Skip to Content

Proposed Rule

Children's Online Privacy Protection Rule: Request for Comments

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 21107

AGENCY:

Federal Trade Commission.

ACTION:

Request for public comment.

SUMMARY:

As required by law, the Federal Trade Commission (the “FTC” or “Commission”) requests public comment on its implementation of the Children's Online Privacy Protection Act (“COPPA” or “the Act”), 15 U.S.C. 6501-6508, through the Children's Online Privacy Protection Rule (“COPPA Rule” or “the Rule”). The COPPA Rule imposes certain requirements on operators of Web sites or online services directed to children under 13 years of age and other Web sites or online services that have actual knowledge that they are collecting personal information from a child under 13 years of age. The Commission requests comment on the costs and benefits of the Rule as well as on whether it should be retained, eliminated, or modified. The Commission also requests comment concerning the Rule's effect on: practices relating to the collection and disclosure of information relating to children; children's ability to obtain access to information of their choice online; and the availability of Web sites directed to children. At the end of the FTC's review, the agency will submit a report to Congress assessing the implementation of the Rule. All interested persons are hereby given notice of the opportunity to submit written data, views, and arguments concerning the Rule. As explained in a separate document being published elsewhere in this issue of the Federal Register, the Commission is also issuing a final amendment to the Rule to extend the sliding scale mechanism, which allows Web site operators to use e-mail with additional verification steps to obtain verifiable parental consent for the collection of personal information from children for internal use by the Web site operator, until the conclusion of this broader review.

DATES:

Comments must be received by June 27, 2005.

ADDRESSES:

Comments should refer to “COPPA Rule Review 2005, Project No. P054505” to facilitate the organization of comments. A comment filed in paper form should include this reference both in the text and on the envelope, and should be mailed or delivered to the following address: Federal Trade Commission/Office of the Secretary, Room 159-H (Annex C), 600 Pennsylvania Avenue, NW., Washington, DC 20580. Comments containing confidential material must be filed in paper form, must be clearly labeled “Confidential,” and must comply with Commission Rule 4.9(c).[1]

Comments filed in electronic form should be submitted by clicking on the following Web link: https://secure.commentworks.com/​ftccopparulereview/​ and following the instructions on the Web-based form. To ensure that the Commission considers an electronic comment, you must file it on the Web-based form at the https://secure.commentworks.com/​ftccopparulereview/​ Web link. You may also visit http://www.regulations.gov to read this request for public comment and may file an electronic comment through that Web site. The Commission will consider all comments that regulations.gov forwards to it.

The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. All timely and responsive public comments, whether filed in paper or electronic form, will be considered by the Commission, and will be available to the public on the FTC Web site, to the extent practicable, at http://www.ftc.gov/​privacy/​privacyinitiatives/​childrens_​lr.html. As a matter of discretion, the FTC makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC Web site. More information, including routine uses permitted by the Privacy Act, may be found in the FTC's privacy policy, at http://www.ftc.gov/​ftc/​privacy.htm.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Karen Muoio, (202) 326-2491, or Rona Kelner, (202) 326-2752, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Mail Drop NJ-3212, Washington, DC 20580.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

I. Background

On October 21, 1998, Congress issued COPPA, which prohibits certain unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personal information from children on the Internet.[2] Pursuant to COPPA's requirements, the Commission issued its final Rule implementing COPPA on October 20, 1999.[3] Effective as of April 21, 2000, the Rule imposes certain requirements on operators of Web sites or online services directed to children under 13 years of age, and on operators of other Web sites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age (collectively, “operators”).[4]

Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children and prohibits them from conditioning children's participation in activities on the collection of more personal information than is reasonably necessary to participate in such activity. Further, the Rule provides a safe harbor for operators following Commission-approved self-regulatory guidelines, and instructions on how to get such guidelines approved.

