Children's Online Privacy Protection Rule, 13247-13258 [06-2356]

Download as PDF Federal Register / Vol. 71, No. 50 / Wednesday, March 15, 2006 / Rules and Regulations Radiated Fields (HIRF). Each system that performs critical functions must be designed and installed to ensure that the operations, and operational capabilities of these systems to perform critical functions, are not adversely affected when the airplane is exposed to high intensity radiated electromagnetic fields external to the airplane. 2. For the purpose of these special conditions, the following definition applies: Critical Functions: Functions whose failure would contribute to, or cause, a failure condition that would prevent the continued safe flight and landing of the airplane. longitude coordinate for the SWAPP fix was incorrectly published as 86°10′56″ W., which represents a one degree error. The correct longitude coordinate is 85°10′56″ W. This action corrects the error. The rule listed the correct coordinates for the SWAPP fix in the descriptions of routes Q–32 and Q–34. Correction to Final Rule Accordingly, pursuant to the authority delegated to me, the legal description for route Q–36 as published in the Federal Register on February 13, 2006 (71 FR 7409), Airspace Docket No. 05–ASO–7, FAA Docket No. FAA– 2005–22398, and incorporated by reference in 14 CFR 71.1, is corrected as follows: Issued in Kansas City, Missouri on March 6, 2006. David R. Showers, Acting Manager, Small Airplane Directorate, Aircraft Certification Service. [FR Doc. 06–2491 Filed 3–14–06; 8:45 am] § 71.1 BILLING CODE 4910–13–P I DEPARTMENT OF TRANSPORTATION Paragraph 2006—Area Navigation Routes Federal Aviation Administration Q–36 RZC to SWAPP [Corrected] RZC ..... VORT(lat. 36°14′47″ N., AC. 94°07′17″ W.) TWITS WP ...... (lat. 36°08′32″ N., 90°54′48″ W.) DEPEC WP ...... (lat. 36°06′00″ N., 87°31′00″ W.) BNA .... VORT(lat. 36°08′13″ N., AC. 86°41′05″ W.) SWAPP Fix ...... (lat. 36°36′50″ N., 85°10′56″ W.) [Docket No. FAA–2005–22398; Airspace Docket No. 05–ASO–7] RIN 2120–AA66 Establishment of High Altitude Area Navigation Routes; South Central United States cchase on PROD1PC60 with RULES SUMMARY: This action corrects an error in the geographic coordinate for one navigation fix listed in a final rule published in the Federal Register on February 13, 2006 (71 FR 7409), Airspace Docket No. 05–ASO–7, FAA Docket No. FAA–2005–22398. DATES: Effective: April 13, 2006. FOR FURTHER INFORMATION CONTACT: Paul Gallant, Airspace and Rules, Office of System Operations Airspace and AIM, Federal Aviation Administration, 800 Independence Avenue, SW., Washington, DC 20591; telephone: (202) 267–8783. SUPPLEMENTARY INFORMATION: History On February 13, 2006, a final rule for Airspace Docket No. 05–ASO–7, FAA Docket No. FAA–2005–22398 was published in the Federal Register (71 FR 7409). This rule established 16 high altitude area navigation routes in the South Central United States. In the description for route Q–36, the Jkt 208001 * * Federal Aviation Administration (FAA), DOT. ACTION: Final rule; correction. AGENCY: 20:10 Mar 14, 2006 [Amended] On page 7411, correct the description for route Q–36, to read as follows: 14 CFR Part 71 VerDate Aug<31>2005 PART 71—[AMENDED] * * * * * * * long. long. long. long. long. * Issued in Washington, DC, on March 8, 2006. Edith V. Parish, Manager, Airspace and Rules. [FR Doc. 06–2503 Filed 3–14–06; 8:45 am] BILLING CODE 4910–13–P FEDERAL TRADE COMMISSION 16 CFR Part 312 Children’s Online Privacy Protection Rule Federal Trade Commission. Retention of rule without modification. AGENCY: ACTION: SUMMARY: The Federal Trade Commission (‘‘the Commission’’) has completed its regulatory review of the Children’s Online Privacy Protection Rule (‘‘the COPPA Rule’’ or ‘‘the Rule’’), which implements the Children’s Online Privacy Protection Act of 1998. The Rule regulates how Web site operators and others may collect, use, and distribute personal information from children online. The Commission PO 00000 Frm 00003 Fmt 4700 Sfmt 4700 13247 requested comment on the costs and benefits of the Rule and whether it should be retained without change, modified, or eliminated. The Commission also requested comment on the Rule’s effect on: information practices relating to children; children’s ability to obtain online access to information of their choice; and the availability of Web sites directed to children. Pursuant to this review, the Commission concludes that the Rule continues to be valuable to children, their parents, and Web site operators, and has determined to retain the Rule in its current form. This document discusses the comments received in response to the Commission’s request for public comment and announces the Commission’s decision to retain the Rule without modification. DATES: Effective Date: March 15, 2006. FOR FURTHER INFORMATION CONTACT: Karen Muoio, (202) 326–2491, Federal Trade Commission, 600 Pennsylvania Avenue NW., Mail Drop NJ–3212, Washington, DC 20580. SUPPLEMENTARY INFORMATION: I. Introduction Pursuant to Congressional direction and the Commission’s systematic program of reviewing its rules and guides, in April 2005 the Commission issued a Federal Register Proposed Rule seeking public comment on the overall costs and benefits of the COPPA Rule and other issues related to the Rule (‘‘April 2005 NPR’’).1 In response, the Commission received 25 comments from various parties, including: trade associations, Web site operators, privacy and educational organizations, COPPA safe harbor programs, and consumers.2 As part of its review, the Commission also considered the 91 comments received in response to its January 14, 2005 Notice of Proposed Rulemaking (‘‘January 2005 NPR’’) on the Rule’s sliding scale approach to obtaining verifiable parental consent.3 1 70 FR 21107 (Apr. 22, 2005). The NPR also may be found online at https://www.ftc.gov/opa/2005/04/ coppacomments.htm. 2 The comments responsive to the April 2005 NPR have been filed on the Commission’s public record as Document Nos. 516296–00001, et seq., and may be found online at https://www.ftc.gov/os/ comments/COPPArulereview/index.htm. This document cites comments by commenter name and page number. If a commenter submitted comments in response to the April 2005 NPR and the January 2005 NPR, the comment submitted second is delineated with the number ‘‘2.’’ All comments are available for public inspection at the Public Reference Room, Room 130, Federal Trade Commission, 600 Pennsylvania Ave., NW., Washington, D.C. 20580. 3 70 FR 2580 (Jan. 14, 2005). The comments responsive to the January 2005 NPR have been filed E:\FR\FM\15MRR1.SGM Continued 15MRR1 13248 Federal Register / Vol. 71, No. 50 / Wednesday, March 15, 2006 / Rules and Regulations In the April 2005 NPR, the Commission asked members of the public to comment on all aspects of the Rule and additionally posed twenty-one specific questions. The Commission requested comment on the general costs and benefits of the Rule, each specific provision of the Rule, prominent issues that have arisen since the inception of the Rule, and particular issues that Congress statutorily directed the Commission to evaluate. The April 2005 NPR also restated the questions pertaining to the sliding scale approach to obtaining verifiable parental consent that were posed in the January 2005 NPR, to give the public further opportunity to comment on that issue. Commenters generally favored retaining the Rule without modification. In addition, although some commenters did not favor making the sliding scale approach permanent, they did not provide the Commission with sufficient data upon which to base a determination to eliminate or revise the sliding scale approach. This document first describes the background and requirements of the Rule. It then summarizes the comments received regarding the costs and benefits of the Rule and whether it should be retained, eliminated, or modified. It finally explains the Commission’s determination to retain the Rule without modification.4 cchase on PROD1PC60 with RULES II. Description and Background of the Children’s Online Privacy Protection Rule On October 21, 1998, Congress enacted COPPA (15 U.S.C. 6501–6508), which prohibits certain unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personal information from children on the Internet.5 Pursuant to COPPA’s requirements, the Commission issued its final Rule implementing COPPA on November 3, 1999.6 The Rule imposes requirements on operators of Web sites or online services directed to children under 13 years of age or that have actual knowledge that they are collecting personal information online from children under 13 years of age (collectively, ‘‘operators’’).7 Among other things, the Rule requires operators on the Commission’s record as Document Nos. 514511–00001, et seq., and may be found online at https://www.ftc.gov/os/comments/ COPPA%20Rule%20Ammend/Index.htm. 4 Because the Commission is not modifying the Rule, this document does not contain analyses under the Regulatory Flexibility Act, 5 U.S.C. 601– 612, and the Paperwork Reduction Act, 44 U.S.C. 3501–3520. 5 15 U.S.C. 6501–6508. 6 64 FR 59888 (Nov. 3, 1999). 