, these types of information should be included in the definition of personal information.” 
Several commenters criticized the Commission's proposal, claiming that the effect would limit children's participation in online activities involving “user-generated content.”  Several commenters issued blanket statements that photos, videos, and audio files, in and of themselves, do not permit operators to locate or contact a child.  Other commenters stated that the Commission's proposal is premature, arguing that facial recognition technologies are only in their nascent stages.  Finally, several commenters argued that the Commission should narrow the scope of its proposal, exempting from coverage photos, videos, or audio files that have been prescreened to remove any metadata or other individually identifiable information.  Others asked the Commission to carve out from coverage photos or videos where used to support internal operations of a site or service.  Commenter WiredSafety urged the Commission to adopt a standard that would permit operators to blur images of children before uploading them, thereby reducing the risks of exposure. 
The Commission does not dispute that uploading photos, videos, and audio files can be entertaining for children. Yet, it is precisely the very personal nature of children's photographic images, videos, and voice recordings that leads the Commission to determine that such files meet the standard for “personal information” set forth by Congress in the COPPA statute. That is, in and of themselves, such files “permit the physical or online contacting of a specific individual.”  As the Privacy Rights Clearinghouse stated, “[a]s facial recognition advances, photos and videos have the potential to be analyzed and used to target and potentially identify individuals.”  Given these risks, the Commission continues to believe it is entirely appropriate to require operators who offer young children the opportunity to upload photos, videos, or audio files containing children's images or voices to obtain parental consent beforehand.  Therefore, the Commission adopts the modification of the definition of personal information regarding photos, videos, and audio files as proposed in the 2011 NPRM, without qualification.
d. Geolocation Information
In the 2011 NPRM, the Commission stated that, in its view, existing paragraph (b) of the definition of personal information already covered any geolocation information that provides precise enough information to identify the name of a street and city or town.  However, because geolocation information can be presented in a variety of formats (e.g., coordinates or a map), and in some instances can be more precise than street name and name of city or town, the Commission proposed making geolocation information a stand-alone category within the definition of personal information. 
Similar to the comments raised in response to the 2010 FRN, a number of commenters opposed this change. These commenters argued that anonymous, technical geolocation information, without the addition of any other identifier, was insufficient to contact an individual child.  The Internet Commerce Coalition stated that in identifying geolocation information “sufficient to identify a street name and name of city or town” as personal information, the Commission has missed the key to what makes an address “personal,” namely the street number.  Accordingly, such commenters asked the Commission to clarify that geolocation information will only be deemed personal information if, when combined with some other information or identifier, it would permit contacting an individual. 
These commenters overlook that the COPPA statute does not require the submission of a street number to make address information “personal.” Nor is it limited to home address, primary residence, or even a static address. Rather, Congress chose to use the words “or other physical address, including street name and name of city or town.”  This word choice not only permits the inclusion of precise mobile (i.e., moving) location information, it may very well mandate it.  As commenter Consumers Union stated, “[s]ince a child's physical address is already considered personal information under COPPA, geolocation data, which provides precise information about a child's whereabouts at a specific point in time, must also necessarily be covered.” 
In addition, the Commission disagrees with those commenters who state that geolocation information, standing alone, does not permit the physical or online contacting of an individual within the meaning of COPPA.  Just as with persistent identifiers, the Commission rejects the notion that precise geolocation information allows only contact with a specific device, not the individual using the device. By that same flawed reasoning, a home or mobile telephone number would also only permit contact with a device.
Several commenters asked the Commission to refine the Rule's coverage of geolocation so that it targets particular uses. Commenter CTIA, citing photo-sharing services as an example, asked that geolocation information embedded in metadata (as often is the case with digital photographs) be excluded from the Rule's coverage.  Arguing that there should be a legal difference between using geolocation information for convenience or to protect a child's safety and to market to a child, commenter kidSAFE Seal Program suggested that geolocation data only be considered “personal information” when it is being used for marketing purposes.  Finally, commenter TRUSTe asked that the Commission amend the definition to cover “precise geolocation data that can be used to identify a child's actual physical location at a given point in time.” 
The Commission sees no basis for making the suggested revisions. With respect to excluding geolocation information in metadata, the Commission notes that in the 2011 NPRM, it specifically cited such geolocation metadata as one of the bases for including photographs of children within the definition of personal information.  With respect to the comment from kidSAFE Seal Program, the statute does not distinguish between information collected for marketing as opposed to convenience; therefore, the Commission finds no basis for making such a distinction for geolocation information. Finally, the Commission sees little to no practical distinction between “geolocation data that can be used to identify a child's actual physical location at a given point in time” and geolocation information “sufficient to identify street name and name of a city or town,” and it prefers to adhere to the statutory language. Accordingly, the Commission modifies the definition of personal information as proposed in the 2011 NPRM, and covered operators will be required to notify parents and obtain their consent prior to collecting geolocation information from children.
6. Definition of Release of Personal Information
In the 2011 NPRM, the Commission proposed to define the term release of personal information separately from the definition of disclosure, since the term applied to provisions of the Rule that did not solely relate to disclosures.  The Commission also proposed technical changes to clarify that the term “release of personal information” addresses business-to-business uses of personal information, not public disclosures, of personal information.  The Commission received little comment on this issue and therefore adopts the proposed changes.