When the Commission issued the Rule in 1999, it adopted a sliding scale approach to parental consent.[5] Under such an approach, the measures required for parental consent depend on how a Web site operator uses children's information. The Commission adopted this approach because of the concern that it was not feasible to require more technologically advanced methods of consent for internal uses of information. To reflect that technology may change, this approach was scheduled to sunset in 2002. In 2002, after a public comment process, the Commission extended it until April 21, 2005.[6] In January 2005, the Commission sought public comment concerning whether to make the sliding scale approach permanent.[7] The Commission has concluded that further evaluation of the sliding scale in the broader context of the Commission's Start Printed Page 21108Rule review would be appropriate.[8] Therefore, in a separate document being published elsewhere in this issue of the Federal Register, the Commission is also issuing a final amendment to the Rule to extend the sliding scale mechanism pending further review.[9]

II. Rule Review

The Children's Online Privacy Protection Act and Section 312.11 of the Rule require that the Commission initiate a review no later than April 21, 2005, to evaluate the Rule's implementation. The Act and Section 312.11 of the Rule mandate that this review specifically consider the Rule's effect on: (1) Practices relating to the collection and disclosure of information relating to children; (2) children's ability to obtain access to information of their choice online; and (3) the availability of Web sites directed to children. The Act and Section 312.11 also require that the Commission report to Congress on the results of this review.

The Commission also reviews each of its rules at least once every ten years to determine whether they should be retained, eliminated, or modified in light of changes in the marketplace or technology. The FTC has not conducted a regulatory review of the Rule since it became effective in 2000. The Commission therefore has determined to pose its standard regulatory review questions at this time to determine whether the Rule should be retained, eliminated, or modified. The Commission also has determined that it would be beneficial to seek comments—in addition to those already received—on the effectiveness of and need for the sliding scale approach to obtaining verifiable parental consent.

The Commission's experience in administering the Rule has raised four additional issues on which public comment would be especially useful. First, the Commission has been made aware of concerns about the factors used to determine whether a Web site is directed at children. Currently, such factors include the subject matter of the site, visual or audio content, age of models, language used, target audience of advertising or promotional materials, and empirical evidence regarding audience composition or intended audience. The Commission therefore seeks comment on whether the factors should be clarified or supplemented.

Second, the Commission requests comment on an issue that has arisen in the context of determining whether a general audience Web site operator has actual knowledge of a child's age. Some operators in the past have collected age information and refused to allow children to participate while informing them that they must be 13 or older to participate. The operators then have allowed children to “back-button,” or return to the entry screen, and enter an older age. The Final Rule's Statement of Basis and Purpose discusses the meaning of “actual knowledge” and, since the inception of the Rule, the Commission has published additional business guidance on the term.[10] The Commission seeks comment on whether the term “actual knowledge” is sufficiently clear and whether Web site operators are encouraging children to back-button and change their age.

Third, the Commission specifically invites comment on the use of credit cards as a means of obtaining verifiable parental consent. Currently the Rule allows operators to obtain verifiable parental consent through the use of a credit card in connection with a transaction. It appears that some companies are now marketing debit cards to children, who may be able to use these cards to circumvent the parental consent requirement. In addition, some operators may be failing to conduct an actual transaction with the credit card, which provides some extra assurance that the person providing consent is the parent. Instead, the operators may be using methods that merely verify that a given credit card number is valid.

Fourth, the Commission seeks comment on the COPPA safe harbor program. The Rule's safe harbor provision allows industry groups and other entities to seek Commission approval of self-regulatory guidelines that implement substantially similar requirements to the Rule that provide the same or greater protections for children. Operators are deemed to be in compliance with the Rule if they comply with a safe harbor program's guidelines. Four safe harbor programs have been approved by the Commission—CARU, TRUSTe, ESRB, and Privo—and the Commission is interested in feedback on the effectiveness of these types of programs.

The Commission therefore seeks public comments relating to the subjects specifically noted in the Act and Section 312.11 of the Rule. It also seeks public comments concerning the costs and benefits of the Rule, including whether any modifications to the Rule are needed in light of changes in technology or in the marketplace. Furthermore, it seeks public comment on four practical issues that have arisen in the course of Rule enforcement. Public comments will assist the Commission in determining whether the Rule needs to be changed and in preparing a report to Congress on the effect of the Rule's implementation.

