[Federal Register Volume 75, Number 64 (Monday, April 5, 2010)]
[Proposed Rules]
[Pages 17089-17093]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-7549]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 312
Request for Public Comment on the Federal Trade Commission's
Implementation of the Children's Online Privacy Protection Rule
AGENCY: Federal Trade Commission.
ACTION: Request for public comment.
-----------------------------------------------------------------------
SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'')
requests public comment on its implementation of the Children's Online
Privacy Protection Act (``COPPA'' or ``the Act''), through the
Children's Online Privacy Protection Rule (``COPPA Rule'' or ``the
Rule''),. The Commission requests comment on the costs and benefits of
the Rule, as well as on whether it, or certain sections, should be
retained, eliminated, or modified. All interested persons are hereby
given notice of the opportunity to submit written data, views, and
arguments concerning the Rule.
DATES: Written comments must be received by June 30, 2010.
ADDRESSES: Interested parties are invited to submit written comments
electronically or in paper form, by following the instructions in the
Invitation To Comment part of the ``SUPPLEMENTARY INFORMATION'' section
below. Comments in electronic form should be submitted by using the
following weblink: (https://public.commentworks.com/ftc/2010copparulereview) (and following the instructions on the web-based
form). Comments in paper form should be mailed or delivered to the
following address: Federal Trade Commission, Office of the Secretary,
Room H-135 (Annex E), 600 Pennsylvania Avenue, NW, Washington, DC
20580, (202) 326-2252.
FOR FURTHER INFORMATION CONTACT: Phyllis Marcus, (202) 326-2854, or
Mamie Kresses, (202) 326-2070, Attorneys, Federal Trade Commission,
Division of Advertising Practices, Federal Trade Commission,
Washington, D.C. 20580.
SUPPLEMENTARY INFORMATION:
Section I. Background
The COPPA Rule, issued pursuant to the Children's Online Privacy
Protection Act, 15 U.S.C. Sec. 6501, et seq., became effective on
April 21, 2000. The Rule imposes certain requirements on operators of
websites or online services directed to children under 13 years of age,
and on operators of other websites or online services that have actual
knowledge that they are collecting personal information online from a
child under 13 years of age (collectively, ``operators'').\1\ Among
other things, the Rule requires that operators provide notice to
parents and obtain verifiable parental consent prior to collecting,
using, or disclosing personal information from children under 13 years
of age. The Rule also requires operators to keep secure the information
they collect from children and prohibits them from conditioning
children's participation in activities on the collection of more
personal information than is reasonably necessary to participate in
such activities. Further, the Rule contains a ``safe harbor'' provision
enabling industry groups or others to submit to the Commission for
approval self-regulatory guidelines that would implement the Rule's
protections.\2\
---------------------------------------------------------------------------
\1\ 16 CFR Part 312.
\2\ See 16 CFR Part 312.10; 64 FR at 59906-59908, 59915.
---------------------------------------------------------------------------
Section II. Rule Review
COPPA and Sec. 312.11 of the Rule required the Commission to
initiate a review no later than five years after the Rule's effective
date to evaluate the Rule's implementation. The Commission commenced
this mandatory review on April 21, 2005. After receiving and
considering extensive public comment on the Rule, the Commission
determined in March 2006 to retain the COPPA Rule without change.\3\
However, the Commission believes that changes to the online environment
over the past five years, including but not limited to children's
increasing use of mobile technology to access the Internet, warrant
reexamining the Rule at this time.
---------------------------------------------------------------------------
\3\ See 71 FR 13247 (Mar. 15, 2006).
---------------------------------------------------------------------------
In this notice, the Commission poses its standard regulatory review
questions to determine whether the Rule should be retained, eliminated,
or modified. In addition, the Commission identifies several areas where
public comment would be especially useful. First, the Commission asks
whether the Rule's current definitions are sufficiently clear and
comprehensive, or whether they might warrant modification or expansion,
consistent with the COPPA statute. Among other questions, the
Commission asks for comment on the application of the definition of
``Internet'' to mobile communications, interactive television,
interactive gaming, and similar activities. Further, the Commission
asks whether the Rule's definition of ``personal information'' should
be expanded to include other items of information that can be collected
from children online and are not currently specified in the Rule, such
as persistent IP addresses, mobile geolocation information, or
information collected in connection with online behavioral advertising.
