Proposed Rule

Request for Public Comment on the Federal Trade Commission's Implementation of the Children's Online Privacy Protection Rule


This document has been published in the Federal Register.

AGENCY:

Federal Trade Commission.

ACTION:

Regulatory review; request for public comment.

SUMMARY:

The Federal Trade Commission (“FTC” or “Commission”) requests public comment on its implementation of the Children's Online Privacy Protection Act (“COPPA” or “the Act”), through the Children's Online Privacy Protection Rule (“COPPA Rule” or “the Rule”).

DATES:

Written comments must be received on or before October 23, 2019. The Commission will hold a public workshop to review the COPPA Rule on October 7, 2019.

ADDRESSES:

Interested parties may file a comment online or on paper by following the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “COPPA Rule Review, 16 CFR part 312, Project No. P195404,” on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024.

The workshop will be held at the Constitution Center, 400 7th Street SW, Washington, DC. It is free and open to the public, and members of the public who wish to participate but cannot attend can view a live webcast at ftc.gov.

FOR FURTHER INFORMATION CONTACT:

Kristin Cohen (202-326-2276) or Peder Magee (202-326-3538), Division of Privacy and Identity Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Background

The Commission typically reviews its Rules every ten years to ensure that they have kept up with changes in the marketplace, technology, and business models. Although the Commission's last COPPA Rule review ended in 2013, the Commission is conducting its ten-year review early because of questions that have arisen about the Rule's application to the educational technology sector, to voice-enabled connected devices, and to general audience platforms that host third-party child-directed content. In addition to requesting comment on these issues, the Commission requests comment on the costs and benefits of the Rule, as well as on whether certain sections should be retained, eliminated, or modified. All interested persons are hereby given notice of the opportunity to submit written data, views, and arguments concerning the Rule.

The COPPA Rule, issued pursuant to COPPA, 15 U.S.C. 6501, et seq., became effective on April 21, 2000, and was revised on January 17, 2013. The Rule imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age (collectively, “operators”).[1] Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children and prohibits them from conditioning children's participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities. Further, the Rule contains a “safe harbor” provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule's protections.

II. Rule Review

COPPA and § 312.11 of the original Rule required the Commission to initiate a review no later than five years after the Rule's effective date to evaluate the Rule's implementation. The Commission commenced this mandatory review on April 21, 2005. After receiving and considering extensive public comment on the Rule, the Commission determined in March 2006 to retain the COPPA Rule without change.[2] In 2010, however, due to changes in the online environment for children, the Commission undertook an extensive Rule review, which culminated in the amendments to the Rule adopted on January 17, 2013.[3] The online environment for children continues to evolve at a rapid pace, including, for example, the significant increase in education technology in the classroom and social media and platforms with third-party content appealing to children. The Commission believes these changes warrant another reexamination of the Rule at this time.

In this document, the Commission poses its standard regulatory review questions to determine whether the Rule should be retained, eliminated, or modified. The Commission also asks whether the 2013 revisions to the Rule have resulted in stronger protections for children and more meaningful parental control over the collection of personal information from children, and whether the revisions have had any negative consequences. It further poses specific questions about the existing sections of the Rule, including:

  • Definitions,
  • Requirement that operators post notices of their privacy practices,
  • Methods of obtaining verifiable parental consent before collecting children's information,
  • Security requirements,
  • Parental right to review or delete children's information, and
  • Safe harbor provisions.

In addition to these questions, the Commission seeks comment on the application of the Rule to the educational technology sector, voice-enabled connected devices, and general audience platforms that host child-directed third-party content. Specifically, the Commission requests comment on whether exceptions to parental consent are warranted for: (1) The use of education technology where the school provides consent for the collection of personal information from the child (see Question 23); or (2) the collection of audio files as a replacement for text, where the audio files are promptly deleted (see Question 24), in line with the enforcement policy statement issued by the Commission.[4]

Additionally, the Commission seeks comment on whether there are circumstances in which general audience platforms with third-party, child-directed content should be able to rebut the presumption that all users interacting with that content are children (see Question 25). If allowed to rebut this presumption, operators of general audience platforms could, in certain circumstances, collect personal information from users on their sites that they determine are age 13 or older.