III. Request for Comments

The Commission invites members of the public to comment on any issues or concerns they believe are relevant or appropriate to the Commission's review of the COPPA Rule, including written data, views, facts, and arguments addressing the Rule. All comments should be filed as prescribed in the ADDRESSES section above, and must be received by June 27, 2005. The Commission is particularly interested in comments addressing the following questions:

A. General Questions for Comment

(1) Are children's online privacy and safety at greater, lesser, or the same risk as existed before COPPA and the Rule? Please explain.

(2) Is there a continuing need for the Rule as currently promulgated? Why or why not?

(a) Since the Rule was issued, have changes in technology, industry, or economic conditions affected the need for or effectiveness of the Rule?

(b) Does the Rule include any provisions, not mandated by the Act, that are unnecessary? If so, which ones are unnecessary and why?

(c) What are the aggregate costs and benefits of the Rule?

(d) Have the costs or benefits of the Rule dissipated over time?

(e) Does the Rule contain provisions, not mandated by the Act, whose costs outweigh their benefits?

(3) What effect, if any, has the Rule had on children, parents, or other consumers?

(a) Has the Rule benefitted children, parents, or other consumers? If so, how?

(b) Has the Rule imposed any costs on children, parents, or other consumers? If so, what are these costs?

(c) What changes, if any, should be made to the Rule to increase its benefits, consistent with the Act's requirements? What costs would these changes impose? Start Printed Page 21109

(4) What impact, if any, has the Rule had on operators?

(a) Has the Rule provided benefits to operators? If so, what are these benefits?

(b) Has the Rule imposed costs, including costs of compliance, on operators? If so, what are these costs?

(c) How many hours does it take initially for an operator to come into compliance with the Rule? How many hours are spent each year for an operator to remain in compliance with the Rule? How much does it cost to comply with the Rule?

(d) What changes, if any, should be made to the Rule to reduce the costs imposed on operators, consistent with the Act's requirements? How would those changes affect the Rule's benefits?

(e) Are there regulatory alternatives to the Rule that might impose fewer costs yet still meet with the Act's and the Rule's objective of protecting children's online privacy and safety?

(5) How many small businesses are subject to the Rule? What costs (types and amounts) do small businesses incur in complying with the Rule? How has the Rule otherwise affected operators that are small businesses? Have the costs or benefits of the Rule changed over time with respect to small businesses? What regulatory alternatives, if any, would decrease the Rule's burden on small businesses, consistent with the Act's requirements?

(6) Does the Rule overlap or conflict with other federal, state, or local government laws or regulations? If so, what are these laws and regulations? How does the Rule overlap or conflict with them? How should these overlaps and conflicts be resolved, consistent with the Act's requirements?

(a) To what extent have state attorneys general or other federal agencies brought actions under the Rule?

(b) Are there any unnecessary regulatory burdens created by overlapping jurisdiction? If so, what can be done to ease the burdens, consistent with the Act's requirements?

(c) Are there any gaps where no federal, state, or local government law or regulation has addressed a problematic practice relating to children's online privacy?

(7) Has the Rule affected practices relating to the collection and disclosure of information relating to children online? If so, how?

(8) Has the Rule affected children's ability to obtain access to information of their choice online? If so, how?

(9) Has the Rule affected the availability of Web sites or online services directed to children? If so, how?

(a) Has the number or type of Web sites or online services directed to children changed since the Rule became effective? If so, how? Did the Rule cause these changes?

(b) Approximately how many new Web sites and online services are created each year that are directed to children?

B. Definitions

(10) Do the definitions set forth in Section 312.2 of the Rule accomplish COPPA's goal of protecting children's online privacy and safety?

(11) Are the definitions in Section 312.2 clear and appropriate? If not, how can they be improved, consistent with the Act's requirements?

(12) Does Section 312.2 correctly articulate the factors to consider in determining whether a Web site or online service is directed to children? If not, what additional factors should be considered? Do any of the current factors need to be clarified? If so, how? Please note that any suggested modifications to this Section must be consistent with the Act's requirements.