The Commission also seeks comment on the use of automated systems
for reviewing children's web submissions (e.g., those that filter out
any personally identifiable information prior to posting). In addition,
the Commission asks whether change is warranted as to the Rule
provisions on protecting the confidentiality and security of personal
information, the right of parents to review or delete personal
information, and the prohibition against conditioning a child's
participation on the collection of personal information. Finally, the
Commission seeks comment about its role in administering the Rule's
safe harbor provisions.
Section III. Questions Regarding the COPPA Rule
The Commission invites members of the public to comment on any
issues or concerns they believe are relevant or appropriate to the
Commission's review of the COPPA Rule, and to submit written data,
views, facts, and arguments addressing the Rule. All comments should be
filed as prescribed in the Invitation To Comment part of the
``SUPPLEMENTARY INFORMATION'' section below, and must be received by
June 30, 2010. The Commission is particularly interested in comments
addressing the following questions:
A. General Questions for Comment
1. Is there a continuing need for the Rule as currently
promulgated? Why or why not?
a. Since the Rule was issued, have changes in technology, industry,
or economic conditions affected the need for or effectiveness of the
Rule?
b. What are the aggregate costs and benefits of the Rule?
c. Does the Rule include any provisions not mandated by the Act
that are unnecessary or whose costs outweigh their benefits? If so,
which ones and why?
[[Page 17090]]
2. What effect, if any, has the Rule had on children, parents, or
other consumers?
a. Has the Rule benefitted children, parents, or other consumers?
If so, how?
b. Has the Rule imposed any costs on children, parents, or other
consumers? If so, what are these costs?
c. What changes, if any, should be made to the Rule to increase its
benefits, consistent with the Act's requirements? What costs would
these changes impose?
3. What impact, if any, has the Rule had on operators?
a. Has the Rule provided benefits to operators? If so, what are
these benefits?
b. Has the Rule imposed costs on operators, including costs of
compliance in time or monetary expenditures? If so, what are these
costs?
c. What changes, if any, should be made to the Rule to reduce the
costs imposed on operators, consistent with the Act's requirements? How
would these changes affect the Rule's benefits?
4. How many small businesses are subject to the Rule? What costs
(types and amounts) do small businesses incur in complying with the
Rule? How has the Rule otherwise affected operators that are small
businesses? Have the costs or benefits of the Rule changed over time
with respect to small businesses? What regulatory alternatives, if any,
would decrease the Rule's burden on small businesses, consistent with
the Act's requirements?
5. Does the Rule overlap or conflict with any other federal, state,
or local government laws or regulations? How should these overlaps or
conflicts be resolved, consistent with the Act's requirements?
a. Are there any unnecessary regulatory burdens created by
overlapping jurisdiction? If so, what can be done to ease the burdens,
consistent with the Act's requirements?
b. Are there any gaps where no federal, state, or local government
law or regulation has addressed a problematic practice relating to
children's online privacy? Could or should any such gaps be remedied by
a modification to the Rule?
B. Definitions
6. Do the definitions set forth in Sec. 312.2 of the Rule
accomplish COPPA's goal of protecting children's online privacy and
safety?
7. Are the definitions in Sec. 312.2 clear and appropriate? If
not, how can they be improved, consistent with the Act's requirements?
8. Should the definitions of ``collects or collection'' and/or
``disclosure'' be modified in any way to take into account online
technologies and/or Internet activities and features that have emerged
since the Rule was enacted or that may emerge in the future? For
instance, how will the use of centralized authentication methods (e.g.,
OpenId) affect individual websites' COPPA compliance efforts?