Finally, the Commission seeks comment on whether the COPPA Rule should be amended to better address websites and online services that may not meet the current definition of “website or online service directed to children,” but that have large numbers of child users (see Question 15). For example, should the definition of “website or online service directed to children” be amended, consistent with the statute, to cover these types of websites and, if so, what type of changes would be required? Are there other proposed amendments, consistent with the statute, for the Commission to consider to ensure children using these sites and services receive COPPA protections?

III. Questions Regarding the COPPA Rule

The Commission invites members of the public to comment on any issues or concerns they believe are relevant or appropriate to the Commission's review of the COPPA Rule, and to submit written data, views, facts, and arguments addressing the Rule. All comments should be filed as prescribed in the ADDRESSES section of this document, and must be received by October 23, 2019. If your comment proposes any modifications to the Rule, please also address whether your proposed modification may conflict with the statutory provisions of COPPA and, if so, whether you propose seeking legislative changes to the Act. The Commission is particularly interested in comments addressing the following questions:

A. General Questions for Comment

1. Is there a continuing need for the Rule as currently promulgated? Why or why not?

a. Since the Rule was issued, have changes in technology, industry, or economic conditions affected the need for or effectiveness of the Rule?

b. What are the aggregate costs and benefits of the Rule?

c. Does the Rule include any provisions not mandated by the Act that are unnecessary or whose costs outweigh their benefits? If so, which ones and why?

2. What effect, if any, has the Rule had on children, parents, or other consumers?

a. Has the Rule benefited children, parents, or other consumers? If so, how?

b. Has the Rule imposed any costs on children, parents, or other consumers? If so, what are these costs?

c. What changes, if any, should be made to the Rule to increase its benefits, consistent with the Act's requirements? What costs would these changes impose?

3. What impact, if any, has the Rule had on operators?

a. Has the Rule provided benefits to operators? If so, what are these benefits?

b. Has the Rule imposed costs on operators, including costs of compliance in time or monetary expenditures? If so, what are these costs?

c. What changes, if any, should be made to the Rule to reduce the costs imposed on operators, consistent with the Act's requirements? How would these changes affect the Rule's benefits?

4. How many small businesses are subject to the Rule? What costs (types and amounts) do small businesses incur in complying with the Rule? How has the Rule otherwise affected operators that are small businesses? Have the costs or benefits of the Rule changed over time with respect to small businesses? What about small businesses that control and process large sets of data? What regulatory alternatives, if any, would decrease the Rule's burden on small businesses, consistent with the Act's requirements?

5. Does the Rule overlap or conflict with any other federal, state, or local government laws or regulations? How should these overlaps or conflicts be resolved, consistent with the Act's requirements?

a. Are there any unnecessary regulatory burdens created by overlapping jurisdiction? If so, what can be done to ease the burdens, consistent with the Act's requirements?

b. Are there any gaps where no federal, state, or local government law or regulation has addressed a problematic practice relating to children's online privacy? Could or should any such gaps be remedied by a modification to the Rule?

6. Has the Rule affected practices relating to the collection and disclosure of information relating to children online? If so, how?

7. Has the Rule affected children's ability to access information of their choice online? If so, how?

8. Has the Rule affected the availability of websites or online services directed to children? If so, how?

a. Has the number or type of websites or online services directed to children changed since the Rule became effective? If so, how? Did the Rule cause these changes?

b. Approximately how many new websites and online services are created each year that are directed to children?

B. Definitions

9. Do the definitions set forth in § 312.2 of the Rule accomplish COPPA's goal of protecting children's online privacy and safety?

10. Are the definitions in § 312.2 clear and appropriate? If not, how can they be improved, consistent with the Act's requirements?

11. The 2013 COPPA Rule amendments made several modifications to the definitions under the Rule, including to the terms “Collects or collection,” “Online contact information,” “Operator,” “Personal information,” “Support for the internal operations of the website or online service,” and “website or online service directed to children.” Have these revised definitions resulted in stronger protections for children's online privacy and safety? Have they had any negative consequences that require revision?