7 16 CFR Part 312. VerDate Aug<31>2005 20:10 Mar 14, 2006 Jkt 208001 to provide notice to parents and to obtain ‘‘verifiable parental consent’’ prior to collecting, using, or disclosing personal information from children under 13 years of age.8 ‘‘Verifiable parental consent’’ means that the consent method must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.9 When the Commission issued the Rule in 1999, it adopted a sliding scale approach to obtaining verifiable parental consent.10 Under such an approach, more reliable measures are required for parental consent if an operator intends to disclose a child’s information to third parties or the public than if the operator only uses the information internally. The Commission adopted the sliding scale approach to address concerns that it was not yet feasible to require more technologically advanced methods of consent for internal uses of information. To reflect the expectation that this assessment could change, the sliding scale was scheduled to sunset in 2002. When public comment in 2002 indicated that changes in the technology had not occurred, the Commission extended the sliding scale approach three more years.11 In January 2005, the Commission sought public comment on whether to make the sliding scale approach permanent.12 Based on the comments received, the Commission determined that it would be appropriate to evaluate the sliding scale approach in the broader context of the current Rule review. Pending the outcome of the instant review, the Commission amended the Rule to extend the sliding scale approach.13 In addition to requiring operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children, the Rule requires operators to post a notice of their information practices online, provide parents with access to their children’s information, and keep that information confidential and secure.14 It also prohibits operators from conditioning children’s participation in an activity on the children providing more personal information than is 8 16 CFR 312.4(c) and 312.5. CFR 312.5(b)(1). 10 The Commission adopted the sliding scale as part of the Rule in 1999 after soliciting public comments, https://www.ftc.gov/privacy/comments/ index.html, and conducting a public workshop, https://www.ftc.gov/privacy/chonlpritranscript.pdf, on consent methods. 11 67 FR 18818 (Apr. 17, 2002). 12 70 FR 2580. 13 70 FR 21107. 14 16 CFR 312.4(b), 312.6, and 312.8. 9 16 PO 00000 Frm 00004 Fmt 4700 Sfmt 4700 reasonably necessary to participate in that activity.15 Further, the Rule provides a safe harbor for operators following Commission-approved selfregulatory guidelines, and instructions on how to get such guidelines approved.16 Both the Act and the Rule require that the Commission initiate a review of the Rule, including requesting data on certain issues, within five years of the Rule’s effective date, i.e., April 21, 2005.17 The Commission initiated its review on that date.18 The review also has been conducted pursuant to the Commission’s systematic program of periodically reviewing its rules and guides. III. Discussion of Comments and the Retention of the Rule Without Modification A. Summary of Comments The Commission received 25 comments in response to its April 2005 NPR on the overall Rule and 91 comments in response to its January 2005 NPR on the sliding scale approach to obtaining verifiable parental consent, for a total of 116 comments.19 The commenters included trade associations, Web site operators, privacy and educational organizations, COPPA safe harbor programs, and consumers. Of the 116 comments received, 68 were non-form letter comments from various entities and individuals. Approximately two-thirds of these 68 comments solely addressed the sliding scale approach.20 About one-third of 15 16 CFR 312.7. CFR 312.10. 17 15 U.S.C. 6507; 16 CFR 312.11. 18 70 FR 21107. The NPR also may be found online at https://www.ftc.gov/opa/2005/04/ coppacomments.htm. 19 The comments are discussed in subsections B and C of this Part. In addition, complete lists of the commenters and their comments appear at https:// www.ftc.gov/os/publiccomments.htm. 20 Dori Acampora; ADVO, Inc.; American Association of Advertising Agencies, et al. (‘‘AAAA’’); Lou Apa; Susan Barrett; Belinda Brewer; American Library Association (‘‘ALA’’); Center for Digital Democracy (‘‘CDD’’); Children’s Advertising Review Unit (‘‘CARU’’); Children’s Media Policy Coalition (‘‘CMPC’’); Consortium for School Networking (‘‘CoSN’’); Council of American Survey Research Organizations, Inc. (‘‘CASRO’’); Council for Marketing and Opinion Research (‘‘CMOR’’); Credit Union National Association (‘‘CUNA’’); William Demers; Gale DeVoar Sr.; Direct Marketing Association, Inc. (‘‘DMA’’); Christina Dukes; Electronic Privacy Information Center (‘‘EPIC’’); Gestweb S.p.a.; Illinois Credit Union League (‘‘ICUL’’); IT Law Group (‘‘ITLG’’); Gary Kelly; Liana Laughlin; Masterfoods USA; Mattel, Inc.; Adrieh Mehdikdani et al.; Jim Minor; Motion Picture Association of America (‘‘MPAA’’); National Cable & Telecommunications Association (‘‘NCTA’’); Navy Federal Credit Union (‘‘NFCU’’); Alta Price; Privo, Inc.; Procter & Gamble (‘‘P&G’’); Schwab Learning; Terri Seleman; Software & Information Industry Association (‘‘SIIA’’); 16 16 E:\FR\FM\15MRR1.SGM 15MRR1 Federal Register / Vol. 71, No. 50 / Wednesday, March 15, 2006 / Rules and Regulations cchase on PROD1PC60 with RULES them addressed other aspects of the Rule, in some cases also addressing the sliding scale approach.21 Forty-eight commenters submitted a form letter opposing letting operators obtain verifiable parental consent through a reply to an e-mail alone, because this could allow children to forge their parents’ consent. The form letter states, in pertinent part, that ‘‘Merely receiving an email from a parent’s email address does not qualify as permission since it is possible for parents to not even be aware that an exchange has taken place and therefore allows companies to market to children without parental permission.’’ 22 In its original COPPA rulemaking, the Commission agreed, concluding ‘‘that email alone does not satisfy the COPPA because it is easily subject to circumvention by children.’’ 23 Therefore, the Commission adopted the requirement in the Rule that operators must take an additional step to verify that it is, in fact, the parent sending the e-mail, a consent method commonly known as ‘‘e-mail plus.’’24 Specifically, the operator must send the parent by email, letter, or telephone call a confirmation of his or her consent.25 No commenter stated that the Rule should be eliminated. To the contrary, almost all commenters advocated retaining the Rule in its current form 26 or adding to its requirements.27 Two commenters suggested excepting certain kinds of Web sites from the Rule’s requirements,28 and one of the Rule’s safe harbor programs suggested extending the protected status granted to safe harbor program participants.29 Some commenters requested TRUSTe; John Surr; United States Internet Service Provider Association (‘‘US ISPA’’); John Villamil et al.; Anton Vogel et al.; Scot Wallace-Zeid; Carrie Williams. 21 Parry Aftab, et al.; ALA 2; Robert Chapin; CoSN 2; CUNA 2; Robert Custer; DMA 2; Edita Domentech, et al.; EPIC 2; Entertainment Software Rating Board (‘‘ESRB’’); Eileen Fernandez-Parker; Joseph Hodges; William Kreps; Mattel 2; Microsoft Corporation; MPAA 2; NFCU 2; Nickelodeon; Chris O’Neal; Peter Renguin; Scholastic Inc.; Time Warner Inc.; TRUSTe 2; Washington Legal Foundation (‘‘WLF’’). 22 See, e.g., Barbara Abbate. 23 64 FR at 59902. 24 Id. Under the sliding scale approach, if an operator wants to collect personal information from children and disclose it to third parties or the public, the Rule requires the operator to obtain verifiable parental consent through one of the more reliable means described in Section 312.5(b)(2) of the Rule. 16 CFR 312.5(b)(2). 25 Id. 26 E.g., ALA 2; CoSN 2; DMA 2; Mattel 2; MPAA 2; Nickelodeon; O’Neal; Scholastic; Time Warner. 27 CUNA 2; EPIC 2; Fernandez-Parker; Domenech; Kreps; NFCU 2; Reguin. 28 Aftab; Custer. 29 TRUSTe 2. VerDate Aug<31>2005 20:10 Mar 14, 2006 Jkt 208001 clarification on particular aspects of the Rule.30 On the specific issue of the sliding scale approach, unique commenters generally supported retaining it, with 34 unique comments submitted in favor of making it permanent 31 and nine unique comments submitted in favor of extending it for some period of time.32 Forty-eight form-letter comments opposed allowing receipt from a parent’s e-mail address to qualify as permission but, as explained above, the Rule already requires more. Eleven unique commenters were against making permanent or extending the sliding scale approach 33 and four did not take a clear position.34 B. General Comments on the Rule The Commission’s April 2005 NPR asked several questions about the implementation and necessity of the Rule as a whole. The NPR contained several standard Commission regulatory review questions about the costs and benefits of the Rule. The NPR also sought comments on three specific issues that Congress in the Act directed the Commission to evaluate. 1. The Costs and Benefits of the Rule The Commission asked several general questions in the April 2005 NPR pertaining to the necessity and effectiveness of the Rule. The questions requested comment on how the Rule has affected children’s online privacy and safety, whether the Rule is still needed, and how the Rule has affected consumers and operators. The Commission also requested comment on the Rule’s effect on small businesses and whether the Rule is in conflict with other existing laws. Commenters uniformly stated that the Rule has succeeded in providing greater protection to children’s personal information online, that there is a continuing need for the Rule, and that the Rule should be retained.35 For example, in explaining the Rule’s success in protecting children’s privacy and safety online, one commenter stated that ‘‘COPPA has been very successful in improving the data collection practices and curtailing unscrupulous interactive marketing practices of commercial Web sites,’’ 36 while another said that ‘‘all indications are that COPPA and its implementing rules provide an important tool in protecting the privacy and safety of children using the Internet.’’ 