9. The Rule considers personal information to have been
``collected'' where an operator enables children to make personal
information publicly available through a chat room, message board, or
other means, except where the operator ``deletes'' all individually
identifiable information from postings by children before they are made
public and deletes such information from the operator's records.
a. Are there circumstances in which an operator using an automated
system of review and/or posting meets the deletion exception to the
definition of collection?
b. Does the Rule's current definition of ``delete'' provide
sufficient guidance to operators about how to handle the removal of
personal information?
10. Should the definition of ``collection'' be modified or
clarified to include other means of collection of personal information
from children that are not specifically enumerated in the Rule's
current definition?
11. What are the implications for COPPA enforcement raised by
technologies such as mobile communications, interactive television,
interactive gaming, or other similar interactive media, consistent with
the Act's definition of ``Internet''?
12. The Rule defines ``personal information'' as individually
identifiable information about an individual collected online, and
enumerates such items of information. Do the items currently enumerated
as ``personal information'' need to be clarified or modified in any
way, consistent with the Act?
13. Section 1302(8)(F) of the Act provides the Commission with
discretion to include in the definition of ``personal information'' any
identifier that it determines would permit the physical or online
contacting of a specific individual.
a. Do operators, including network advertising companies, have the
ability to contact a specific individual, either physically or online,
using one or more pieces of information collected from children online,
such as user or screen names and/or passwords, zip code, date of birth,
gender, persistent IP addresses, mobile geolocation information,
information collected in connection with online behavioral advertising,
or other emerging categories of information? Are operators using such
information to contact specific individuals?
b. Should the definition of ``personal information'' in the Rule be
expanded to include any such information?
14. Are providers of downloadable software collecting information
from children that permits the physical or online contacting of a
specific individual?
15. Should the Rule define ``the physical or online contacting of a
specific individual,'' ``website,'' ``online service,'' or any other
term not currently defined? If so, how should such terms be defined,
consistent with the Act's requirements?
C. Notice
16. Section 312.4 of the Rule sets out the requirements for the
content and delivery of operators' notices of their information
practices with regard to children.
a. Are the requirements in this Part clear and appropriate? If not,
how can they be improved?
b. Should the notice requirements be clarified or modified in any
way to reflect changes in the types or uses of children's information
collected by operators or changes in communications options available
between operators and parents?
D. Parental Consent
17. Section 312.5 of the Rule requires operators to obtain
verifiable parental consent before collecting, using, and/or disclosing
personal information from children, including consent to any material
change to practices to which the parent previously consented. This Part
further requires operators to make reasonable efforts to obtain this
consent, which efforts are reasonably calculated to ensure that the
person providing consent is the child's parent, taking into
consideration available technology.
a. Has the consent requirement been effective in protecting
children's online privacy and safety?
b. What data exists on: (1) operators' use of parental consent
mechanisms; (2) parents' awareness of the Rule's parental consent
requirements; or (3) parents' response to operators' parental consent
requests?
18. Section 312.5(b)(2) of the Rule provides a non-exhaustive list
of approved methods to obtain verifiable parental consent, including:
providing a consent form to be signed by the parent and returned to the
operator; requiring a parent to use a credit card in connection with a
transaction; having a parent call a toll-free number staffed by trained
personnel; using a digital
[[Page 17091]]
certificate that uses public key technology; and using email
accompanied by a PIN/password obtained through one of the other
enumerated verification methods.
a. To what extent are operators using each of the enumerated
methods? Please provide as much specific data as possible, including
the costs and benefits associated with each method described.
b. Are there additional methods to obtain verifiable parental
consent, based on current or emerging technological changes, that
should be added to Sec. 312.5 of the Rule? What are the costs and
benefits of these additional methods?
c. Should any of the currently enumerated methods to obtain
verifiable parental consent be removed from the Rule? If so, please
explain which one(s) and why.
d. Are there methods for delivering a signed consent form, other
than postal mail or facsimile, that would meet the Rule's standards for
verifiable parental consent? Should these be specified in the Rule?
e. Are there current or emerging forms of payment, other than the
use of a credit card in connection with a transaction, that would meet
the Rule's standards for verifiable parental consent? Should these be
specified in the Rule?
f. The Rule permits use of a credit card in connection with a
transaction to serve as a form of verifiable parental consent. Is there
data available on the proliferation of credit cards, debit cards, or
gift cards among children under 13 years of age? What challenges, if
any, does children's use of credit, debit, and/or gift cards pose for
Rule compliance or enforcement?
g. Are there current or emerging forms of oral communication, other
than the use of a toll-free telephone number staffed by trained
personnel, that would meet the Rule's standards for verifiable parental
consent? Should these be specified in the Rule?