7. Definition of Web Site or Online Service Directed to Children
In the 2012 SNPRM, the Commission proposed revising the definition of Web site or online service directed to children to allow a subset of sites falling within that category an option not to treat all users as children. The proposed revision was sparked by a comment from The Walt Disney Company that urged the Commission to recognize that sites and services directed to children fall along a continuum and that those sites targeted to both children and others should be permitted to differentiate among users. Noting that Disney's suggestion in large measure reflected the prosecutorial discretion already applied by the Commission in enforcing COPPA, the Commission proposed revisions to implement this concept. The Commission received numerous comments on this proposal. Although many commenters expressed support for the concept, the proposed implementing language was criticized.
Paragraphs (a) and (b) of the SNPRM's proposed revisions sought to define the subset of sites directed to children that would still be required to treat all users as children: those that knowingly target children under 13 as their primary audience, and those that, based on the overall content of the site, are likely to attract children under 13 as their primary audience. Paragraph (c) sought to describe those child-directed sites that would be permitted to age-screen to differentiate among users—namely those sites that, based on overall content, are likely to draw a disproportionate number of child users.
Although most commenters concurred that operators intentionally targeting children as their primary audience should be covered as Web sites directed to children,  some worried about the precise contours of the term “primary audience” and sought guidance as to percentage thresholds.  Some commenters also opposed any interpretation of COPPA that required child-directed Web sites to presume all users are children. 
Many commenters argued that the Commission exceeded its authority by defining Web site or online service directed to children based on criteria other than the sites' intent to target children. These commenters argued that Congress, by defining Web sites directed to children as those “targeted” to children, was imposing a subjective intent requirement.  The Commission disagrees. The Commission believes that if Congress had wanted to require subjective intent on the part of an operator before its site or service could be deemed directed to children, it would have done so explicitly.  Intent cannot be the only scenario envisioned by Congress whereby a site would be deemed directed to children.  Certainly, a Web site or online service that has the attributes, look, and feel of a property targeted to children under 13 will be deemed to be a site or service directed to children, even if the operator were to claim that was not its intent.
Paragraph (c) sought to describe those child-directed sites that would be permitted to age-screen to differentiate among users, namely those sites that, based on overall content, are likely to draw a disproportionate number of child users. While a handful of comments supported this definition, for the most part, it was criticized by a spectrum of interests. On one side were advocates such as Common Sense Media, EPIC, and the Institute for Public Representation. These advocates argued that recognizing a category of sites and services directed to mixed-audiences, targeted both to young children and others, would undercut the other revisions the Commission has proposed, thereby lessening privacy protections for children. Such advocates also argued that the proposed category might create incentives, or loopholes, for operators that currently provide child-directed Web sites or services to claim their online properties are covered by paragraph (c) of the definition and become exempt from COPPA by age-gating.
On the other side were a number of commenters who feared that the proposal would significantly expand the range of Web sites and online services that fall within the ambit of COPPA's coverage, including both teen-oriented and general-audience sites and services that incidentally appeal to children as well as adults. Much of this fear appears to have been driven by the specific language the Commission proposed; that is, sites or services that, based on their overall content, were “likely to attract an audience that includes a disproportionately large percentage of children under age 13 as compared to the percentage of such children in the general population.” Some argued that the use of the term “disproportionate” is vague, potentially unconstitutional, unduly expansive, or otherwise constitutes an unlawful shift from the statute's actual knowledge standard for general audience sites to one of constructive knowledge. Many worried that the Commission's proposal would lead to widespread age-screening, or more intensive age-verification, across the entire body of Web sites and online services located on the Internet. Other commenters suggested that the Commission implement this approach through a safe harbor, not by revising a definition.
The comments reflect a misunderstanding of the purpose and effect of the change proposed in the 2012 SNPRM. The Commission did not intend to expand the reach of the Rule to additional sites and services, but rather to create a new compliance option for a subset of Web sites and online services already considered directed to children under the Rule's totality of the circumstances standard.
To make clear that it will look to the totality of the circumstances to determine whether a site or service is directed to children (whether as its primary audience or otherwise), the Commission has revised and reordered the definition of Web site or online service directed to children as follows. Paragraph (1) of the definition contains the original Rule language setting forth several factors the Commission will consider in determining whether a site or service is directed to children. In addition, paragraph (1) amends this list of criteria to add musical content, the presence of child celebrities, and celebrities who appeal to children, as the Commission originally proposed in the 2011 NPRM. Although some commenters expressed concern that these additional factors might capture general audience sites, produce inconsistent results, or be overly broad (since musicians and celebrities often appeal both to adults and children), the Commission believes that these concerns are unfounded. The Commission reiterates that these factors are some among many that the Commission will consider in assessing whether a site or service is directed to children, and that no single factor will predominate over another in this assessment.
Paragraph (2) of the definition sets forth the actual knowledge standard for plug-ins or ad networks, as discussed in Part II.A.4.b herein, whereby a plug-in, ad network, or other property is covered as a Web site or online service directed to children under the Rule when it has actual knowledge that it is collecting personal information directly from users of a child-directed Web site or online service.