37 Another commenter stated that the Rule has increased consumer awareness of privacy issues across the board while encouraging operators to respond creatively to the challenge of protecting children online.38 As to the continuing need for the COPPA Rule, numerous commenters emphasized that the Rule provides operators with a clear set of standards to follow and that operators have received few, if any, complaints from parents about the standards and how they are implemented.39 One commenter described how the Rule’s definite standards have fostered consumer and business confidence in the Internet.40 Moreover, operators stated that they have no complaints about the costs of complying with the Rule’s requirements.41 The Commission did not receive any comments specifically addressing the Rule’s costs and benefits for small businesses or the Rule’s overlap with other laws or regulations. The Commission concludes that no modifications to the Rule are necessary on the basis of general comments submitted on the Rule and its costs and benefits. 2. COPPA-Mandated Issues When Congress enacted COPPA, it included a provision requiring the Commission to evaluate and report on the implementation of the Rule five years after its effective date. Congress directed the Commission to evaluate three particular issues: (1) How the Rule has affected practices relating to the 36 Aftab 30 Chapin; ESRB; EPIC 2; Microsoft; Privo; Reguin. 31 ADVO; Aftab; AAAA; Apa; Brewer; ALA 1, 2; CARU; CoSN 1, 2; CUNA 1, 2; DeVoar; DMA 1, 2; ESRB; ICUL; ITLG; Mattel 1, 2; Masterfoods; MPAA 1, 2; NCTA; NFCU 1, 2; Nickelodeon; P&G; Scholastic; SIIA; Time Warner; TRUSTe; U.S. ISPA; WLF. 32 CDD; CMPC; CASRO; CMOR; EPIC 1, 2; Mehdikdani; Villamil; Vogel. 33 Acampora; Barrett; Demers; Dukes; Laughlin; Minor; Price; Privo; Schwab Learning; Seleman; Williams. 34 Gestweb; Kelly; Surr; Wallace-Zeid. 35 E.g., Aftab at 2; ALA 2 at 1; COSN 2 at 1; CUNA 2 at 1–2; DMA 2 at 1–2; EPIC 2 at 1, 3; MPAA 2 at 2, 5; NFCU 2 at 1; Nickelodeon at 1; O’Neal; Scholastic at 2–3; Time Warner at 1. PO 00000 Frm 00005 Fmt 4700 Sfmt 4700 13249 at 2. 2 at 1. 38 Chapin at 1. 39 DMA 2 at 2; MPAA 2 at 2, 5; Nickelodeon at 1; Scholastic at 2–3; Time Warner at 1. 40 MPAA 2 at 3–4. 41 CoSN 2 at 1; NFCU 2 at 1; Nickelodeon at 1; Scholastic at 2–3; Time Warner at 1. Indeed, one commenter detailed the ways in which changing the Rule’s sliding scale approach would impose substantial costs on operators. MPAA at 4–5. The commenter, a large trade association representing numerous Web site operators, stated that these costs would include not only up-front labor and other quantifiable financial costs, but also unquantifiable costs associated with operators becoming unwilling to invest in new technology due to an uncertain regulatory climate and consumers becoming unwilling to trust an uncertain system. Id. 37 EPIC E:\FR\FM\15MRR1.SGM 15MRR1 13250 Federal Register / Vol. 71, No. 50 / Wednesday, March 15, 2006 / Rules and Regulations collection and disclosure of information relating to children online; (2) how the Rule has affected children’s access to information of their choice online; and (3) how the Rule has affected the availability of Web sites or online services directed to children.42 Accordingly, the Commission specifically included questions about these issues in the April 2005 NPR.43 Some commenters submitted views on the three issues, although none provided the Commission with related empirical data. Regarding the question of whether and, if so, how the Rule has affected practices relating to the collection, use, and disclosure of information relating to children online, three commenters (two operators of major Web sites and their trade association) provided specific and concrete examples of how the Rule has affected their own information practices concerning children.44 These commenters stated that the primary response of operators has been to limit the personal information they collect from children (by either not collecting any personal information or collecting only e-mail addresses) while developing innovative ways to offer the interactive online experiences children want. The commenters each described a wide variety of activities they offer at their Web sites that let children interact with the sites but require little or no information collection or disclosure.45 These commenters also stated that the Rule’s exceptions to prior verifiable parental consent for e-mail addresses are useful for providing children with safe online interactivity while preserving their Web sites’ viability.46 The Rule sets forth five exceptions to its requirement that operators obtain verifiable parental consent before collecting a child’s personal information. These exceptions allow operators to collect a child’s online contact information (i.e., an e-mail address) 47 without obtaining prior parental consent and use that information only for certain specified purposes.48 In each instance, the Rule 42 15 U.S.C. 6507. FR at 21109. 44 DMA 2 at 2; Nickelodeon at 3–4; Time Warner at 2. 45 Id. 46 Id. 47 Id. Some exceptions also allow the operator to collect the child’s name, the parent’s name, or the parent’s online contact information. 48 16 CFR 312.5(c). For example, an operator can collect and use a child’s e-mail address without prior parental consent to obtain verifiable parental consent, to protect the safety of a child visitor, or to respond to judicial process. 16 CFR 312.5(c)(1), 312.5(c)(4), and 312.5(c)(5)(ii). cchase on PROD1PC60 with RULES 43 70 VerDate Aug<31>2005 20:10 Mar 14, 2006 Jkt 208001 prohibits the operator from using the information for any other purpose. The commenters highlighted two of the exceptions as particularly useful in providing interactive content to children. The first of these exceptions lets operators collect a child’s e-mail address to respond once to a child’s specific request, such as to answer a question (e.g., homework help) or to provide other information (e.g., when a new product will be on sale).49 The operator does not need to provide notice to the parents or obtain parental consent, so long as it deletes the child’s e-mail address upon responding. The second noted exception lets an operator collect the e-mail addresses of the child and his or her parent so that the operator can respond more than once to a child’s specific request, such as to subscribe the child to an electronic newsletter.50 Here, the operator must provide notice to the parent before contacting the child a second time and give the parent an opportunity to opt out of the repeated contact. Commenters stated that these two exceptions help them to provide safe, interactive, and fun children’s content.51 The second statutorily mandated question was whether and, if so, how the Rule has affected children’s ability to access information online. Most commenters stated that the Rule’s requirements have struck an appropriate balance between protecting children’s personal information online and preserving their ability to access content.52 One commenter stated that the Rule has ‘‘unfairly limited student access to educational sites.’’ 53 In contrast, another commenter noted that, in her experience as a teacher, children have been able to access online educational content without revealing their personal information and that her students ‘‘have not faced a problem because of COPPA.’’ 54 In addition, in the educational context, teachers often 49 16 CFR 312.5(c)(2). CFR 312.5(c)(3). 51 DMA 2 at 2; Nickelodeon at 3–4; Time Warner at 2. 52 DMA 2 at 1–2; Fernandez-Parker; Nickelodeon at1; Time Warner at 3. 53 Custer. The commenter suggested that the Commission exempt educational sites from the Rule. The Commission notes that the Rule already exempts certain nonprofit entities, which would include many educational sites. 16 CFR 312.2 (‘‘Operator means any person who operates a website * * * where such website or online service is operated for commercial purposes[.] * * * This definition does not include any nonprofit entity that would otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. 45).’’). 54 Fernandez-Parker. 50 16 PO 00000 Frm 00006 Fmt 4700 Sfmt 4700 can act on behalf of parents to provide consent for purposes of COPPA.55 The final statutorily mandated question concerned the Rule’s effect on the availability of Web sites directed to children. Many commenters indicated that they have been successful in operating popular and viable children’s Web sites in the five years since the Rule’s effective date.56 One commenter, however, suggested that the Rule’s requirements could have caused at least a few smaller children’s Web sites to fail.57 However, this commenter also acknowledged that, given the failure of innumerable Web sites for multiple reasons during the dot-com bust of 2000, it would be difficult to single out the Rule as the cause. No commenters submitted empirical data showing the Rule’s direct impact on the availability of Web sites directed to children. Accordingly, the record does not indicate that the cost of complying with COPPA has decreased the number of children’s Web sites.58 The Commission concludes that no modifications to the Rule are necessary on the basis of the comments submitted in response to the three COPPAmandated questions. C. Comments Pertaining to Specific Rule Provisions 59 1. Section 312.2: Definitions Section 312.2 defines various terms used in the Rule.60 The Commission 55 Most schools require parents to agree to the school’s Internet ‘‘Acceptable Use Policy’’ (‘‘AUP’’) before a child can visit the Internet at school. Such AUPs can and often do authorize teachers to act on behalf of parents to provide verifiable parental consent for purposes of COPPA. In this way, if children must provide personal information to access certain content, the teacher can provide the requisite consent. The Commission has posted COPPA guidance for teachers and parents at https://www.ftc.gov/bcp/conline/pubs/online/ teachers.htm. 56 DMA 2 at 2; MPAA 2 at 8; Nickelodeon at 11; Scholastic at 2. 