Skip to Content

Proposed Rule

Request for Public Comment on the Federal Trade Commission’s Implementation of the Children’s Online Privacy Protection Rule

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Federal Trade Commission.

ACTION:

Request for public comment.

SUMMARY:

The Federal Trade Commission (“FTC” or “Commission”) requests public comment on its implementation of the Children’s Online Privacy Protection Act (“COPPA” or “the Act”), through the Children’s Online Privacy Protection Rule (“COPPA Rule” or “the Rule”),. The Commission requests comment on the costs and benefits of the Rule, as well as on whether it, or certain sections, should be retained, eliminated, or modified. All interested persons are hereby given notice of the opportunity to submit written data, views, and arguments concerning the Rule.

DATES:

Written comments must be received by June 30, 2010.

ADDRESSES:

Interested parties are invited to submit written comments electronically or in paper form, by following the instructions in the Invitation To Comment part of the “SUPPLEMENTARY INFORMATION” section below. Comments in electronic form should be submitted by using the following weblink: (https://public.commentworks.com/​ftc/​2010copparulereview) (and following the instructions on the web-based form). Comments in paper form should be mailed or delivered to the following address: Federal Trade Commission, Office of the Secretary, Room H-135 (Annex E), 600 Pennsylvania Avenue, NW, Washington, DC 20580, (202) 326-2252.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Phyllis Marcus, (202) 326-2854, or Mamie Kresses, (202) 326-2070, Attorneys, Federal Trade Commission, Division of Advertising Practices, Federal Trade Commission, Washington, D.C. 20580.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

Section I. Background

The COPPA Rule, issued pursuant to the Children’s Online Privacy Protection Act, 15 U.S.C. § 6501, et seq., became effective on April 21, 2000. The Rule imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age (collectively, “operators”).[1] Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children and prohibits them from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities. Further, the Rule contains a “safe harbor” provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule’s protections.[2]

Section II. Rule Review

COPPA and § 312.11 of the Rule required the Commission to initiate a review no later than five years after the Rule’s effective date to evaluate the Rule’s implementation. The Commission commenced this mandatory review on April 21, 2005. After receiving and considering extensive public comment on the Rule, the Commission determined in March 2006 to retain the COPPA Rule without change.[3] However, the Commission believes that changes to the online environment over the past five years, including but not limited to children’s increasing use of mobile technology to access the Internet, warrant reexamining the Rule at this time.

In this notice, the Commission poses its standard regulatory review questions to determine whether the Rule should be retained, eliminated, or modified. In addition, the Commission identifies several areas where public comment would be especially useful. First, the Commission asks whether the Rule’s current definitions are sufficiently clear and comprehensive, or whether they might warrant modification or expansion, consistent with the COPPA statute. Among other questions, the Commission asks for comment on the application of the definition of “Internet” to mobile communications, interactive television, interactive gaming, and similar activities. Further, the Commission asks whether the Rule’s definition of “personal information” should be expanded to include other items of information that can be collected from children online and are not currently specified in the Rule, such as persistent IP addresses, mobile geolocation information, or information collected in connection with online behavioral advertising.

The Commission also seeks comment on the use of automated systems for reviewing children’s web submissions (e.g., those that filter out any personally identifiable information prior to posting). In addition, the Commission asks whether change is warranted as to the Rule provisions on protecting the confidentiality and security of personal information, the right of parents to review or delete personal information, and the prohibition against conditioning a child’s participation on the collection of personal information. Finally, the Commission seeks comment about its role in administering the Rule’s safe harbor provisions.

Section III. Questions Regarding the COPPA Rule

The Commission invites members of the public to comment on any issues or concerns they believe are relevant or appropriate to the Commission’s review of the COPPA Rule, and to submit written data, views, facts, and arguments addressing the Rule. All comments should be filed as prescribed in the Invitation To Comment part of the “SUPPLEMENTARY INFORMATION” section below, and must be received by June 30, 2010. The Commission is particularly interested in comments addressing the following questions:

A. General Questions for Comment

1. Is there a continuing need for the Rule as currently promulgated? Why or why not?

a. Since the Rule was issued, have changes in technology, industry, or economic conditions affected the need for or effectiveness of the Rule?

b. What are the aggregate costs and benefits of the Rule?

c. Does the Rule include any provisions not mandated by the Act that are unnecessary or whose costs outweigh their benefits? If so, which ones and why?Start Printed Page 17090

2. What effect, if any, has the Rule had on children, parents, or other consumers?

a. Has the Rule benefitted children, parents, or other consumers? If so, how?

b. Has the Rule imposed any costs on children, parents, or other consumers? If so, what are these costs?

c. What changes, if any, should be made to the Rule to increase its benefits, consistent with the Act’s requirements? What costs would these changes impose?