The Commission amends paragraph (3) of the definition to clarify when a child-directed site would be permitted to age-screen to differentiate among users. This paragraph codifies the Commission's intention to first apply its “totality of the circumstances” standard to determine whether any Web site or online service falling under paragraph (3) is directed to children. The Commission then will assess whether children under age 13 are the primary audience for the site or service. Paragraph (3) codifies that a site or service that is directed to children, but that does not target children as its primary audience, may use an age screen in order to apply all of COPPA's protections only to visitors who self-identify as under age 13. As the Commission stated in the 2012 SNPRM, at that point, the operator will be deemed to have actual knowledge that such users are under 13 and must obtain appropriate parental consent before collecting any personal information from them and must also comply with all other aspects of the Rule. 
The Commission retains its longstanding position that child-directed sites or services whose primary target audience is children must continue to presume all users are children and to provide COPPA protections accordingly.  Some commenters contend that the Commission should permit this presumption to be rebutted, even on sites primarily targeting children, by the use of a simple age screen that distinguishes child users from other users.  Although the Commission is now permitting this on sites or services that target children only as a secondary audience or to a lesser degree, the Commission believes adopting this standard for all child-directed sites would virtually nullify the statutory distinction between “actual knowledge” sites and those directed to children, creating a de facto actual knowledge standard for all operators. 
Finally, paragraph (4) of the definition restates the statutory proviso that a site or service will not be deemed to be child-directed where it simply links to a child-directed property.
B. Section 312.4: Notice
1. Direct Notice to a Parent
In the 2011 NPRM, the Commission proposed refining the Rule requirements for the direct notice to ensure a more effective “just-in-time” message to parents about an operator's information practices.  As such, the Commission proposed to reorganize and standardize the direct notice requirement to set forth the precise items of information that must be disclosed in each type of direct notice the Rule requires. The proposed revised language of § 312.4 specified, in each instance where the Rule requires direct notice, the precise information that operators must provide to parents regarding the items of personal information the operator already has obtained from the child (generally, the parent's online contact information either alone or together with the child's online contact information); the purpose of the notification; action that the parent must or may take; and what use, if any, the operator will make of the personal information collected. The proposed revisions also were intended to make clear that each form of direct notice must provide a hyperlink to the operator's online notice of information practices. 
In general, commenters supported the Commission's proposed changes as providing greater clarity and simplicity to otherwise difficult-to-understand statements.  These changes were viewed as especially important in an era of children's intense engagement with mobile applications accessed through a third-party app store and where an online notice might not be as readily accessible.  Only one commenter objected to the concept of placing greater emphasis on the direct, rather than the online, notice, stating that the changes would unduly necessitate lengthy direct notices and would prove overwhelming for parents and challenging to implement in the mobile environment. 
The Commission also proposed adding a paragraph setting out the contours of a new direct notice in situations where an operator voluntarily chooses to collect a parent's online contact information from a child in order to provide parental notice about a child's participation in a Web site or online service that does not otherwise collect, use, or disclose children's personal information. The Commission's proposal for a voluntary direct notice in situations where an operator does not otherwise collect, use, or disclose personal information from a child garnered very little attention. Only one commenter sought clarification of the specific language the Commission proposed. 
Several commenters urged the Commission to use the occasion of the Rule review to develop a model COPPA direct notice form that operators voluntarily could adopt, to mandate that such notifications be optimized for the particular devices on which they are displayed, or to implement a Web site rating system. The Commission believes that these suggestions are better suited as “best practices” rather than as additions to the text of the Rule.
The Commission has determined to retain in the final Rule the modifications proposed in the 2011 NPRM. However, the Commission has reorganized the paragraphs to provide a better flow and guidance for operators, and has clarified that the voluntary direct notice provision described above is, indeed, voluntary for operators who choose to use it. 
2. Notice on the Web Site or Online Service
In the 2011 NPRM, the Commission proposed several changes to the Rule's online notice requirement. First, the Commission proposed requiring all operators collecting, using, or disclosing information on a Web site or online service to provide contact information, including, at a minimum, the operator's name, physical address, telephone number, and email address.  This proposal marked a change from the existing Rule's proviso that such operators could designate one operator to serve as the point of contact.
With the exception of the Institute for Public Representation,  commenters who spoke to the issue opposed mandating that the online notice list all operators. Some objected to the sheer volume of potentially confusing information this would present to parents,  and stated that the proposal provided no additional consumer benefit to parents, given that the existing Rule implies that the single operator designee should be prepared to “respond to all inquiries from parents concerning the operators' privacy policies and use of children's information.”  Some also spoke to the burden on the primary operator of having to maintain a current list of all applicable operators' contact information,  and expressed confusion as to which operators needed to be listed. 
The Commission believes that a requirement for the primary operator to provide specific, current, contact information for every operator that collects information on or through its Web site or service has the potential to confuse parents, for whom such online notices are intended to be accessible and useful. After considering the comments, the Commission has determined to retain the Rule's “single operator designee” proviso; that is, an operator will be required to list all operators collecting or maintaining personal information from children through the Web site or online service, but need only list the contact information for the one operator who will be responsible for responding to parents' inquiries.