12. The 2013 revised COPPA Rule amended the definition of “Personal information” to include, among other items, a “persistent identifier that can be used to recognize a user over time and across different websites or online services.” Has this revision resulted in stronger privacy protection for children? Has it had any negative consequences?

13. Should the Commission consider further revision to the definition of “Personal information”? Are there additional categories of information that should be expressly included in this definition, such as genetic data, fingerprints, retinal patterns, or other biometric data? What about personal information that is inferred about, but not directly collected from, children? What about other data that serve as proxies for personal information covered under this definition? Does this type of information permit the physical or online contacting of a specific individual?

14. Should the definition of “Support for the internal operations of the website or online service” be modified? Are there practices in addition to behavioral targeting and profiling that should be expressly excluded from the definition? Should additional activities be expressly permitted under the definition? For example, should the definition expressly include advertising attribution? Advertising attribution is the method used to determine whether a particular advertisement led the user to take a particular step, such as downloading an app.

15. Does § 312.2 correctly articulate the factors to consider in determining whether a website or online service is directed to children? Do any of the current factors need to be clarified? Are there additional factors that should be considered? For example, should the definition be amended, consistent with the statute, to better address websites and online services that do not include traditionally child-oriented activities, but that have large numbers of child users? If so, what types of changes to the definition should be considered? Are there other proposed amendments, consistent with the statute, for the Commission to consider to ensure children using these types of websites and online services receive COPPA protections?

16. Has the 2013 addition, found in part (3) of the definition of “website or online service directed to children,” which permits those sites that do not target children as their primary audience to age screen users, resulted in stronger protections for children's privacy? Should the Rule be more specific about the appropriate methods for determining the age of users?

17. What are the implications for COPPA enforcement raised by technologies such as interactive television, interactive gaming, chatbots, or other similar interactive media?

C. Notice

18. Section 312.4 of the Rule sets out the requirements for the content and delivery of operators' notices of their information practices with regard to children.

a. Are the requirements in this Section clear and appropriate? If not, how can they be improved? Should the Rule, for example, more clearly state that an operator's direct notice should include not just the types of personal information collected, but also how the operator intends to use the personal information that is collected? Should the Rule require the notice to include information about the categories of third parties, such as advertisers, that may make use of the information collected? The Rule's direct notice requirement found in § 312.4(c) presupposes that the operator has collected the parent's online contact information. Should the Rule more clearly state the content of direct notices where the operator does not collect a parent's online contact information?

b. Should the notice requirements be clarified or modified in any way to reflect changes in the types or uses of children's information collected by operators or changes in communications options available between operators and parents?

D. Parental Consent

19. Section 312.5 of the Rule requires operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children, including consent to any material change to practices to which the parent previously consented. This Section further requires operators to make reasonable efforts to obtain this consent, and the efforts must be reasonably calculated to ensure that the person providing consent is the child's parent, taking into consideration available technology.

a. Has the consent requirement been effective in protecting children's online privacy and safety?

b. What data exist on: (1) Operators' use of parental consent mechanisms; (2) parents' awareness of the Rule's parental consent requirements; or (3) parents' response to operators' parental consent requests?

20. Section 312.5(b)(2) of the Rule provides a non-exhaustive list of approved methods to obtain verifiable parental consent, including: Providing a consent form to be signed by the parent and returned to the operator; requiring a parent to use a credit card, debit card, or other online payment system in connection with a monetary transaction; having a parent call a toll-free number staffed by trained personnel; having a parent connect to trained personnel via video-conference; and verifying a parent's identity by checking a form of government-issued identification against databases of such information. In addition, pursuant to the process set forth in § 312.12(a), the Commission has approved the use of knowledge-based authentication [5] and facial recognition technology.[6] Section 312.5(b)(2) also sets forth a mechanism that operators can use to obtain verifiable parental consent for uses of information other than “disclosures” (the “email plus mechanism”). The email plus mechanism permits the use of an email coupled with additional steps to provide assurances that the person providing consent is the parent, including sending a confirmatory email to the parent following receipt of consent or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call.