3. What impact, if any, has the Rule had on operators?

a. Has the Rule provided benefits to operators? If so, what are these benefits?

b. Has the Rule imposed costs on operators, including costs of compliance in time or monetary expenditures? If so, what are these costs?

c. What changes, if any, should be made to the Rule to reduce the costs imposed on operators, consistent with the Act’s requirements? How would these changes affect the Rule’s benefits?

4. How many small businesses are subject to the Rule? What costs (types and amounts) do small businesses incur in complying with the Rule? How has the Rule otherwise affected operators that are small businesses? Have the costs or benefits of the Rule changed over time with respect to small businesses? What regulatory alternatives, if any, would decrease the Rule’s burden on small businesses, consistent with the Act’s requirements?

5. Does the Rule overlap or conflict with any other federal, state, or local government laws or regulations? How should these overlaps or conflicts be resolved, consistent with the Act’s requirements?

a. Are there any unnecessary regulatory burdens created by overlapping jurisdiction? If so, what can be done to ease the burdens, consistent with the Act’s requirements?

b. Are there any gaps where no federal, state, or local government law or regulation has addressed a problematic practice relating to children’s online privacy? Could or should any such gaps be remedied by a modification to the Rule?

B. Definitions

6. Do the definitions set forth in § 312.2 of the Rule accomplish COPPA’s goal of protecting children’s online privacy and safety?

7. Are the definitions in § 312.2 clear and appropriate? If not, how can they be improved, consistent with the Act’s requirements?

8. Should the definitions of “collects or collection” and/or “disclosure” be modified in any way to take into account online technologies and/or Internet activities and features that have emerged since the Rule was enacted or that may emerge in the future? For instance, how will the use of centralized authentication methods (e.g., OpenId) affect individual websites’ COPPA compliance efforts?

9. The Rule considers personal information to have been “collected” where an operator enables children to make personal information publicly available through a chat room, message board, or other means, except where the operator “deletes” all individually identifiable information from postings by children before they are made public and deletes such information from the operator’s records.

a. Are there circumstances in which an operator using an automated system of review and/or posting meets the deletion exception to the definition of collection?

b. Does the Rule’s current definition of “delete” provide sufficient guidance to operators about how to handle the removal of personal information?

10. Should the definition of “collection” be modified or clarified to include other means of collection of personal information from children that are not specifically enumerated in the Rule’s current definition?

11. What are the implications for COPPA enforcement raised by technologies such as mobile communications, interactive television, interactive gaming, or other similar interactive media, consistent with the Act’s definition of “Internet”?

12. The Rule defines “personal information” as individually identifiable information about an individual collected online, and enumerates such items of information. Do the items currently enumerated as “personal information” need to be clarified or modified in any way, consistent with the Act?

13. Section 1302(8)(F) of the Act provides the Commission with discretion to include in the definition of “personal information” any identifier that it determines would permit the physical or online contacting of a specific individual.

a. Do operators, including network advertising companies, have the ability to contact a specific individual, either physically or online, using one or more pieces of information collected from children online, such as user or screen names and/or passwords, zip code, date of birth, gender, persistent IP addresses, mobile geolocation information, information collected in connection with online behavioral advertising, or other emerging categories of information? Are operators using such information to contact specific individuals?

b. Should the definition of “personal information” in the Rule be expanded to include any such information?

14. Are providers of downloadable software collecting information from children that permits the physical or online contacting of a specific individual?

15. Should the Rule define “the physical or online contacting of a specific individual,” “website,” “online service,” or any other term not currently defined? If so, how should such terms be defined, consistent with the Act’s requirements?