In the 2011 NPRM, the Commission also proposed eliminating the Rule's current lengthy—yet potentially under-inclusive—recitation of an operator's information collection, use, and disclosure practices in favor of a simple statement of: (1) What information the operator collects from children, including whether the Web site or online service enables a child to make personal information publicly available; (2) how the operator uses such information; and (3) the operator's disclosure practices for such information.  As a part of this revision, the Commission proposed removing the required statement that the operator may not condition a child's participation in an activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity.  This proposal was opposed by the Institute for Public Representation, which views the statement as a way to educate parents as to whether or not the operator actually complies with data minimization principles.  This organization also asked the Commission to require operators to disclose information to parents on how the data they collect is secured from potential breaches.  The Commission has considered this input but nevertheless adopts both of these changes in the final Rule.
The Commission sees great value for parents of streamlined online notices and continues to believe that the removal of extraneous information from such notices will further this goal.  Accordingly, the Commission modifies the Rule as proposed in the 2011 NPRM to remove an operator's recitation in its online notice that it will not condition a child's participation on the provision of more information than is necessary. Again, however, the substantive requirement of § 312.7 remains in place.  In addition, and again in the interest of streamlining the online notices, the Commission declines to require operators to explain the measures they take to protect children's data. Nevertheless, the Rule's enhanced provisions on confidentiality and data security will help protect data collected from children online.
Finally, focusing on the part of the Commission's proposal that would require operators of general audience sites or services that have separate children's areas to post links to their notices of children's information practices on the home or landing page or screen of the children's area, the Toy Industry Association asked the Commission to forgo mandating links in any location where mobile apps can be purchased or downloaded because, in their view, changing commercial relationships may make it difficult to frequently update privacy policies in apps marketplaces.  The final amended Rule does not mandate the posting of such information at the point of purchase but rather on the app's home or landing screen. However, the Commission does see a substantial benefit in providing greater transparency about the data practices and interactive features of child-directed apps at the point of purchase and encourages it as a best practice. 
C. Section 312.5: Parental Consent
A central element of COPPA is its requirement that operators seeking to collect, use, or disclose personal information from children first obtain verifiable parental consent.  “Verifiable parental consent” is defined in the statute as “any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure, described in the notice.”  Accordingly, the Rule requires that operators must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated in light of available technology to ensure that the person providing consent is the child's parent. § 312.5(b)(1).
The Rule sets forth a non-exhaustive list of methods that meet the standard of verifiable parental consent.  Specifically, paragraph (b)(2) states that methods to obtain verifiable parental consent that satisfy the requirements of the paragraph include: Providing a consent form to be signed by the parent and returned to the operator by postal mail or facsimile; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free telephone number staffed by trained personnel; using a digital certificate that uses public key technology; and using email accompanied by a PIN or password obtained through one of the verification methods listed in the paragraph. 
Participants at the Commission's June 2, 2010 COPPA roundtable  and commenters to the 2010 FRN generally agreed that, while no one method provides complete certainty that the operator has reached and obtained consent from a parent, the methods listed in the Rule continue to have utility for operators and should be retained. 
A number of commenters urged the Commission to expand the list of acceptable mechanisms to incorporate newer technologies, or to otherwise modernize or simplify the Rule's mechanisms for parental consent. Suggested methods of obtaining parental consent included sending a text message to the parent's mobile phone number, offering online payment services other than credit cards, offering parental controls in gaming consoles, offering a centralized parental consent mechanism or parental opt-in list, and permitting electronic signatures.
In the 2011 NPRM, the Commission announced its determination that the record was sufficient to justify certain proposed mechanisms, but insufficient to adopt others. The 2011 NPRM proposed several significant changes to the mechanisms of verifiable parental consent set forth in paragraph (b) of § 312.5, including: Adding several newly recognized mechanisms for parental consent; eliminating the sliding scale approach to parental consent; and adding two new processes for evaluation and pre-clearance of parental consent mechanisms.
1. Electronic Scans and Video Verification
In the 2011 NPRM, the Commission proposed including electronically scanned versions of signed parental consent forms and the use of video verification methods among the Rule's non-exhaustive list of acceptable consent mechanisms. The proposal received support from several commenters, including Yahoo!, the DMA, kidSAFE Seal Program, the NCTA, and Facebook.  Other commenters expressed reservations about whether these new methods would offer practical, economical, or scalable solutions for operators. 
As stated in the 2011 NPRM, the Commission finds that electronic scans and video conferencing are functionally equivalent to the written and oral methods of parental consent originally recognized by the Commission in 1999. It does not find the concerns of some commenters, that operators are not likely to widely adopt these methods, a sufficient reason to exclude them from the Rule. The list of consent mechanisms is not exhaustive and operators remain free to choose the ones most appropriate to their individual business models. Therefore, Section 312.5(b) of the final Rule includes electronic scans of signed consent forms and video-conferencing as acceptable methods for verifiable parental consent.