57 Aftab at 1. 58 One commenter suggested that the Commission regularly evaluate the status of children’s privacy online to ensure that the Rule continues to provide children with the best protection. EPIC 2 at 3. Under the FTC’s systematic program of periodically reviewing its rules and guides, the Rule will be evaluated comprehensively, approximately every ten years. 59 The Commission received no comments on certain provisions of the Rule, including Section 312.1 (describing the Rule’s scope); Section 312.3 (generally describing the Rule’s requirements); Section 312.9 (providing that a violation of the Rule shall be treated as a violation of a rule prohibiting an unfair or deceptive act or practice prescribed under Section 18(a)(1)(B) of the FTC Act, 15 U.S.C. 57(a)(1)(B)); Section 312.11 (mandating the instant regulatory review); and Section 312.12 (providing that each Rule provision is separate and severable from the others). The Commission has determined that no modifications to these provisions are necessary. 60 16 CFR 312.2. E:\FR\FM\15MRR1.SGM 15MRR1 Federal Register / Vol. 71, No. 50 / Wednesday, March 15, 2006 / Rules and Regulations requested comment on whether the definitions contained in this section are effective, clear, and appropriate, and whether any improvements or additions should be made. In particular, the Commission asked whether the Rule correctly articulates the factors to consider in determining whether a Web site is directed to children and whether the term ‘‘actual knowledge’’ is sufficiently clear.61 No comments were submitted on the general effectiveness of the Rule’s definitions section, but the Commission received some comments concerning the terms ‘‘website or online service directed to children’’ and ‘‘actual knowledge.’’ The term ‘‘website or online service directed to children’’ is defined specifically in COPPA and the Rule itself,62 while ‘‘actual knowledge’’ is discussed in the Rule’s Statement of Basis and Purpose and later Commission guidance.63 Overall, most commenters stated that the terms are sufficiently clear,64 although two suggested that the Commission continue to refine the terms through enforcement actions or other guidance.65 a. ‘‘Website or Online Service Directed to Children’’ The Rule specifically defines the term ‘‘website or online service directed to children’’ as ‘‘a commercial website or online service, or portion thereof, that is targeted to children.’’ 66 The Rule further provides that, in determining whether a Web site or online service is ‘‘targeted to children,’’ the Commission will consider several factors. These factors include subject matter; visual and audio content; age of models; language or other characteristics; advertising appearing on or promoting the site or service; competent and reliable empirical evidence of audience composition; evidence regarding the intended audience; and whether the site uses animated characters or childoriented activities or incentives.67 The Rule’s Statement of Basis and Purpose states that the Commission, in making cchase on PROD1PC60 with RULES 61 70 FR at 21109. 62 15 U.S.C. 6502; 16 CFR 312.2. See also discussion of factors to be considered in determining whether a Web site is directed to children at 64 FR 59893. 63 64 FR 59892; Frequently Asked Questions about the Children’s Online Privacy Protection Rule: Volume One (‘‘COPPA FAQs’’), questions 38 and 39, available at https://www.ftc.gov/privacy/ coppafaqs.htm#teen; and The Children’s Online Privacy Protection Rule: Not Just for Kids’ Sites, available at https://www.ftc.gov/bcp/conline/pubs/ alerts/coppabizalrt.htm. 64 DMA 2 at 2–4; EPIC 2 at 3–5; Nickelodeon at 9–10; Time Warner at 4, 6. 65 EPIC 2 at 5; ESRB at 2–3. 66 16 CFR 312.2. 67 64 FR 59912–13. VerDate Aug<31>2005 20:10 Mar 14, 2006 Jkt 208001 its determination, will consider ‘‘the overall character of the site—and not just the presence or absence of one or more factors.’’ 68 Commenters representing numerous Web site operators stated that the language of the Rule and discussion in the Rule’s Statement of Basis and Purpose provide effective and clear guidance for determining whether a Web site is directed to children.69 Two commenters suggested that the Commission clarify, through additional guidance, when a Web site is considered to be directed to children under the Rule. The first commenter suggested adding several design elements to the Rule’s list of factors the Commission will consider, including color, nontextual content, interactivity, navigational tools, and advertisements.70 The Commission believes that the existing factors set forth in the Rule already encompass these suggested additions. For example, the Rule’s definition expressly provides that the Commission will consider advertising appearing on or promoting the Web site or service.71 The Rule also provides that the Commission will consider a site’s visual and audio content, language and other characteristics of the site, and any childoriented activities or incentives.72 The Commission therefore concludes it is unnecessary to modify the Rule’s definition of a Web site or online service directed to children. A second commenter suggested it might be instructive to incorporate into the Rule the analysis that Commission staff set forth in a recent letter denying a petition for law enforcement action filed concerning the Amazon Web site, https://www.amazon.com.73 The letter, published on the petitioner’s Web site,74 analyzes the Amazon Web site using the factors set forth in the Rule for determining whether a Web site is directed to children. The commenter suggested that incorporating the analysis into the Rule would clarify how the Commission determines whether other Web sites are directed to children. The letter does provide one example of how the Commission staff has applied the Rule’s factors in analyzing whether a particular Web site was directed to children. However, the Commission does not believe that the general factors 68 64 FR 59893. 2 at 2; Nickelodeon at 9; Time Warner at 69 DMA 4–5. 70 EPIC 71 16 2 at 4. CFR 312.2. 72 Id. 73 ESRB at 2. https://www.epic.org/privacy/amazon/ ftc_amazon.pdf (last accessed 10/12/05). 74 See PO 00000 Frm 00007 Fmt 4700 Sfmt 4700 13251 in the Rule need to be modified in light of the FTC staff’s application of these factors in that specific instance. b. ‘‘Actual Knowledge’’ The Commission also asked whether the term ‘‘actual knowledge’’ is sufficiently clear. The Rule’s requirements apply to operators of Web sites other than those directed to children (sometimes referred to as ‘‘general audience Web sites’’) if such operators have ‘‘actual knowledge’’ that they are collecting or maintaining personal information from children.75 The Rule’s Statement of Basis and Purpose explains that a general audience Web site operator has the requisite actual knowledge if it ‘‘learns of a child’s age or grade from the child’s registration or a concerned parent * * * .’’ 76 It may have the requisite knowledge if it asks age, grade, or other age-identifying questions.77 Subsequent to the Rule’s issuance, the Commission staff posted guidance on the FTC Web site clarifying that a general audience Web site operator does not obtain actual knowledge of a child’s age ‘‘[i]f a child posts personal information on a general audience site, but doesn’t reveal his or her age * * *’’ 78 In addition, the guidance provides that the operator would not have actual knowledge if a child posts his or her age in a chat room on the site, but no one at the operator sees or is alerted to the post.79 Most commenters stated that the Rule’s Statement of Basis and Purpose and subsequent guidance have made the term ‘‘actual knowledge’’ sufficiently clear and no modification to the Rule is necessary.80 For example, one commenter states ‘‘the Commission’s guidance clarifying that asking for age or date of birth information or similar questions through which the Web site would learn the ages of specific visitors[] provides clear criteria for Web 75 16 76 64 CFR 312.3. FR 59892. 77 Id. 78 COPPA FAQs, question 38, available at https://www.ftc.gov/privacy/coppafaqs.htm#teen. 79 Id. The Commission also released a business alert in 2004 reiterating its guidance on actual knowledge, in conjunction with filing complaints and consent decrees against two general audience Web site operators that allegedly had actual knowledge that they were collecting personal information from children. See February 18, 2004 FTC news release at https://www.ftc.gov/opa/2004/ 02/bonziumg.htm and FTC Business Alert entitled The Children’s Online Privacy Protection Rule: Not Just for Kids Sites at https://www.ftc.gov/bcp/ conline/pubs/alerts/coppabizalrt.htm. 80 E.g., DMA 2 at 3–4; Nickelodeon at 9–10; Time Warner at 6–7. E:\FR\FM\15MRR1.SGM 15MRR1 13252 Federal Register / Vol. 71, No. 50 / Wednesday, March 15, 2006 / Rules and Regulations sites to determine their obligations.’’ 