19. Section 312.5(b)(2) also sets forth a mechanism that operators
can use to obtain verifiable parental consent for uses of information
other than ``disclosures'' (the ``email plus mechanism''). The email
plus mechanism permits the use of an email coupled with additional
steps to provide assurances that the person providing consent is the
parent, including sending a confirmatory email to the parent following
receipt of consent or obtaining a postal address or telephone number
from the parent and confirming the parent's consent by letter or
telephone call. In 2006, the Commission announced that it would retain
the email plus mechanism indefinitely. See (http://www.ftc.gov/os/fedreg/2006/march/060315childrens-online-privacy-rule.pdf).
a. Does the email plus mechanism remain a viable form of verifiable
parental consent for operators' internal uses of information?
b. Are there other current or emerging forms of communications, not
enumerated in Sec. 312.5(b)(2), that would meet the Rule's standards
for verifiable parental consent for operators' internal uses of
information? Are any changes or modifications to this Part warranted?
E. Exceptions to Verifiable Parental Consent
20. COPPA and Sec. 312.5(c) of the Rule set forth five exceptions
to the prior parental consent requirement. Are the exceptions in Sec.
312.5(c) clear? If not, how can they be improved, consistent with the
Act's requirements?
21. Section 312.5(c)(3) of the Rule requires that operators who
collect children's online contact information for the sole purpose of
communicating directly with a child after the child has specifically
requested such communication must provide parents with notice and the
opportunity to opt-out of the operator's further use of the information
(the ``multiple contact'' exception).
a. To what extent are operators using the multiple contact
exception to communicate or engage with children on an ongoing basis?
Are operators relying on the multiple contact exception to collect more
than just online contact information from children?
b. Should the multiple contact exception be clarified or modified
in any way, consistent with the Act's requirements, to take into
account any changes in the manner in which operators communicate or
engage with children?
c. Under this Part, acceptable notice mechanisms include sending
the opt-out notice by postal mail or to the parent's email address.
Should Sec. 312.5(c)(3) be modified to remove postal mail as a means
of delivering an opt-out notice to parents?
d. Should Sec. 312.5(c)(3) be otherwise clarified or modified in
any way to reflect current or emerging technological changes that have
or may expand options for the online contacting of children or options
for communications between operators and parents?
22. Section 312.5(c)(4) of the Rule requires an operator who
collects a child's name and online contact information to the extent
reasonably necessary to protect the safety of a child participant in
the website or online service to use reasonable efforts to provide a
parent notice and the opportunity to opt-out of the operator's use of
such information. Such information must only be used to protect the
child's safety, cannot be used to re-contact the child or any other
purpose, and may not be disclosed.
a. To what extent, and under what circumstances, do operators use
Sec. 312.5(c)(4) to protect children's safety?
b. Are the requirements of Sec. 312.5(c)(4) clear and appropriate?
If not, how can they be improved, consistent with the Act's
requirements?
23. Section 312.5(c)(5) of the Rule permits operators to collect a
child's name and online contact information to protect the security or
integrity of the site, take precautions against liability, respond to
judicial process, or to provide information to law enforcement agencies
or in connection with a public safety investigation.
a. To what extent, and under what circumstances, do operators use
Sec. 312.5(c)(5)?
b. Are the requirements of Sec. 312.5(c)(5) clear and appropriate?
If not, how can they be improved, consistent with the Act's
requirements? For example, should Sec. 312.5(c)(5) of the Rule be
clarified to allow operators to collect and maintain a child's name
and/or online contact information for the purpose of preventing future
attempts at registration?