2. Government-Issued Identification
The Commission also proposed in the 2011 NPRM to allow operators to collect a form of government-issued identification—such as a driver's license, or a segment of the parent's Social Security number—from the parent, and to verify the parent's identity by checking this identification against databases of such information, provided that the parent's identification is deleted from the operator's records promptly after such verification is complete. Some operators already use this method of obtaining parental consent, and it is one of several available verification methods offered by the COPPA safe harbor program Privo.  In the NPRM, the Commission stated its recognition that information such as Social Security number, driver's license number, or another record of government-issued identification is sensitive data.  In permitting operators to use government-issued identification as an approved method of parental verification, the Commission emphasized the importance of limiting the collection of such identification information to only those segments of information needed to verify the data.  For example, the Commission noted that the last four digits of a person's Social Security number are commonly used by verification services to confirm a person's identity.  The Commission also stated its belief that the requirement that operators immediately delete parents' government-issued identification information upon completion of the verification process provides further protection against operators' unnecessary retention, use, or potential compromise of such information. Commenters in favor of adding this mechanism pointed out that using available technology to check a driver's license number or partial Social Security number reasonably ensures that the person providing consent is the parent. 
Other commenters expressed concern that allowing operators to collect sensitive government identification information from parents raises serious privacy implications.  Many commenters opined that the serious risks to parents' privacy outweighed the benefits of the proposal.  Some further argued that normalizing the use of this sensitive data for such a purpose would diminish users' alertness against identity theft schemes and other potentially nefarious uses. 
As the federal agency at the forefront of improving privacy protections for consumers, the Commission is sensitive to the privacy concerns raised by the comments. The Commission is also aware that both operators and parents benefit from having a choice of several acceptable methods for verifiable parental consent. Moreover, the Commission is not compelling any operator to use this method. The Commission believes that, on balance, government-issued ID provides a reliable and simple means of verifying that the person providing consent is likely to be the parent, and that the requirement that operators delete such data immediately upon verification substantially minimizes the privacy risk associated with that collection. Therefore, the Commission adopts this method among the Rule's non-exhaustive list of acceptable consent methods. 
3. Credit Cards
The 2011 NPRM also proposed including the term “monetary” to modify “transaction” in connection with use of a credit card to verify parental consent. This added language was intended to make clear the Commission's long-standing position that the Rule limits use of a credit card as a method of parental consent to situations involving actual monetary transactions.  The Commission received one comment specifically addressing this proposed language; EPIC supported the change as correctly limiting the circumstances under which credit cards can be used as verification. The final Rule incorporates this change, stating “credit card in connection with a monetary transaction.” 
4. Alternative Online Payment Systems
At the outset of the Rule review, the Commission sought comment on whether to consider modifying the Rule to include alternative online payment systems, in addition to credit cards, as an acceptable means of verifying parental consent in connection with a monetary transaction. The Commission stated in the 2011 NPRM that, at such time, the record was insufficient to support a proposal to permit the use of alternative online payment systems for this purpose. The NPRM also indicated that the Commission was mindful of the potential for children's easy access to, and use of, alternative forms of payments (such as gift cards, debit cards, and online accounts). Thus, the Commission welcomed further discussion of the risks and benefits of using electronic payment methods as a consent mechanism.
Several commenters to the 2011 NPRM asked the Commission to reconsider its position that online payment systems are not yet reliable enough to provide verifiable parental consent, arguing that certain online payment options can meet the same stringent criteria as credit cards.  In particular, Scholastic stressed the importance to operators, particularly in the context of digital apps and other downloadable content, of providing customers the flexibility to use various convenient electronic payment methods. Scholastic urged the Commission to amend the Rule to provide that payment methods other than credit cards, such as debit cards and electronic payment systems, can satisfy the Rule's consent mechanism requirements if they provide separate notification of each discrete monetary transaction to the primary account holder. 
The Commission, upon review of all of the relevant comments, is persuaded that it should allow the use of other payment systems, in addition to credit cards, provided that any such payment system can meet the same stringent criteria as a credit card. As Scholastic articulated in its comment, the Rule should allow operators to use any electronic or online payment system as an acceptable means of obtaining verifiable parental consent in connection with a monetary transaction where (just as with a credit card) the payment system is used in conjunction with a direct notice meeting the requirements of § 312.4(c) and the operator provides notification of each discrete monetary transaction to the primary account holder. Accordingly, § 312.5(b)(2) of the final Rule includes the following language “requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder.”
5. Electronic or Digital Signatures
In response to the 2010 FRN, several commenters recommended that the Commission accept electronic or digital signatures as a form of verifiable consent.  In the 2011 NPRM, the Commission concluded that the term “electronic signature” has many meanings, ranging from “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record,”  to an electronic image of the stylized script associated with a person. The Commission determined that electronic signatures, without more indicia of reliability, were problematic in the context of COPPA's verifiable parental consent requirement.  The NPRM welcomed further comment on how to enhance the reliability of these convenient methods.
In commenting on the 2011 NPRM, several commenters asked the FTC to reconsider the utility of electronic signatures in the online world. The Commission has determined not to include electronic or digital signatures within the non-exhaustive list of acceptable consent mechanisms provided for in § 312.5, given the great variability in the reliability of mechanisms that may fall under this description. For instance, the Commission believes that simple digital signatures, which only entail the use of a finger or stylus to complete a consent form, provide too easy a means for children to bypass a site or service's parental consent process, and thus do not meet the statutory standard of “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.” However, the Rule would not prohibit an operator's acceptance of a digitally signed consent form where the signature provides other indicia of reliability that the signor is an adult, such as an icon, certificate, or seal of authenticity that accompanies the signature. At the same time, the Commission does not seek to limit or proscribe other types of digital signatures that may also meet the statutory standard. For these reasons, digital or electronic signatures are not included within the Rule's non-exhaustive list of parental consent mechanisms.