81 One commenter did suggest, however, that the Commission continue to clarify the term in the context of additional enforcement actions.82 The Commission concludes that no modifications to the Rule are necessary on the basis of these comments. c. Age Screening and Age Falsification General audience Web sites or those directed to teenagers may attract a substantial number of children under the age of 13. Although such Web sites are not directed at children under 13, operators of such sites must comply with the Rule to the extent that they have ‘‘actual knowledge’’ that visitors are under 13. Some operators of such Web sites choose to screen visitors to determine whether they are under 13. This practice, popularly referred to as ‘‘agescreening,’’ started with Web sites directed to teenagers and is now used by many general audience Web sites that may appeal to children. Some general audience Web sites appear to use agescreening to reject children’s registration requests, thus providing children with an incentive to falsify their age to gain access. The FTC staff has issued guidance regarding how operators of teen-directed Web sites can obtain age information from their visitors without encouraging age falsification.83 The Commission asked if there was evidence that a substantial number of children were falsifying age information in response to age-screening on general audience Web sites and, if so, whether the Rule should be modified to address this problem. The Commission received five comments concerning agescreening. Two commenters stated that some children falsify their age to register on Web sites that screen for age, but provided no empirical information as to how frequently this occurs.84 Other commenters stated that age falsification is not a problem in practice, especially when Web sites follow Commission staff guidance and request age information in a neutral manner, then set session cookies to prevent children from later changing their age.85 One commenter suggested that attempting to regulate online age falsification would be unrealistic, because there is no way to prevent certain children from falsifying their age.86 Instead, commenters cchase on PROD1PC60 with RULES 81 Nickelodeon at 10. 2 at 5. 83 COPPA FAQs, question 39, available at https://www.ftc.gov/privacy/coppafaqs.htm#teen. 84 Aftab at 5; WLF at 5. 85 DMA 2 at 4; Time Warner at 6. 86 WLF at 5. 82 EPIC VerDate Aug<31>2005 20:10 Mar 14, 2006 Jkt 208001 stressed that following Commission staff guidance on age-screening remains a reasonable practice for teen or general audience site operators seeking to comply with the Rule.87 The Commission has concluded that no changes to the Rule are needed in response to operators’ age-screening practices. d. Other Definitions Few comments were submitted about the definitions of other terms used in the Rule. Two commenters suggested that the term ‘‘internal use’’ is not adequately defined.88 The Rule does not define the term ‘‘internal use,’’ but it does define ‘‘disclosure’’ to include releasing personal information collected from a child, except to a person providing internal support for the operations of the Web site.89 The Rule also explicitly provides that persons providing internal support cannot use the information for any other purpose.90 The Rule’s Statement of Basis and Purpose further explains that ‘‘support for the internal operations of the Web site’’ can include providing technical support, servers, or services such as chat and e-mail.91 The commenters that asked that ‘‘internal use’’ of information be defined specifically sought clarification as to whether sharing information among corporate affiliates constitutes an internal use or a disclosure. The Rule’s Statement of Basis and Purpose explains that determining whether an operator’s sharing of information with another entity is an internal use or a disclosure depends on the receiving entity’s relationship to the information. Sharing information with another entity can constitute an internal use of the information only if it is solely to facilitate internal support services for the operator and the entity does not use the information for any other purpose.92 87 DMA 2 at 4; Time Warner at 6. One commenter reported that age-screening in the shopping area of its general audience Web site was preventing adults who enter an age under 13 from completing their purchase. Mattel at 2–3. As discussed in the text, age-screening is designed for general audience Web sites or portions of Web sites that may appeal to children. The shopping areas of Web sites are unlikely to attract children because making a purchase online generally requires a credit card, which most children do not have. The Commission therefore has not advocated that operators of general audience Web sites, like the commenter, ask age-screening questions on the shopping areas of their sites. 88 Privo at 5; EPIC at 2. 89 16 CFR 312.2. 90 Id. 91 See 64 FR 59890–91. 92 Id. at 59890, 59891. The Rule’s Statement of Basis and Purpose incorporates by reference a set of factors that can be used to help define an entity’s relationship to collected information, including PO 00000 Frm 00008 Fmt 4700 Sfmt 4700 Sharing for any other use, whether or not the other entity is a corporate affiliate, constitutes a disclosure.93 The Commission concludes that no modification to the Rule is necessary. Another commenter suggested that the Commission expand the Rule’s definition of ‘‘operator’’ to include individuals operating noncommercial Web sites and nonprofit entities operating Web sites.94 COPPA expressly applies only to operators of Web sites and online services ‘‘operated for commercial purposes’’ and excludes ‘‘any nonprofit entity that would otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. 45).’’ 95 The Rule includes the statutory language of COPPA,96 so the Commission cannot modify the definition. Finally, one commenter sought clarification of certain statutory terms set forth in COPPA, such as ‘‘online contact information,’’ ‘‘personal information,’’ ‘‘retrievable form,’’ and ‘‘recontact.’’ 97 To provide businesses and consumers with additional guidance, the Commission has provided more specific articulations of some of COPPA’s statutory terms in the Rule and the Rule’s Statement of Basis and Purpose. For example, the commenter asked the Commission to clarify whether certain types of information not specifically listed in COPPA’s definition of ‘‘personal information,’’ such as IP addresses, unique identifiers, birthdates, or photographs, do constitute ‘‘personal information.’’ The Rule’s definition of ‘‘personal information’’ includes ‘‘a persistent identifier * * * associated with individually identifiable information’’ as well as a photograph when combined with other information that permits contacting the individual.98 The Commission concludes that no ownership, control, payment, use, and maintenance of the information, as well as any pre-existing contractual relationships. Id. at 59891, citing 64 FR 22750, 22752 (Apr. 27, 1999). See also COPPA FAQs, question 47, at https://www.ftc.gov/privacy/ coppafaqs.htm. 93 Id. 94 Reguin. 95 15 U.S.C. 6502(2). 96 16 CFR 312.2. The Commission staff has provided guidance encouraging all operators to practice fair information principles with their visitors, https://www.ftc.gov/privacy/ coppafaqs.htm#teen, and many nonprofit Web sites do voluntarily comply with COPPA and the Rule because they want to protect children’s safety and privacy. In addition, Federal policy requires all federal Web sites to provide their child visitors with COPPA protections. Memorandum for the Heads of Executive Departments and Agencies, M–00–13 (June 22, 2000), available at https:// www.whitehouse.gov/omb/memoranda/m00– 13.html. 97 Chapin. 98 16 CFR 312.2. E:\FR\FM\15MRR1.SGM 15MRR1 Federal Register / Vol. 71, No. 50 / Wednesday, March 15, 2006 / Rules and Regulations additional clarification of the particular terms identified by this commenter is necessary. For the reasons discussed above, the Commission concludes that no modifications to the Rule’s current definitions are necessary. 2. Section 312.4: Notice cchase on PROD1PC60 with RULES Section 312.4 of the Rule requires operators to provide notice of their information practices to parents. These notices must inform parents about their information practices, including what information they collect from children online, how they use the information, and their disclosure practices for such information. The Commission requested comment on whether the notice requirement is effective, if its benefits outweigh its costs, and what changes, if any, should be made to it. Two commenters submitted comments on the Rule’s notice provision. The first commenter noted the importance of providing parents with contact information for the operator, so they can discuss and attempt to resolve any concerns with the operator.99 The commenter did not seek any changes to the Rule’s notice provision. The second commenter stated that it was unclear whether the Rule requires a general audience Web site operator with actual knowledge that it has collected personal information from a child to post a privacy notice on its site.100 Section 312.4(b) of the Rule sets forth the requirements for posting a privacy notice on a Web site, including which operators must post a privacy notice online.101 According to the Rule, ‘‘an operator of a Web site or online service directed to children must post a link to a notice of its information practices with regard to children * * *’’ 102 In addition, ‘‘[a]n operator of a general audience website or online service that has a separate children’s area or site must post a link to a notice of its information practices with regard to children* * *.’’ 