(13) The Final Rule's Statement of Basis and Purpose, 64 FR 59888 (Nov. 3, 1999), and subsequent business guidance by the Commission have discussed when an operator or online service will be deemed to have “actual knowledge” that it has collected information from a child. Is the term “actual knowledge” sufficiently clear? If not, how can the term be clarified further, consistent with the Act's requirements? In addition, does the situation where children intentionally submit an incorrect age older than 12 on general audience Web sites continue to raise Rule enforcement issues? If so, how can this situation be addressed, consistent with the Act's requirements?

(14) Are there additional definitions that should be added to the Rule? If so, what terms should be defined and how should they be defined, consistent with the Act's requirements?

C. Notice

(15) Section 312.4 of the Rule requires operators to provide notice of their information practices both online and directly to parents. These notices must inform parents about what information operators collect from children, how operators use such information, and their disclosure practices for such information.

(a) Has the notice requirement been effective in protecting children's online privacy and safety? If so, how?

(b) Do the benefits of the notice requirement outweigh its costs? Please explain.

(c) What changes, if any, should be made to the notice requirement, including modifying the information required to be disclosed, consistent with the Act's requirements? What are the costs and benefits of these changes?

D. Verifiable Parental Consent

(16) Section 312.5 of the Rule requires operators to obtain verifiable parental consent before any collection, use, and/or disclosure of personal information from children, including any material change to practices to which the parent previously consented.

(a) Has the consent requirement been effective in protecting children's online privacy and safety? If so, how?

(b) Do the benefits of the consent requirements outweigh their costs to operators? Please explain.

(c) What changes, if any, should be made to the consent requirement, consistent with the Act's requirements? What are the costs and benefits of these changes?

(d) Is the use of a credit card in combination with a transaction a reasonable means of verifying whether the person providing consent is the child's parent? Is the use of a credit card without a transaction a reasonable means of verifying whether the person providing consent is the child's parent? What about the use of a credit card without a transaction but with an additional step, such as verification of a mailing address or the use of a PIN number, to verify that a parent is providing consent? Please explain. Does the availability of credit or debit cards to children under 13 years of age affect your analysis? If so, how?

(e) Section 312.5(c) sets forth five exceptions to the verifiable parental consent requirement. Do the benefits of the Rule's exceptions to prior parental consent outweigh their costs?

(17) Section 312.5 of the Rule currently permits operators that collect children's personal information online for only internal uses to obtain verifiable parental consent via an e-mail plus additional steps to ensure that the person providing consent is, in fact, the child's parent (the so-called “sliding scale” approach).[11]

(a) Are secure electronic mechanisms now widely available to facilitate verifiable parental consent at a reasonable cost? Please include comments on the following:

(i) Digital signature technology; Start Printed Page 21110

(ii) Digital certificate technology;

(iii) Other digital credentialing technology;

(iv) P3P technology; and

(v) Other secure electronic technologies.

(b) Are infomediary services now widely available to facilitate verifiable parental consent at a reasonable cost?

(c) When are secure electronic mechanisms and/or infomediary services for obtaining verifiable parental consent anticipated to become available at a reasonable cost? To what extent would the Commission's decision to eliminate, make permanent, or extend the sliding scale mechanism affect the incentive to develop and deploy these means of obtaining verifiable parental consent?

(d) What effect would eliminating the sliding scale have on the information collection and use practices of Web site operators? For example, would the elimination of the sliding scale mechanism encourage Web site operators to collect children's personal information for uses other than the operators' own internal use because the cost of obtaining parental consent would be the same for internal as well as external uses?

(e) Is there any evidence that the sliding scale mechanism is being misused, or is not working effectively?

(f) Should the sliding scale mechanism be extended? If so, why and for how long?

(g) Should the sliding scale mechanism be eliminated? If so, why?

(h) Should the sliding scale mechanism be made permanent? If so, why?