6. Platform Methods of Parental Consent
In response to the 2010 FRN, several commenters asked the Commission to consider whether, and in what circumstances, parental control features in game consoles, and presumably other devices, could be used to provide notice to parents and obtain verified consent under COPPA.  In the 2011 NPRM, the Commission acknowledged that parental control features can offer parents a great deal of control over a child's user experience and can serve as a complement to COPPA's parental consent requirements. However, the Commission concluded that, at that time, it did not appear that any such systems were adequately designed to comply with COPPA, and that the record was insufficient for it to determine whether a hypothetical parental consent mechanism would meet COPPA's verifiable parental consent standard. The Commission, in the 2011 NPRM, encouraged continued exploration of the concept of using parental controls in gaming consoles and other devices to notify parents and obtain their prior verifiable consent. 
In response to both the 2011 NPRM and the 2012 SNPRM, numerous stakeholders, including several platform providers, Web site and app developers, and child and privacy advocates, asked the Commission to consider modifications to the Rule to make clear that operators can choose to use a common mechanism—administered by a platform, gaming console, device manufacturer, COPPA safe harbor program,  or other entity—for the purpose of providing notice and obtaining parental consent for multiple operators simultaneously. 
Commenters offered a variety of proposals. For instance, several commenters envisioned that platform providers could provide a general notice and obtain consent to collect personal information for those purposes specified in the general notice, and that app developers wanting to collect or use information in ways differing from the general notice would need to independently provide a second separate notice to parents and obtain their consent. Facebook proposed that operators may also use such common consent mechanisms to meet other COPPA obligations, such as providing parental access to children's data collected by operators. The Walt Disney Company proposed two possible mechanisms: a “‘Kids Privacy Portal’—through which parents can express privacy preferences in one place for multiple online activities,” or a joint agreement between the platform operator and application providers “that determines how data will be collected and used, and how parents exercise control.” The Entertainment Software Association (“ESA”) proposed a similar program for video game platforms whereby consoles or hand-held device makers could leverage their existing parental controls technologies.
Commenters cited several potential benefits of common consent mechanisms, including: (1) Encouraging the development of interactive content for children by easing the burden individualized notice and consent places on operators, especially in the context of mobile apps  ; (2) focusing parental attention on one streamlined notice rather than on multiple, confusing, notices  ; and (3) promoting privacy by eliminating the need for each of these other operators to separately collect online contact information from the child in order to obtain parental consent.  The Center for Democracy and Technology acknowledges that, while not all parents may want to delegate to platforms the authority to get consent on behalf of individual operators, “others may want to empower their kids to share and obtain information through certain applications without being forced to sign off on every interaction with a new web service.” 
The Commission believes that common consent mechanisms, such as a platform, gaming console, or a COPPA safe harbor program, hold potential for the efficient administration of notice and consent for multiple operators. A well-designed common mechanism could benefit operators (especially smaller ones) and parents alike if it offers a proper means for providing notice and obtaining verifiable parental consent, as well as ongoing controls for parents to manage their children's accounts.  The Commission believes that such methods could greatly simplify operators' and parents' abilities to protect children's privacy.
Despite the potential benefits, the Commission declines, at this time, to adopt a specific provision for the following reasons. First, even without an express reference in the Rule to such a process, nothing forecloses operators from using a common consent mechanism so long as it meets the Rule's basic notice and consent requirements.  Second, the Commission did not specifically seek comment on this precise issue; nor has it proposed any language in either the NPRM or the SNPRM to address this point. Accordingly, the Commission is reluctant to adopt specific language without the benefit of notice and comment on such language to explore all potential legal and practical challenges of using a common consent mechanism.  Finally, the Commission believes that parties interested in using a common consent mechanism have the option to participate in the voluntary Commission approval process set forth in Section 312.5(3) of the final Rule.  That process would enable the Commission to evaluate, and other interested parties to publicly comment upon, such proposals in an effort to bring to market sound and practical solutions that will serve a broad base of operators.
7. The Sliding Scale (“Email Plus”) Method
In conducting the Rule review, the Commission sought comment on whether the sliding scale set forth in § 312.5(b)(2) remains a viable approach to verifiable parental consent.  Under the sliding scale, an operator, when collecting personal information only for its internal use, may obtain verifiable parental consent through an email from the parent, so long as the email is coupled with an additional step.  Such an additional step has included obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call, or sending a delayed confirmatory email to the parent after receiving consent.  The purpose of the additional step is to provide greater assurance that the person providing consent is, in fact, the parent. This consent method is often called “email plus.” 
In adopting the sliding scale approach in 1999, the Commission recognized that the email plus method was not as reliable as the other enumerated methods of verifiable parental consent.  However, it believed that this lower cost option was acceptable as a temporary option, in place until the Commission determined that more reliable (and affordable) consent methods had adequately developed.  In 2006, the Commission extended use of the sliding scale indefinitely, stating that the agency would continue to monitor technological developments and modify the Rule should an acceptable electronic consent technology develop. 