F. Right of a Parent to Review and/or Have Personal Information Deleted
24. Section 312.6(a) of the Rule requires operators to give
parents, upon their request: (1) a description of the specific types of
personal information collected from children; (2) the opportunity to
refuse to permit the further use or collection of personal information
from the child and to direct the deletion of the information; and (3) a
means of reviewing any personal information collected from the child.
In the case of a parent who wishes to review the personal information
collected from the child, Sec. 312.6(a)(3) of the Rule requires
operators to provide a means of review that ensures that the requestor
is a parent of that child (taking into account available technology)
and is not unduly burdensome to the parent.
a. To what extent are parents exercising their rights under Sec.
312.6(a)(1) to obtain from operators a description of the specific
types of personal information collected from children?
b. To what extent are parents exercising their rights under Sec.
312.6(a)(2) to refuse to permit the
[[Page 17092]]
further use or collection of personal information from the child and to
direct the deletion of the information?
c. To what extent are parents exercising their rights under Sec.
312.(a)(3) to review any personal information collected from the child?
d. Do the costs and burdens to operators or parents differ
depending on whether a parent seeks a description of the information
collected, access to the child's information, or to have the child's
information deleted?
e. Is it difficult for operators to ensure, taking into account
available technology, that a requester seeking to review the personal
information collected from a child is a parent of that child?
f. Should Sec. 312.6(a)(3) enumerate the methods an operator may
use to ensure that a requestor seeking to review the personal
information collected from a child is a parent of that child? Should
these methods be consistent with the verification methods enumerated
currently or in the future in Sec. 312.5(b)(2) of the Rule?
g. Are the requirements of Sec. 312.6 clear and appropriate? If
not, how can they be improved, consistent with the Act's requirements?
G. Prohibition Against Conditioning a Child's Participation on
Collection of Personal Information
25. COPPA and Sec. 312.7 of the Rule prohibit operators from
conditioning a child's participation in an activity on disclosing more
personal information than is reasonably necessary to participate in
such activity.
a. Do operators take this requirement into account when shaping
their online offerings to children?
b. Has the prohibition been effective in protecting children's
online privacy and safety?
c. Is Sec. 312.7 of the Rule clear and adequate? If not, how could
it be improved, consistent with the Act's requirements?
H. Confidentiality, Security and Integrity of Personal Information
26. Section 312.8 of the Rule requires operators to establish and
maintain reasonable procedures to protect the confidentiality,
security, and integrity of personal information collected from a child.
a. Have operators implemented sufficient safeguards to protect the
confidentiality, security, and integrity of personal information
collected from a child?
b. Is Sec. 312.8 of the Rule clear and adequate? If not, how could
it be improved, consistent with the Act's requirements?
I. Safe Harbors
27. Section 312.10 of the Rule provides that an operator will be
deemed in compliance with the Rule's requirements if the operator
complies with Commission-approved self-regulatory guidelines (the
``safe harbor'' process).
a. Has the safe harbor process been effective in enhancing
compliance with the Rule?
b. Should the criteria for Commission approval of a safe harbor
program be modified in any way to strengthen the standards currently
enumerated in Sec. 312.10(b)?
c. Should Sec. 312.10 be modified to include a requirement that
approved safe harbor programs undergo periodic reassessment by the
Commission? If so, how often should such assessments be required?
d. Should Sec. 312.10(b)(4) of the Rule, regarding the
Commission's discretion to initiate an investigation or bring an
enforcement action against an operator participating in a safe harbor
program, be clarified or modified in any way?
e. Should any other changes be made to the criteria for approval of
self-regulatory guidelines, or to the safe harbor process, consistent
with the Act's requirements?
J. Statutory Requirements
28. Does the commenter propose any modifications to the Rule that
may conflict with the statutory provisions of the COPPA Act? For any
such proposed modification, does the commenter propose seeking
legislative changes to the Act?