103 The Rule therefore does not otherwise require that operators post privacy notices, including general audience site operators that have actual knowledge that they have collected personal information from children. For the above reasons, the Commission concludes that no modification to the Rule’s notice requirement is necessary. 2 at 1–2. at 2–3. 101 16 CFR 312.4. 102 16 CFR 312.4(b). 103 Id. 3. Section 312.5: Verifiable Parental Consent a. General Issues Section 312.5 of the Rule requires operators to obtain verifiable parental consent before collecting, using, or disclosing any personal information from children, including making any material change to information practices to which the parent previously consented. The Commission requested comment on whether the consent requirement is effective, if its benefits outweigh its costs, and what changes, if any, should be made to the requirement. The Commission further asked whether it is reasonable for an operator to use a credit card to verify a parent’s identity. The Commission also offered an additional opportunity for the public to comment on the Rule’s sliding scale approach to obtaining verifiable parental consent. 1. Parental Opt-Out From Disclosure to Third Parties One commenter asked how operators that provide online communication services such as e-mail accounts, bulletin boards, and chat rooms can comply with Section 312.5(a)(2) of the Rule.104 This section mandates that parents must be given the option to allow an operator to collect a child’s personal information (such as by registering a child for an e-mail or chat account) but not disclose the information collected to third parties.105 The commenter noted that the Rule defines ‘‘disclosure’’ to include ‘‘making personal information collected * * * publicly available in identifiable form,’’ such as through an e-mail account or chat room.106 Specifically, the commenter contended that ‘‘a parent cannot realistically consent only to the use of his or her child’s personal information and not to the disclosure of such information by these [online communications] services.’’107 Commission staff guidance addresses this point. ‘‘The Rule only requires parental choice as to disclosures to third parties. You don’t have to offer parents choice regarding the collection of personal information necessary for chat or a message board; but prior parental consent is still required before permitting children to participate in chat rooms or message boards that enable them to make their personal 99 CUNA 100 Microsoft VerDate Aug<31>2005 20:10 Mar 14, 2006 104 Microsoft at 4. CFR 312.2. 106 Microsoft at 4, citing 16 CFR 312.2. 107 Id. 105 16 Jkt 208001 PO 00000 Frm 00009 Fmt 4700 Sfmt 4700 13253 information publicly available.’’ 108 For example, when an e-mail provider obtains verifiable parent consent for registering a child for an e-mail account, the operator must let the parent opt out from any disclosures, by the operator, of information collected during the registration process. The Commission concludes that no modification to the Rule is required. 2. Using a Credit Card To Obtain Verifiable Parental Consent The Rule sets forth a nonexclusive list of approved methods to obtain verifiable parental consent, including the use of a credit card in connection with a transaction.109 In light of reports that companies are marketing credit cards to minors,110 the Commission specifically requested comment on the continued use of credit cards as a means of obtaining verifiable parental consent. The majority of commenters on this issue stated that even if a small percentage of children may possess credit cards, using a credit card with a transaction is a reasonable and trustworthy method to obtain verifiable parental consent.111 No information was submitted demonstrating to what extent credit cards are issued to children under 13.112 Commenters, however, emphasized that granting credit requires the formation of a legally enforceable contract between the creditor and the debtor, which has resulted in credit cards being issued almost exclusively to adults.113 Moreover, even if credit cards are being issued to children under 13, the same principles of contract law would require the credit cards to be linked to a supervisory adult’s account.114 Through this link, parents can set controls on and monitor the account, ensuring that the children cannot use the credit cards without permission.115 In addition, the Rule’s requirement that the credit card be used in connection with a transaction provides 108 COPPA FAQs, question 37, available at https://www.ftc.gov/privacy/coppafaqs.htm#consent. See also 64 FR at 59899, note 166. 109 16 CFR 312.5(b). 110 See, e.g., articles at https://www.bankrate.com/ brm/news/cc/20000508.asp; https:// www.commercialalert.org/blog/archives/2005/02/ marketing_credi.html; https://www.fool.com/news/ commentary/2004/commentary04092804.htm (all last accessed 12/07/05). 111 DMA 2 at 4, 5; ESRB at 2; Mattel 2 at 5; MPAA 2 at 6–8; Nickelodeon at 10–11; Scholastic at 2; Time Warner at 2. 112 DMA 2 at 4; ESRB at 2; Mattel 2 at 5; MPAA 2 at 6; Scholastic at 2; Time Warner at 7. 113 DMA 2 at 4; MPAA 2 at 7–8; Nickelodeon at 10; Scholastic at 2; Time Warner at 7–8. 114 DMA 2 at 4; MPAA 2 at 6; Nickelodeon at 10; Time Warner at 7. 115 CUNA 2 at 2; NFCU 2 at 1. E:\FR\FM\15MRR1.SGM 15MRR1 13254 Federal Register / Vol. 71, No. 50 / Wednesday, March 15, 2006 / Rules and Regulations extra reliability because parents obtain a transaction record that gives them additional notice of the consent provided.116 Parents thus are notified of the purported consent, and can withdraw it if improperly given.117 The Commission is satisfied that no change in circumstances has invalidated using a credit card with a transaction to obtain verifiable parental consent.118 One commenter requested clarification on whether the Rule would permit using a credit card to obtain verifiable parental consent without a concomitant transaction.119 The Rule provides: ‘‘Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.’’ 120 Some methods can confirm that the credit card number provided is consistent with numbers that issuers assign to their credit cards, but this does not provide reasonable assurance that the number provided is for an actual credit card. Other methods can confirm that the credit card number is the number of an actual credit card, but does not provide reasonable assurance that the card belongs to the child’s parent. The Commission therefore concludes that these methods are not reasonably calculated to ensure that it was the parent who provided consent. In addition, unless the operator conducts a transaction in connection with the consent, no record is formed notifying the parent of the purported consent and offering an opportunity to revisit that consent.121 The Commission concludes that no modification is warranted to the Rule provision treating the use of a credit card in connection with a transaction as one method of obtaining verifiable parental consent.122 3. The E-Mail Exceptions to Prior Parental Consent The Commission next requested comment on the Rule’s exceptions to prior parental consent (the ‘‘e-mail 116 MPAA 2 at 6. 2 at 5; MPAA 2 at 7. 118 The Commission expresses no view about the legal ramifications of using a credit card transaction as a proxy for age generally, a tangential issue raised by some commenters. Mattel 2 at 5; MPAA at 7–8; Nickelodeon at 10–11; Scholastic at 2; Time Warner at 8. 119 ESRB at 2. 120 16 CFR 312.5(b)(1). 121 DMA 2 at 5. 122 Previous FTC staff guidance suggested that operators might not always be prohibited from using a credit card without a transaction to obtain consent. Such guidance will be clarified to reflect the Commission’s determination that such a method currently does not constitute verifiable parental consent. See COPPA FAQs, question 34, at https:// www.ftc.gov/privacy/coppafaqs.htm#consent. cchase on PROD1PC60 with RULES 117 DMA VerDate Aug<31>2005 20:10 Mar 14, 2006 Jkt 208001 exceptions’’ to prior parental consent). In limited circumstances, COPPA and Section 312.5(c) of the Rule allow operators to collect the online contact information of the child, and sometimes parent, before obtaining verifiable parental consent.123 Such circumstances include when the operator seeks to obtain parental consent, wants to respond once to a child’s specific request (such as a homework help question), or wants to respond multiple times to a child’s specific request (such as an electronic newsletter).124 Two commenters stated that the email exceptions are useful in allowing operators to continue to provide interactive content to children online. One stated: ‘‘The ability to use COPPA’s ‘e-mail exceptions’ to parental consent has enabled us to offer meaningful children’s content and preserve the interactivity of the medium, while still protecting privacy.’’ 125 The commenter noted that the e-mail exceptions enable not only online activities popular with children, such as contests, online newsletters, and electronic postcards, but also sending direct notices and requests for consent to parents.126 Another commenter suggested that the Rule should prohibit operators from collecting any information from children, even just an e-mail address, without parental consent. However, the commenter neither provided any basis for eliminating the e-mail exceptions nor offered any alternative way to provide direct notice and obtain parental consent.127 The Commission concludes for these reasons that no modification to the e-mail exceptions to prior parental consent is necessary. b. The Sliding Scale Approach To Obtaining Verifiable Parental Consent In its April 2005 FRN, the Commission gave the public an additional opportunity to comment on the Rule’s sliding scale approach to obtaining verifiable parental consent. The Rule provides that ‘‘[a]ny method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.’’ 