a. To what extent are operators using each of the enumerated methods? Please provide as much specific data as possible, including the costs and benefits associated with each method described.

b. Are there additional methods to obtain verifiable parental consent, based on current or emerging technological changes, which should be added to § 312.5 of the Rule? What are the costs and benefits of these additional methods?

c. Should any of the currently enumerated methods to obtain verifiable parental consent be removed from the Rule? If so, please explain which one(s) and why.

d. Should the Commission consider any changes to the Rule to encourage the development of new methods of parental consent?

E. Exceptions to Verifiable Parental Consent

21. COPPA and § 312.5(c) of the Rule set forth eight exceptions to the prior parental consent requirement. Are the exceptions in § 312.5(c) clear and appropriate? If not, how can they be improved, consistent with the Act's requirements?

22. Should the Commission consider additional exceptions to parental consent, consistent with the Act's requirements?

23. In the Statement of Basis and Purpose to the 1999 COPPA Rule, the Commission noted that the Rule “does not preclude schools from acting as intermediaries between operators and schools in the notice and consent process, or from serving as the parents' agent in the process.” [7] Since that time, there has been a significant expansion of education technology used in classrooms. Should the Commission consider a specific exception to parental consent for the use of education technology used in the schools? Should this exception have similar requirements to the “school official exception” found in the Family Educational Rights and Privacy Act (“FERPA”),[8] and as described in Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices? [9] If the Commission were to amend the COPPA Rule to include such an exception:

a. Should the Rule specify who at the school can provide consent?

b. Should operators be able to use the personal information collected from children to improve the product? Should operators be able to use the personal information collected from children to improve other educational or non-educational products? Should de-identification of the personal information be required for such uses? Is de-identification of such personal information effective at preventing re-identification? What kinds of specific technical, administrative, operational or other procedural safeguards have proved effective at preventing re-identification of de-identified data? Are there instances in which de-identified information has been sold or hacked and then re-identified?

c. Should parents be able to request deletion of personal information collected by operators under such an exception?

d. Should an operator require the school to notify the parent of the operator's information practices and, if so, how should the school provide such notice?

e. Should such an exception result in a preemption of state laws? If so, would that result negatively affect children's privacy?

f. Should the scope of the school's authority to consent be limited to defined educational purposes? Should such purposes be defined, and if so, how? Should operators seeking consent in the school setting be prohibited from using information for particular purposes, such as marketing to students or parents?

24. In 2017, the Commission issued an enforcement policy statement addressing the use of audio files containing a child's voice.[10] The Commission explained that it would not take an enforcement action against an operator for not obtaining parental consent before collecting an audio file with a child's voice when the audio file is collected solely as a replacement for written words, such as to perform a search, so long as the audio file is held for a brief time and used only for that purpose. Should the Commission amend the Rule to specifically include such an exception? If the Commission were to include such an exception, should an operator be able to de-identify these audio files and use them to improve its products? If so, for how long should operators be permitted to retain such de-identified audio files? Is de-identification of audio files effective at preventing re-identification? Are there specific technical, administrative, operational or other procedural safeguards that have proved effective at preventing re-identification of de-identified data? Are there instances in which de-identified information has been sold or hacked and then re-identified?

25. In some circumstances, operators of general audience platforms do not have COPPA liability for their collection of personal information from users of child-directed content on their platform uploaded by third parties, absent the platforms' actual knowledge that the content is directed to children. Operators of such platforms therefore may have an incentive to avoid gaining actual knowledge of the presence of child-directed content on their platform. To encourage such platforms to take steps to identify and police child-directed content uploaded by others, should the Commission make modifications to the COPPA Rule? For example, should such platforms that identify and police child-directed content be able to rebut the presumption that all users of the child-directed third-party content are children thereby allowing the platform to treat under and over age 13 users differently? [11] Given that most users of a general audience platform are adults, there may be a greater likelihood that adults are viewing or interacting with child-directed content than on traditional child-directed sites. In considering this issue, the Commission specifically requests comment on the following:

a. Would allowing these types of general audience platforms to treat over and under age 13 users differently encourage them to take affirmative steps to identify child-directed content generated by third parties and treat it in accordance with COPPA?