Section IV. Invitation to Comment
All persons are hereby given notice of the opportunity to submit
written data, views, facts, and arguments pertinent to this rule
review. Written comments must be received on or before June 30, 2010,
and may be submitted electronically or in paper form. Comments should
refer to ``COPPA Rule Review, P104503'' to facilitate the organization
of comments. Please note that your comment - including your name and
your state - will be placed on the public record of this proceeding,
including on the publicly accessible FTC website, at (http://www.ftc.gov/os/publiccomments.shtm).
Because comments will be made public, they should not include any
sensitive personal information, such as any individual's Social
Security number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. Comments also
should not include any sensitive health information, such as medical
records or other individually identifiable health information. In
addition, comments should not include any ``[t]rade secret or any
commercial or financial information which is obtained from any person
and which is privileged or confidential. . . ,'' as provided in Section
6(f) of the Federal Trade Commission Act (``FTC Act''), 15 U.S.C.
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). Comments containing
material for which confidential treatment is requested must be filed in
paper form, must be clearly labeled ``Confidential,'' and must comply
with FTC Rule 4.9(c), 16 CFR 4.9(c).\4\
---------------------------------------------------------------------------
\4\ The comment must be accompanied by an explicit request for
confidential treatment, including the factual and legal basis for
the request, and must identify the specific portions of the comment
to be withheld from the public record. The request will be granted
or denied by the Commission's General Counsel, consistent with
applicable law and the public interest. See FTC Rule 4.9(c), 16
C.F.R. 4.9(c).
---------------------------------------------------------------------------
Because paper mail addressed to the FTC is subject to delay due to
heightened security screening, please consider submitting your comments
in electronic form. Comments filed in electronic form should be
submitted by using the following weblink: (https://public.commentworks.com/ftc/2010copparulereview) (and following the
instructions on the web-based form). To ensure that the Commission
considers an electronic comment, you must file it at (https://public.commentworks.com/ftc/2010copparulereview). If this document
appears at (http://www.regulations.gov/search/Regs/home.html#home), you
may also file an electronic comment through that website. The
Commission will consider all comments that regulations.gov forwards to
it. You may also visit the FTC website at (http://www.ftc.gov) to read
the document and the news release describing it.
A comment filed in paper form should include the ``COPPA Rule
Review, P104503'' reference both in the text and on the envelope, and
should be mailed or delivered to the following address: Federal Trade
Commission, Office of the Secretary, Room H-135 (Annex E), 600
Pennsylvania Avenue, NW, Washington, DC 20580. The FTC is requesting
that any comment filed in paper form be sent by courier or overnight
service, if possible, because U.S. postal mail in the Washington area
and at the Commission is subject to
[[Page 17093]]
delay due to heightened security precautions.
The FTC Act and other laws the Commission administers permit the
collection of public comments to consider and use in this proceeding as
appropriate. The Commission will consider all timely and responsive
public comments that it receives, whether filed in paper or electronic
form. Comments received will be available to the public on the FTC
website, to the extent practicable, at (http://www.ftc.gov/os/publiccomments.shtm). As a matter of discretion, the Commission makes
every effort to remove home contact information for individuals from
the public comments it receives before placing those comments on the
FTC website. More information, including routine uses permitted by the
Privacy Act may be found in the FTC's privacy policy, at (http://www.ftc.gov/ftc/privacy.shtm).
Section V. Communications by Outside Parties to Commissioners or Their
Advisors
Written communications and summaries of transcripts of oral
communications respecting the merits of this proceeding from any
outside party to any Commissioner or Commissioner's advisor will be
placed on the public record.\5\
---------------------------------------------------------------------------
\5\ See 16 CFR Part 1.26(b)(5).
---------------------------------------------------------------------------
List of Subjects in 16 CFR Part 312
Children, Communications, Consumer protection, Electronic mail, E-
mail, Internet, Online service, Privacy, Record retention, Safety,
Science and technology, Trade practices, Website, Youth.
Authority: 15 U.S.C. Sec. Sec. 6501-6508.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2010-7549 Filed 4-2-10; 10:31 am]
BILLING CODE 6750-01-S