E. Right of Parent To Review Personal Information Provided by a Child

(18) Section 312.6 of the Rule requires operators to give parents, upon their request: (1) A description of the specific types of personal information collected from children; (2) the opportunity for the parent to refuse to permit the further use or collection of personal information from the child and direct the deletion of the information; and (3) a means of reviewing any personal information collected from the child.

(a) Have these requirements been effective in protecting children's online privacy and safety? If so, how?

(b) Do the benefits of these requirements outweigh their costs?

(c) What changes, if any, should be made to these requirements, consistent with the Act's requirements? What are the costs and benefits of these changes?

F. Prohibition Against Conditioning a Child's Participation on Collection of Personal Information

(19) Section 312.7 of the Rule prohibits operators from conditioning a child's participation in an activity on disclosing more personal information than is reasonably necessary to participate in such activity.

(a) Has the prohibition been effective in protecting children's online privacy and safety? If so, how?

(b) Do the benefits of the prohibition outweigh its costs? Please explain.

(c) What changes, if any, should be made to the prohibition, consistent with the Act's requirements? What are the costs and benefits of these changes?

G. Confidentiality, Security, and Integrity of Personal Information Collected From a Child

(20) Section 312.8 of the Rule requires operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from a child.

(a) Has this requirement been effective in protecting children's online privacy and safety? If so, how?

(b) Do the benefits to consumers of this requirement outweigh its costs?

(c) What changes, if any, should be made to this requirement, consistent with the Act's requirements? What are the costs and benefits of these changes?

(d) Is the requirement that operators establish and maintain “reasonable procedures” to protect children's information sufficiently clear? If not, how could it be clarified, consistent with the Act's requirements?

H. Safe Harbors

(21) Section 312.10 of the Rule provides that an operator will be deemed in compliance with the Rule's requirements if the operator complies with Commission-approved self-regulatory guidelines.

(a) Has the safe harbor approach been effective in protecting children's online privacy and safety? If so, how?

(b) Do the benefits of the safe harbor approach outweigh its costs?

(c) What changes, if any, should be made to the safe harbor approach, consistent with the Act's requirements? What are the costs and benefits of these changes?

IV. Communications by Outside Parties to Commissioners or Their Advisors

Written communications and summaries of transcripts of oral communications respecting the merits of this proceeding from any outside party to any Commissioner or Commissioner's advisor will be placed on the public record.[12]

Start List of Subjects

List of Subjects in 16 CFR Part 312

End List of Subjects Start Authority

Authority: 15 U.S.C. 6501-6508.

End Authority Start Signature

By direction of the Commission.

Donald S. Clark,

Secretary.

End Signature End Supplemental Information

Footnotes

1.  The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission's General Counsel, consistent with applicable law and the public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).

Back to Citation

5.  The Commission adopted the sliding scale as part of the Rule in 1999 after receiving public comments and conducting a July 1999 public workshop on consent methods. These comments and a transcript of the workshop are located at http://www.ftc.gov/​privacy/​comments/​ index.html and http://www.ftc.gov/​privacy/​ chonlpritranscript.pdf, respectively.

Back to Citation

8.  All comments received in response to the January 2005 Notice of Proposed Rulemaking and Request for Comment are located at http://www.ftc.gov/​os/​publiccomments.htm.

Back to Citation

9.  For purposes of this review, the Commission will continue to consider all comments submitted in response to its January 2005 Notice of Proposed Rulemaking and Request for Comment; accordingly, previous commenters need not resubmit their comments.

Back to Citation

10.  The Children's Online Privacy Protection Rule: Not Just for Kids' Sites, available online at http://www.ftc.gov/​bcp/​conline /pubs/alerts/coppabizalrt.htm.

Back to Citation

11.  The questions posed in this subpart duplicate the questions asked in the January 2005 Notice of Proposed Rulemaking and Request for Comment, 70 FR 2580. The Commission will reconsider all comments previously submitted in response to that request, so no resubmission is necessary.

Back to Citation

[FR Doc. 05-8160 Filed 4-21-05; 8:45 am]

BILLING CODE 6750-01-P