b. Would allowing such a rebuttal of the presumption that all users are children in this context require a Rule change? If so, would such a Rule change be consistent with the Act?

c. If the Commission were to allow such a rebuttal of the presumption that all users of this content are children, what factors should it consider in determining whether the presumption has been rebutted? What methods could a general audience platform use to effectively rebut the presumption that all users of the third-party child-directed content are children?

d. Could a general audience platform hosting third-party, child-directed content effectively rebut this presumption by doing the following:

i. Taking measures reasonably calculated to identify child-directed content generated by third parties for commercial purposes;

ii. Permitting users that identify themselves through a neutral age gate to create an account on the platform;

iii. Taking measures reasonably calculated, in light of available technology, to ensure that if personal information is to be collected from a user accessing child-directed content, the user is the person who created an account and identified as being 13 or older, and not a child in the household, such as through periodic authentication; and

iv. Providing clear and conspicuous notice at the time the user is interacting with child-directed content of its information collection practices, and separately communicating those information practices through out-of-band notices, such as through online contact information provided as part of the account creation process?

The Commission seeks comment on whether these measures, or any others, could effectively rebut the presumption that all users of this child-directed content are children, and also on the ways in which an operator could implement these measures.

e. What, if any, risk is presented by permitting general audience sites to rebut the presumption that all users of child-directed content are children? Would it prove challenging to reliably distinguish between a parent and a child who accesses content while logged in to a parent's account? In considering whether to permit general audience sites to rebut the presumption, should the Commission consider costs and benefits unrelated to privacy, such as whether children may be exposed to age-inappropriate content if they are treated as an adult?

F. Right of a Parent To Review or Have Personal Information Deleted

26. Section 312.6(a) of the Rule requires operators to give parents, upon their request: (1) A description of the specific types of personal information collected from children; (2) the opportunity to refuse to permit the further use or collection of personal information from the child and to direct the deletion of the information; and (3) a means of reviewing any personal information collected from the child. In the case of a parent who wishes to review the personal information collected from the child, § 312.6(a)(3) of the Rule requires operators to provide a means of review that ensures that the requestor is a parent of that child (taking into account available technology) and is not unduly burdensome to the parent.

a. To what extent are parents exercising their rights under § 312.6(a)(1) to obtain from operators a description of the specific types of personal information collected from children?

b. To what extent are parents exercising their rights under § 312.6(a)(2) to refuse to permit the further use or collection of personal information from the child and to direct the deletion of the information?

c. To what extent are parents exercising their rights under § 312.6(a)(3) to review any personal information collected from the child?

d. Do the costs and burdens to operators or parents differ depending on whether a parent seeks a description of the information collected, access to the child's information, or to have the child's information deleted?

e. Is it difficult for operators to ensure, taking into account available technology, that a requester seeking to review the personal information collected from a child is a parent of that child?

f. Do operators use different processes or procedures to respond to parents who exercise rights under § 312.6(a)? Which processes or procedures are easiest for parents to use? Which are the most difficult? Do any mechanisms exist to facilitate the exercise of these rights with more than one operator at a time?

g. Where operators serve as service providers to schools, should parents be able to request the operators to delete personal information collected by them that are education records, such as grades or test scores?

h. Are the requirements of § 312.6 clear and appropriate? If not, how can they be improved, consistent with the Act's requirements?

G. Prohibition Against Conditioning a Child's Participation on Collection of Personal Information

27. COPPA and § 312.7 of the Rule prohibit operators from conditioning a child's participation in an activity on disclosing more personal information than is reasonably necessary to participate in such activity.

a. Do operators take this requirement into account when shaping their online offerings to children?

b. Has the prohibition been effective in protecting children's online privacy and safety?

c. Is § 312.7 of the Rule clear and appropriate? If not, how could it be improved, consistent with the Act's requirements?