Email plus has enjoyed wide appeal among operators, who credit its simplicity.  The Commission sought comment in response to the 2010 FRN and at the June 2010 public roundtable on whether to retain email plus in the final Rule. Numerous commenters to the 2010 FRN, including associations who represent operators, supported the continued retention of this method as a low-cost means to obtain parents' consent.  At the same time, several commenters, including safe harbor programs and proponents of new parental consent mechanisms, challenged the method's reliability, given that operators have no real way of determining whether the email address a child provides is that of the parent, and there is no requirement that the parent's email response to the operator contain any additional information providing assurance that it is from a parent. 
In the 2011 NPRM, the Commission proposed eliminating email plus as a means of obtaining parental consent. The Commission considered whether operators' continued reliance on email plus may have inhibited the development of more reliable methods of obtaining verifiable parental consent. The Commission also made clear that, although internal uses may pose a lower risk of misuse of children's personal information than the sharing or public disclosure of such information, all collections of children's information merit strong verifiable parental consent.
Several commenters supported the Commission's proposal to eliminate email plus. These commenters opined that children can easily circumvent email plus and thus, that it is not sufficiently effective to meet the statutory requirement of being reasonably calculated to ensure that it is the parent providing consent.  Some of these commenters also echoed the Commission's concern that operators' continued reliance on email plus is a disincentive to innovation. 
A majority of the comments, however, strongly urged the Commission to retain email plus.  Several commenters indicated that email plus remains a widely used and valuable tool for communicating with parents and obtaining consent. These commenters maintained that email plus is easy for companies and parents to use, easy to understand, effective, and affordable.  In addition, several commenters expressed concern that other approved methods for obtaining consent would impose significant burdens on operators and parents.  Commenters also questioned whether other methods for verifiable parental consent are any more reliable than email plus.  Finally, several commenters challenged the FTC's assumption that eliminating email plus would spur further innovation in parental consent mechanisms. 
The Commission is persuaded by the weight of the comments that email plus, although imperfect, remains a valued and cost-effective consent mechanism for certain operators. Accordingly, the final Rule retains email plus as an acceptable consent method for operators collecting personal information only for internal use. Nevertheless, the Commission continues to believe that email plus is less reliable than other methods of consent, and is concerned that, twelve years after COPPA became effective, so many operators rely upon what was supposed to be a temporary option. The Commission is also concerned about perpetuating for much longer a distinction between internal and external uses of personal information that the COPPA statute does not make. Thus, the Commission strongly encourages industry to innovate to create additional useful mechanisms as quickly as possible.
8. Voluntary Process for Commission Approval of Parental Consent Mechanisms
Under the Rule, methods to obtain verifiable parental consent “must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.”  The Rule thus provides operators with the opportunity to craft consent mechanisms that meet this standard but otherwise are not enumerated in paragraph (b)(2) of § 312.5. Nevertheless, the recent Rule review process revealed that, whether out of concern for potential liability, ease of implementation, or lack of technological developments, operators have been reluctant to utilize consent methods other than those specifically set forth in the Rule.  As a result, little technical innovation in the area of parental consent has occurred.
To encourage the development of new consent mechanisms, and to provide transparency regarding consent mechanisms that may be proposed, the Commission in the 2011 NPRM proposed establishing a process in the Rule through which parties may, on a voluntary basis, seek Commission approval of a particular consent mechanism. Applicants who seek such approval would be required to present a detailed description of the proposed parental consent mechanism, together with an analysis of how the mechanism meets the requirements of § 312.5(b)(1) of the Rule. The Commission would publish the application in the Federal Register for public comment, and approve or deny the applicant's request in writing within 180 days of its filing.
The NPRM stated the Commission's belief that this new approval process, aided by public input, would allow the Commission to give careful consideration, on a case-by-case basis, to new forms of obtaining consent as they develop in the marketplace. The Commission also noted that the new process would increase transparency by publicizing approvals or rejections of particular consent mechanisms, and should encourage operators who may previously have been tentative about exploring technological advancements to come forward and share them with the Commission and the public.
The Commission received several comments expressing support for the concept of a voluntary Commission approval process for new consent mechanisms. At the same time, several commenters that supported the concept also opined that the 180-day approval period was too lengthy and would likely discourage use of the program. Commenters also expressed concerns that applications for approval would be subject to public comment. One commenter asked the Commission instead to consider publicly releasing a letter explaining the Commission's decision to approve or disapprove a mechanism and thereby signaling what is an acceptable consent mechanism, without causing undue delay or risking the disclosure of proprietary information.
One commenter opposed to the voluntary approval process asserted that it would be ultra vires to the COPPA statute and would create a de facto requirement for FTC approval of any new consent mechanisms, thereby discouraging operators from developing or using new means not formally approved by the Commission.  The Commission does not believe that offering operators the opportunity to apply for a voluntary approval process will either de facto create an additional COPPA requirement or chill innovation. This is just one more option available to operators.
The Commission also is persuaded by the comments requesting that it shorten the 180-day approval period. Accordingly, the final Rule's provision for Commission approval of parental consent mechanisms provides that the Commission shall issue a written determination within 120 days of the filing of the request. The Commission anticipates that some commenters will find that this time period also is longer than desired; however, it sets a reasonable time frame in which to solicit public comment and carefully determine whether a consent mechanism is sufficiently well-designed to fulfill the Rule's requirements.