C. Notice

16. Section 312.4 of the Rule sets out the requirements for the content and delivery of operators’ notices of their information practices with regard to children.

a. Are the requirements in this Part clear and appropriate? If not, how can they be improved?

b. Should the notice requirements be clarified or modified in any way to reflect changes in the types or uses of children’s information collected by operators or changes in communications options available between operators and parents?

D. Parental Consent

17. Section 312.5 of the Rule requires operators to obtain verifiable parental consent before collecting, using, and/or disclosing personal information from children, including consent to any material change to practices to which the parent previously consented. This Part further requires operators to make reasonable efforts to obtain this consent, which efforts are reasonably calculated to ensure that the person providing consent is the child’s parent, taking into consideration available technology.

a. Has the consent requirement been effective in protecting children’s online privacy and safety?

b. What data exists on: (1) operators’ use of parental consent mechanisms; (2) parents’ awareness of the Rule’s parental consent requirements; or (3) parents’ response to operators’ parental consent requests?

18. Section 312.5(b)(2) of the Rule provides a non-exhaustive list of approved methods to obtain verifiable parental consent, including: providing a consent form to be signed by the parent and returned to the operator; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free number staffed by trained personnel; using a digital Start Printed Page 17091certificate that uses public key technology; and using email accompanied by a PIN/password obtained through one of the other enumerated verification methods.

a. To what extent are operators using each of the enumerated methods? Please provide as much specific data as possible, including the costs and benefits associated with each method described.

b. Are there additional methods to obtain verifiable parental consent, based on current or emerging technological changes, that should be added to § 312.5 of the Rule? What are the costs and benefits of these additional methods?

c. Should any of the currently enumerated methods to obtain verifiable parental consent be removed from the Rule? If so, please explain which one(s) and why.

d. Are there methods for delivering a signed consent form, other than postal mail or facsimile, that would meet the Rule’s standards for verifiable parental consent? Should these be specified in the Rule?

e. Are there current or emerging forms of payment, other than the use of a credit card in connection with a transaction, that would meet the Rule’s standards for verifiable parental consent? Should these be specified in the Rule?

f. The Rule permits use of a credit card in connection with a transaction to serve as a form of verifiable parental consent. Is there data available on the proliferation of credit cards, debit cards, or gift cards among children under 13 years of age? What challenges, if any, does children’s use of credit, debit, and/or gift cards pose for Rule compliance or enforcement?

g. Are there current or emerging forms of oral communication, other than the use of a toll-free telephone number staffed by trained personnel, that would meet the Rule’s standards for verifiable parental consent? Should these be specified in the Rule?

19. Section 312.5(b)(2) also sets forth a mechanism that operators can use to obtain verifiable parental consent for uses of information other than “disclosures” (the “email plus mechanism”). The email plus mechanism permits the use of an email coupled with additional steps to provide assurances that the person providing consent is the parent, including sending a confirmatory email to the parent following receipt of consent or obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call. In 2006, the Commission announced that it would retain the email plus mechanism indefinitely. See (http://www.ftc.gov/​os/​fedreg/​2006/​march/​060315childrens-online-privacy-rule.pdf).

a. Does the email plus mechanism remain a viable form of verifiable parental consent for operators’ internal uses of information?

b. Are there other current or emerging forms of communications, not enumerated in § 312.5(b)(2), that would meet the Rule’s standards for verifiable parental consent for operators’ internal uses of information? Are any changes or modifications to this Part warranted?

E. Exceptions to Verifiable Parental Consent

20. COPPA and § 312.5(c) of the Rule set forth five exceptions to the prior parental consent requirement. Are the exceptions in § 312.5(c) clear? If not, how can they be improved, consistent with the Act’s requirements?

21. Section 312.5(c)(3) of the Rule requires that operators who collect children’s online contact information for the sole purpose of communicating directly with a child after the child has specifically requested such communication must provide parents with notice and the opportunity to opt-out of the operator’s further use of the information (the “multiple contact” exception).

a. To what extent are operators using the multiple contact exception to communicate or engage with children on an ongoing basis? Are operators relying on the multiple contact exception to collect more than just online contact information from children?

b. Should the multiple contact exception be clarified or modified in any way, consistent with the Act’s requirements, to take into account any changes in the manner in which operators communicate or engage with children?

c. Under this Part, acceptable notice mechanisms include sending the opt-out notice by postal mail or to the parent’s email address. Should § 312.5(c)(3) be modified to remove postal mail as a means of delivering an opt-out notice to parents?

d. Should § 312.5(c)(3) be otherwise clarified or modified in any way to reflect current or emerging technological changes that have or may expand options for the online contacting of children or options for communications between operators and parents?