H. Confidentiality, Security, and Integrity of Personal Information

28. Section 312.8 of the Rule requires operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from a child, and to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of the personal information, and who provide assurances that they will do so.

a. Have operators implemented sufficient safeguards to protect the confidentiality, security, and integrity of personal information collected from a child?

b. Is § 312.8 of the Rule clear and adequate? If not, how could it be improved, consistent with the Act's requirements? Should the Rule include more specific information security requirements, for example to require encryption of certain personal information?

I. Safe Harbors

29. Section 312.11(g) of the Rule provides that an operator will be deemed in compliance with the Rule's requirements if the operator complies with Commission-approved self-regulatory guidelines (the “safe harbor” process).

a. Has the safe harbor process been effective in enhancing compliance with the Rule?

b. Should the criteria for Commission approval of a safe harbor program currently enumerated in § 312.11(b) be modified in any way? To what extent should the Commission consider the financial structure and incentives of organizations operating safe harbors? Is there any evidence that the corporate structure of a safe harbor program impacts its effectiveness? Should the Commission consider applying any restrictions on the types of organizations that may operate safe harbors?

c. Should § 312.11(g) of the Rule, regarding the Commission's discretion to initiate an investigation or bring an enforcement action against an operator participating in a safe harbor program, be clarified or modified in any way?

d. Should any other changes be made to the criteria for approval of self-regulatory guidelines, consistent with the Act's requirements?

e. Should the Commission consider any changes to the safe harbor monitoring process, including any changes to promote greater transparency?

f. Should the Rule include factors for the Commission to consider in revoking approval for a safe harbor program?

IV. Request for Comment

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before October 23, 2019. Write “COPPA Rule Review, 16 CFR part 312, Project No. P195404,” on the comment. Your comment, including your name and your state, will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comment online. To make sure that the Commission considers your online comment, you must file it at https://www.regulations.gov by following the instructions on the web-based form.

If you file your comment on paper, write “COPPA Rule Review, 16 CFR part 312, Project No. P195404,” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024. If possible, please submit your paper comment to the Commission by courier or overnight service.

Because your comments will be placed on the publicly accessible website, https://www.regulations.gov, you are solely responsible for making sure that your comment does not include any sensitive personal information, such as your or anyone else's Social Security number, date of birth, driver's license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “[t]rade secret or any commercial or financial information which . . . is privileged or confidential”—as provided in Section 6(f) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comments to be withheld from the public record. Your comment will be kept confidential only if the FTC General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted publicly at www.regulations.gov—as legally required by FTC Rule 4.9(c)—we cannot redact or remove your comment from the FTC website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants the request.

Visit the FTC website to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before October 23, 2019. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.


By direction of the Commission.

April J. Tabor,

Acting Secretary.


Footnotes

2.  See 71 FR 13247 (Mar. 15, 2006).


3.  See 78 FR 3972 (Jan. 17, 2013).


4.  See Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings, 82 FR 58076 (Dec. 8, 2017).


7.  65 FR 59888, 59903 (Nov. 3, 1999).


8.  Such requirements would, for example: Prohibit operators from using personal information without the school official's consent; limit operators' use of information to the specified educational purpose and no other commercial purpose; ensure that the school maintains control of the information, including the right to review, correct, and delete the information; and prohibit operators from disclosing the information to third parties.


9.  See U.S. Department of Education, Privacy Technical Assistance Center, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, https://tech.ed.gov/wp-content/uploads/2014/09/Student-Privacy-and-Online-Educational-Services-February-2014.pdf (2014).


10.  See Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings, 82 FR 58076 (Dec. 8, 2017).


11.  See 78 FR 3972, 3984 (Jan. 17, 2013) (“The Commission retains its longstanding position that child-directed sites or services whose primary target audience is children must continue to presume all users are children and to provide COPPA protections accordingly.”).


[FR Doc. 2019-15754 Filed 7-24-19; 8:45 am]

BILLING CODE 6750-01-P