The Commission has determined not to alter the requirement that the proposed mechanisms undergo public review and comment. This is an important component of the approval process. Moreover, just as the Commission has done for COPPA safe harbor applicants, it would permit those entities that voluntarily seek approval of consent mechanisms to seek confidential treatment for those portions of their applications that they believe warrant trade secret protection. In the event an applicant is not comfortable with the Commission's determination as to which materials will be placed on the public record, it will be free to withdraw the proposal from the approval process.
Accordingly, the Commission has amended the Rule to institute this voluntary approval process. For ease of organization, the Commission has created a new section—312.12 (“Voluntary Commission Approval Processes”)—to encompass both this approval process and the process for approval of additional activities under the support for internal operations definition.
9. Safe Harbor Approval of Parental Consent Mechanisms
Several commenters urged the Commission to permit Commission-approved safe harbor programs to serve as laboratories for developing new consent mechanisms.  The Commission stated its agreement in the 2011 NPRM that establishing such a system may aid the pace of development in this area. The Commission also stated that, given the measures proposed to strengthen Commission oversight of safe harbor programs, allowing safe harbors to approve new consent mechanisms would not result in the loosening of COPPA's standards for parental consent. Thus, the 2011 NPRM included a proposed Rule provision stating that operators participating in a Commission-approved safe harbor program may use any parental consent mechanism deemed by the safe harbor program to meet the general consent standard set forth in § 312.5(b)(1). Although one commenter expressed concern that this would lead to a “race to the bottom” by safe harbor programs,  most of the comments were favorable.  Moreover, the Commission believes its added oversight will prevent any “race to the bottom” efforts. Accordingly, the Commission adopts this provision unchanged from its September 2011 proposal.
10. Exceptions to Prior Parental Consent
The COPPA Act and the Rule address five fact patterns under which an operator may collect limited pieces of personal information from children prior to, or sometimes without, obtaining parental consent.  These exceptions permit operators to communicate with the child to initiate the parental consent process, respond to the child once or multiple times, and protect the safety of the child or the integrity of the Web site.  The 2011 NPRM proposed minor changes to the Rule to add one new exception.
a. Section 312.5(c)(1)
The Rule's first exception, § 312.5(c)(1), permits an operator to collect “the name or online contact information of a parent or child” to be used for the sole purpose of obtaining parental consent. In view of the limited purpose of the exception—to reach the parent to initiate the consent process—the Commission proposed in the 2011 NPRM to limit the information collection under this exception to the parent's online contact information only. However, as one commenter pointed out,  the COPPA statute expressly provides that, under this exception, an operator can collect “the name or online contact information of a parent or child.” 
Accordingly, the Commission retains § 312.5(c)(1) allowing for the collection of the name or online contact information of the parent or child in order to initiate the notice and consent process. 
b. Section 312.5(c)(2)
The 2011 NPRM proposed adding one additional exception to parental consent in order to give operators the option to collect a parent's online contact information for the purpose of providing notice to, or updating, the parent about a child's participation in a Web site or online service that does not otherwise collect, use, or disclose children's personal information.  The proposed exception, numbered 312.5(c)(2), provided that the parent's online contact information may not be used for any other purpose, disclosed, or combined with any other information collected from the child. The Commission indicated its belief that collecting a parent's online contact information for the limited purpose of notifying the parent of a child's online activities in a site or service that does not otherwise collect personal information is reasonable and should be encouraged.
The few comments addressing this proposed additional exception generally supported it.  Certain commenters recommended minor clarifications, such as adding language to indicate that the notice is voluntary and that operators can link a parent's email address to the child's account.  Upon consideration of the commenters' suggestions, the Commission has made minor changes to the language of this exception to clarify that its use is voluntary and that operators can use the exception to provide notice and subsequent updates to parents. The Commission did not find that clarification is needed to enable operators to link the parent's email to the child's account. Therefore, § 312.5(c)(2) of the final Rule permits the collection of a parent's online contact information to provide voluntary notice to, and subsequently update the parent about, the child's participation in a Web site or online service that does not otherwise collect, use, or disclose children's personal information, where the parent's contact information is not used or disclosed for any other purpose. 
c. Section 312.5(c)(3) (One-Time Use Exception)
Section 312.5(c)(2) of the Rule provides that an operator is not required to provide notice to a parent or obtain consent where the operator has collected online contact information from a child for the sole purpose of responding on a one-time basis to a child's request, and then deletes the information. The 2011 NPRM proposed a minor change to the language of the one-time use exception, stating that the exception would apply where the operator collected a child's online contact information for such purpose. One commenter pointed out that the Rule language, “online contact information from a child,” is taken directly from the COPPA statute. The commenter also expressed concern that the Commission's proposed change to the language may prevent operators from offering several popular one-time use activities under this exception.  In proposing this minor change, the Commission did not intend to further constrict the permissible uses of online contact information under the one-time-use exception (such as notifications regarding a contest or sweepstakes, homework help, birthday messages, forward-to-a-friend emails, or other similar communications). The Commission is persuaded, therefore, to retain the existing language in § 312.5(c)(3) permitting the collection of online contact information from a