22. Section 312.5(c)(4) of the Rule requires an operator who collects a child’s name and online contact information to the extent reasonably necessary to protect the safety of a child participant in the website or online service to use reasonable efforts to provide a parent notice and the opportunity to opt-out of the operator’s use of such information. Such information must only be used to protect the child’s safety, cannot be used to re-contact the child or any other purpose, and may not be disclosed.

a. To what extent, and under what circumstances, do operators use § 312.5(c)(4) to protect children’s safety?

b. Are the requirements of § 312.5(c)(4) clear and appropriate? If not, how can they be improved, consistent with the Act’s requirements?

23. Section 312.5(c)(5) of the Rule permits operators to collect a child’s name and online contact information to protect the security or integrity of the site, take precautions against liability, respond to judicial process, or to provide information to law enforcement agencies or in connection with a public safety investigation.

a. To what extent, and under what circumstances, do operators use § 312.5(c)(5)?

b. Are the requirements of § 312.5(c)(5) clear and appropriate? If not, how can they be improved, consistent with the Act’s requirements? For example, should § 312.5(c)(5) of the Rule be clarified to allow operators to collect and maintain a child’s name and/or online contact information for the purpose of preventing future attempts at registration?

F. Right of a Parent to Review and/or Have Personal Information Deleted

24. Section 312.6(a) of the Rule requires operators to give parents, upon their request: (1) a description of the specific types of personal information collected from children; (2) the opportunity to refuse to permit the further use or collection of personal information from the child and to direct the deletion of the information; and (3) a means of reviewing any personal information collected from the child. In the case of a parent who wishes to review the personal information collected from the child, § 312.6(a)(3) of the Rule requires operators to provide a means of review that ensures that the requestor is a parent of that child (taking into account available technology) and is not unduly burdensome to the parent.

a. To what extent are parents exercising their rights under § 312.6(a)(1) to obtain from operators a description of the specific types of personal information collected from children?

b. To what extent are parents exercising their rights under § 312.6(a)(2) to refuse to permit the Start Printed Page 17092further use or collection of personal information from the child and to direct the deletion of the information?

c. To what extent are parents exercising their rights under § 312.(a)(3) to review any personal information collected from the child?

d. Do the costs and burdens to operators or parents differ depending on whether a parent seeks a description of the information collected, access to the child’s information, or to have the child’s information deleted?

e. Is it difficult for operators to ensure, taking into account available technology, that a requester seeking to review the personal information collected from a child is a parent of that child?

f. Should § 312.6(a)(3) enumerate the methods an operator may use to ensure that a requestor seeking to review the personal information collected from a child is a parent of that child? Should these methods be consistent with the verification methods enumerated currently or in the future in § 312.5(b)(2) of the Rule?

g. Are the requirements of § 312.6 clear and appropriate? If not, how can they be improved, consistent with the Act’s requirements?

G. Prohibition Against Conditioning a Child’s Participation on Collection of Personal Information

25. COPPA and § 312.7 of the Rule prohibit operators from conditioning a child’s participation in an activity on disclosing more personal information than is reasonably necessary to participate in such activity.

a. Do operators take this requirement into account when shaping their online offerings to children?

b. Has the prohibition been effective in protecting children’s online privacy and safety?

c. Is § 312.7 of the Rule clear and adequate? If not, how could it be improved, consistent with the Act’s requirements?

H. Confidentiality, Security and Integrity of Personal Information

26. Section 312.8 of the Rule requires operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from a child.

a. Have operators implemented sufficient safeguards to protect the confidentiality, security, and integrity of personal information collected from a child?

b. Is § 312.8 of the Rule clear and adequate? If not, how could it be improved, consistent with the Act’s requirements?