128 Prior to issuing the Rule, the Commission studied extensively the state of available parental consent technologies.129 In July 1999, the 123 15 U.S.C. 6503(b)(2); 16 CFR 312.5(c). 124 Id. 125 Nickelodeon at 1. at 5. 127 Domentech at 6. 128 16 CFR 312.5(b)(1). 129 See, e.g., public comments received on initial rulemaking (1999), available at https://www.ftc.gov/ privacy/comments/. 126 Id. PO 00000 Frm 00010 Fmt 4700 Sfmt 4700 Commission held a workshop on parental consent, which revealed that more reliable electronic methods of verification were not widely available or affordable.130 In determining to adopt the sliding scale approach in 1999, the Commission balanced the costs imposed by the method of obtaining parental consent and the risks associated with the intended uses of information.131 Because of the limited availability and affordability of the more reliable methods of obtaining consent— including electronic methods of verification—the Commission found that these methods should be required only when obtaining consent for uses of information posing the greatest risks to children, such as chat, e-mail accounts, and message boards.132 Accordingly, the Commission implemented the sliding scale approach, noting that it would ‘‘provide[] operators with cost-effective options until more reliable electronic methods became available and affordable, while providing parents with the means to protect their children.’’ 133 The sliding scale approach allows an operator, when collecting personal information only for its internal use, to obtain verifiable parental consent through an e-mail from the parent, so long as the e-mail is coupled with additional steps. Such additional steps include: obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call, or sending a delayed confirmatory e-mail to the parent after receiving consent.134 The purpose of the additional steps is to provide greater assurance that the person providing the consent is, in fact, the parent. In contrast, for uses of personal information that involve disclosing the information to the public or third parties, the Rule requires operators to use more reliable methods of obtaining verifiable parental consent. These methods include: using a print-and-send form that can be faxed or mailed back to the Web site operator; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free telephone number staffed by trained personnel; using a digital certificate that uses public key 130 See FTC news release announcing workshop and transcript of workshop, available at https:// www.ftc.gov/opa/1999/06/kidswork.htm and https:// www.ftc.gov/privacy/chonlpritranscript.pdf. 131 64 FR 59901–02. 132 Id. 133 Id. 134 Id. CARU, a Commission-approved COPPA safe harbor program, expressed concern that operators may not understand that an additional step is required. E:\FR\FM\15MRR1.SGM 15MRR1 Federal Register / Vol. 71, No. 50 / Wednesday, March 15, 2006 / Rules and Regulations cchase on PROD1PC60 with RULES technology; and using e-mail accompanied by a PIN or password obtained through one of the above methods.135 As noted in the Rule’s Statement of Basis and Purpose, these more reliable methods of obtaining parental consent are justified because ‘‘the record shows that disclosures to third parties are among the most sensitive and potentially risky uses of children’s personal information.’’ 136 When it issued the Rule, the Commission anticipated that the sliding scale approach would be necessary only in the short term because more reliable methods of obtaining verifiable parental consent would become widely available and affordable.137 Accordingly, the approach originally was set to expire two years after the Rule went into effect.138 However, when public comment in 2002 revealed that the expected progress in available technology had not occurred, the Commission extended the approach three more years.139 With the sliding scale approach set to expire on April 21, 2005, the Commission again sought comment on it in its January 2005 NPR.140 The NPR noted that the expected progress in available technology apparently still had not transpired and requested comment on a proposed amendment making the sliding scale approach a permanent feature of the Rule. The Commission also requested comment on: (1) The current and anticipated availability and affordability of more secure electronic mechanisms or infomediaries for obtaining parental consent; (2) the effect of the sliding scale approach on the incentive to develop and deploy more secure electronic mechanisms; (3) the effect of the sliding scale approach on operators’ incentives to disclose children’s personal information to third parties or the public; and (4) any evidence the sliding scale approach is being misused or not working effectively. The vast majority of the commenters responding to the NPR stated that the development and deployment of secure electronic verification technologies did not appear to be on the horizon. However, because some commenters questioned the effectiveness of and need for the sliding scale approach, the Commission decided it would be beneficial to accept additional comments during the regulatory review 135 16 CFR 312.5(b)(2). FR 59899. 137 64 FR 59902. 138 16 CFR 312.5(b)(2). 139 67 FR 18818. 140 70 FR 2580. 136 64 VerDate Aug<31>2005 20:10 Mar 14, 2006 Jkt 208001 comment period. To allow for such additional comments, the Commission eliminated the sliding scale approach’s sunset date from the Rule, thereby extending the approach.141 Having reviewed the comments submitted in response to the January 2005 NPR and the April 2005 NPR, the Commission concludes that more secure electronic mechanisms and infomediary services for obtaining verifiable parental consent are not yet widely available at a reasonable cost. The Commission therefore has decided to extend the sliding scale approach indefinitely, while continuing to monitor technological developments. As discussed below, the Commission believes that this flexible approach will allow parents and operators to continue to rely on a familiar and efficient tool and allow the Rule to reflect changes in technology. 1. The Availability and Cost of More Secure Methods of Verification a. Electronic Verification Technology Most of the commenters that specifically addressed the sliding scale approach stated that secure electronic mechanisms have not developed to the point where they are widely available and affordable.142 In addition, the anticipated date for the development and deployment of such technologies on a widespread and affordable basis cannot be predicted with any reasonable certainty.143 For example, the Software & Information Industry Association, the principal and worldwide trade association of the software code and digital content industry, stated that: In reviewing developments over the last several years, there are no clear signals that the anticipated verification technology— technology that must be low-cost, widely deployed and acceptable to consumer end users—is likely to be economically and widely available in the consumer market in the foreseeable future.144 The comments received suggest that extending the sliding scale approach will not discourage technological innovation or undermine the global development of secure electronic verification technologies.145 One commenter noted that the sliding scale 141 70 FR at 21106. at 1; Aftab at 5; AAAA at 2; CARU at 2; CASRO at 3–5; CMOR; CUNA at 2; CUNA 2 at 2; DMA at 4; DMA 2 at 6; EPIC at 2; EPIC 2 at 3; ITLG at 1; Masterfoods; Mattel at 1; Mattel 2 at 4; MPAA at 6; NCTA at 2; NFCU at 1; NCFU 2 at 1– 2; Nickelodeon at 8; P&G; SIIA at 1; Scholastic at 2; Time Warner 3–4; TRUSTe at 2; U.S. ISPA at 1; WLF at 6–7. 143 CASRO at 5–6; DMA at 4; MPAA at 2; SIIA at 3; Time Warner at 3–4; U.S. ISPA at 3. 144 SIIA at 3. 145 CARU at 2; Mattel at 1. 142 ADVO PO 00000 Frm 00011 Fmt 4700 Sfmt 4700 13255 approach does not prevent companies from using secure electronic technologies now or in the future.146 Although three commenters suggested that extending the sliding scale approach may discourage the development of secure verification technologies, none explained how or to what extent children’s privacy and parental consent issues would have such an effect.147 Several commenters discussed the state of electronic verification technology in detail and noted the lack of widely available, cost effective, and consumer friendly verification technologies.148 In particular, commenters discussed how digital signatures, digital certificates, public key infrastructure, P3P, and other electronic technologies have not developed as anticipated.149 For example, the Motion Picture Association of America (‘‘MPAA’’) said that ‘‘the range of digital signature technologies are either too costly for consumers (e.g., biometric verification systems), not able to confirm the identity of users (e.g., P3P), or not widely deployed (e.g., encryption key systems).’’ 150 The MPAA further stated that encryption key technology is only effective at confirming which computer has transmitted consent and cannot independently identify whether the user is a parent or a child.151 No commenters presented evidence that the state of these technologies—or their usefulness in obtaining parental consent—has improved since the inception of the Rule. The United States Internet Service Provider Association, which represents major Internet service providers and network providers, explained that widespread public key infrastructure solutions have not developed due to the lack of an appropriate legal regime: ‘‘there is no easily identifiable certification authority that will take on the liability for verifying identities in an open, public system.’’ 