I. Safe Harbors

27. Section 312.10 of the Rule provides that an operator will be deemed in compliance with the Rule’s requirements if the operator complies with Commission-approved self-regulatory guidelines (the “safe harbor” process).

a. Has the safe harbor process been effective in enhancing compliance with the Rule?

b. Should the criteria for Commission approval of a safe harbor program be modified in any way to strengthen the standards currently enumerated in § 312.10(b)?

c. Should § 312.10 be modified to include a requirement that approved safe harbor programs undergo periodic reassessment by the Commission? If so, how often should such assessments be required?

d. Should § 312.10(b)(4) of the Rule, regarding the Commission’s discretion to initiate an investigation or bring an enforcement action against an operator participating in a safe harbor program, be clarified or modified in any way?

e. Should any other changes be made to the criteria for approval of self-regulatory guidelines, or to the safe harbor process, consistent with the Act’s requirements?

J. Statutory Requirements

28. Does the commenter propose any modifications to the Rule that may conflict with the statutory provisions of the COPPA Act? For any such proposed modification, does the commenter propose seeking legislative changes to the Act?

Section IV. Invitation to Comment

All persons are hereby given notice of the opportunity to submit written data, views, facts, and arguments pertinent to this rule review. Written comments must be received on or before June 30, 2010, and may be submitted electronically or in paper form. Comments should refer to “COPPA Rule Review, P104503” to facilitate the organization of comments. Please note that your comment - including your name and your state - will be placed on the public record of this proceeding, including on the publicly accessible FTC website, at (http://www.ftc.gov/​os/​publiccomments.shtm).

Because comments will be made public, they should not include any sensitive personal information, such as any individual’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. Comments also should not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, comments should not include any “[t]rade secret or any commercial or financial information which is obtained from any person and which is privileged or confidential. . . ,” as provided in Section 6(f) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c), 16 CFR 4.9(c).[4]

Because paper mail addressed to the FTC is subject to delay due to heightened security screening, please consider submitting your comments in electronic form. Comments filed in electronic form should be submitted by using the following weblink: (https://public.commentworks.com/​ftc/​2010copparulereview) (and following the instructions on the web-based form). To ensure that the Commission considers an electronic comment, you must file it at (https://public.commentworks.com/​ftc/​2010copparulereview). If this document appears at (http://www.regulations.gov/​search/​Regs/​home.html#home), you may also file an electronic comment through that website. The Commission will consider all comments that regulations.gov forwards to it. You may also visit the FTC website at (http://www.ftc.gov) to read the document and the news release describing it.

A comment filed in paper form should include the “COPPA Rule Review, P104503” reference both in the text and on the envelope, and should be mailed or delivered to the following address: Federal Trade Commission, Office of the Secretary, Room H-135 (Annex E), 600 Pennsylvania Avenue, NW, Washington, DC 20580. The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to Start Printed Page 17093delay due to heightened security precautions.

The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives, whether filed in paper or electronic form. Comments received will be available to the public on the FTC website, to the extent practicable, at (http://www.ftc.gov/​os/​publiccomments.shtm). As a matter of discretion, the Commission makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC website. More information, including routine uses permitted by the Privacy Act may be found in the FTC’s privacy policy, at (http://www.ftc.gov/​ftc/​privacy.shtm).

Section V. Communications by Outside Parties to Commissioners or Their Advisors

Written communications and summaries of transcripts of oral communications respecting the merits of this proceeding from any outside party to any Commissioner or Commissioner’s advisor will be placed on the public record.[5]

Start List of Subjects

List of Subjects in 16 CFR Part 312

End List of Subjects Start Authority

Authority: 15 U.S.C. §§ 6501-6508. By direction of the Commission.

End Authority Start Signature

Donald S. Clark,

Secretary.

End Signature End Supplemental Information

Footnotes

2.  See 16 CFR Part 312.10; 64 FR at 59906-59908, 59915.

Back to Citation

3.  See 71 FR 13247 (Mar. 15, 2006).

Back to Citation

4.  The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission’s General Counsel, consistent with applicable law and the public interest. See FTC Rule 4.9(c), 16 C.F.R. 4.9(c).

Back to Citation

[FR Doc. 2010-7549 Filed 4-2-10; 10:31 am]

BILLING CODE 6750-01-S