152 The group also stated that reliable public key solutions are difficult to achieve because ‘‘certification standards are insufficiently developed and precise to assure reliable interoperability of the various subtly different implementations of a given standard 146 MPAA at 6. at 6; Mehdikdani at 3; Privo at 7. 148 Aftab at 5; CASRO at 3–5; Mattel 2 at 4; MPAA at 5–6; SIIA at 3; Time Warner at 3–4; U.S. ISPA at 2–3. 149 Id. 150 MPAA at 5. 151 Id. at 5–6. 152 US ISPA at 3. 147 CASRO E:\FR\FM\15MRR1.SGM 15MRR1 13256 Federal Register / Vol. 71, No. 50 / Wednesday, March 15, 2006 / Rules and Regulations * * * that inevitably appear in the open Internet environment.’’ 153 The Platform for Privacy Preferences Project (‘‘P3P’’), developed by the World Wide Web Consortium, is a technology that enables Web sites to express their privacy practices in a standard, machine-readable format. P3P-enabled browsers can ‘‘read’’ privacy practices automatically and compare them to a consumer’s own set of privacy preferences. The technology is designed to give consumers a simple, automated way to gain more control over the use of their personal information on Web sites they visit.154 While P3P technology can offer individuals more control over how their personal information is used or disclosed online, it is not employed widely by consumers.155 Even if it were widely used, the automated P3P platform would not facilitate the notice and consent required by COPPA. To give verifiable parental consent under COPPA, a parent must be informed about specific information and then provide an appropriate form of verifiable parental consent. P3P cannot ensure either that a parent has been informed or that the person providing consent is the child’s parent. Moreover, parents’ privacy preferences for themselves might not be the same as for their children. Other commenters agreed that digital signature, digital certificate, and other digital verification technologies are not currently viable options for obtaining parental consent because they have not developed sufficiently and are not widely accessible to consumers.156 One commenter also noted that the cost of these technologies may be prohibitive for both businesses and consumers to use in obtaining parental consent.157 Finally, commenters also noted that, to the extent these electronic verification technologies have improved, the advances have been in business-to-business, not business-toconsumer, applications.158 For example, digital signature and digital certificate technologies, which can provide reliable electronic verification of a signer’s identity, are sometimes employed in commercial transactions, but have not advanced to the point of being a viable alternative for obtaining verifiable parental consent.159 Public key infrastructure solutions, which provide a means for encrypting and decrypting information, also seem to be marketed almost exclusively for business-tobusiness applications.160 b. The Availability and Cost of Infomediary Services Commenters likewise submitted information about whether infomediary services are widely available and affordable. Infomediary services act as middlemen in obtaining verifiable parental consent for Web sites and can offer options such as driver’s license and social security number verification. Several commenters noted that infomediary services to facilitate obtaining verifiable parental consent are not widely available and affordable.161 One commenter, Privo Inc., an infomediary service recently approved as a COPPA safe harbor program, stated that such services are already widely available at a reasonable cost, but cited only one example, itself.162 Privo’s comment did not indicate how many clients have used its service, although another commenter stated that it has used Privo’s service.163 This commenter expressed support for Privo’s registration process; however, it did not contend that infomediary services are otherwise widely available.164 The comments received did not demonstrate that infomediary services are affordable or would be widely used. Privo’s comment did not provide any information about the start-up and monthly costs for operators that use its service, although it stated that it ‘‘currently does not charge more than $1 per verification, and often much less.’’ 165 Other commenters, in contrast, stated that the costs of obtaining verifiable parental consent through more verifiable means, like infomediary services, are higher than what many small and medium-size operators can afford to pay.166 Moreover, one commenter stated that parents are willing to grant consent to an operator with a recognizable brand name, but would be unlikely to ‘‘embrace infomediary technology’’ because it involves granting consent to an entity with which the parents have little or no 159 CASRO cchase on PROD1PC60 with RULES 154 See World Wide Web Consortium Recommendation for the Platform for Privacy Preferences 1.0 (P3P1.0) Specification, available at https://www.w3.org/TR/P3P/#Introduction. 155 CASRO at 4–5; MPAA at 5. 156 CARU at 2; Mattel at 1; Mehdikdani at 1; NCTA at 2. 157 MPAA at 6. 158 CASRO at 4–5; MPAA at 5; US ISPA at 2. VerDate Aug<31>2005 at 4; MPAA at 5. at 5; U.S. ISPA at 3. 161 CASRO at 5; ITLG at 1; P&G. 162 Privo at 6. Privo did note that it has ‘‘processed hundreds of thousands of online registrations requiring verifiable parental consent.’’ 163 Schwab Learning at 1. 164 Id. 165 Privo at 6. 166 CARU at 2; DMA at 5; ITLG at 1; MPAA at 3– 4; see also P&G; SIIA at 3. 160 MPAA 153 Id. 20:10 Mar 14, 2006 Jkt 208001 PO 00000 Frm 00012 Fmt 4700 Sfmt 4700 experience.167 Consequently, the Commission finds that more secure electronic verification technologies and infomediary services to facilitate obtaining parental consent do not appear to be, currently or foreseeably, widely available at a reasonable cost.168 2. The Effectiveness of the Sliding Scale Approach The Commission concludes that, over the course of five years, the sliding scale approach has proven to be an effective method for protecting children’s privacy without hindering the development of children’s online content.169 Several commenters noted that there have been few complaints by parents about the sliding scale approach.170 Although some commenters suggested that the email plus mechanism, permitted for internal use of information collected from children, is unreliable, they did not provide any examples where children’s privacy has been violated.171 One commenter was concerned that operators may not understand that an additional follow-up step is required in addition to the consent e-mail itself.172 Some comments received in response to the January 2005 NPR suggested that making the sliding scale approach permanent may foster the development of appropriate children’s online content.173 These commenters noted that the sliding scale approach enables Web sites to provide interactive content for children without requiring operators to institute more costly parental consent mechanisms that could have the unintended effect of reducing children’s 167 Mattel 2 at 4. commenter stated that more research is required to better understand the role of infomediaries but did not explain what specifically needs to be studied. CDD at 2. 169 Comments that support the Commission’s conclusion include: ADVO at 1; AAAA at 1; ALA; Brewer; CARU at 2; DMA at 2; Mattel 2 at 4; MPAA at 2; NCTA at 1; P&G; Scholastic at 2; SIIA at 3; Time Warner at 3–4; US ISPA at 3; WLF at 4, 6. 170 ALA; CARU at 2; CASRO at 7; CoSN; DMA at 4; Mattel at 2; Mattel 2 at 4; MPAA at 3; NCTA at 2; Scholastic at 2; WLF at 7. These comments are consistent with the FTC staff’s enforcement experience. 171 E.g., Acampora; Privo at 2, 4–5; Villamil at 3; Vogel at 1–2. Some commenters appear to be under the misimpression that the Rule permits operators to obtain consent through a single e-mail, without more. E.g., Abbate and 47 other commenters who submitted form letters. 172 CARU at 2. The commenter did not suggest any particular language that might further clarify the language, which identifies such steps as ‘‘sending a confirmatory e-mail to the parent following receipt of consent; or obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call.’’ 16 CFR 312.5(b)(2). 173 ADVO at 1; AAAA at 1; CoSN 2 at 1; DMA at 4–5; MPAA at 4; Nickelodeon at 1–2, 8; SIIA at 3. 168 One E:\FR\FM\15MRR1.SGM 15MRR1 Federal Register / Vol. 71, No. 50 / Wednesday, March 15, 2006 / Rules and Regulations content on the Internet.174 The commenters suggested that making the sliding scale approach permanent may encourage companies to make the types of investments in children’s content that they may have hesitated to make in the past given the temporary nature of the sliding scale approach.175 Nearly all commenters agreed that use of the sliding scale approach is justified because collecting children’s personal information only for internal use continues to present a low risk to children.176 Even when an operator obtains consent through the e-mail plus mechanism, such information is protected because the operator must comply with the Rule’s mandate to ‘‘establish and maintain reasonable procedures to protect the confidentiality, security, and integrity’’ of that information.177 In addition, commenters noted that disclosing children’s personal information continues to pose a greater risk to children than keeping it internal.178 Some commenters stated that the low cost of the e-mail plus mechanism will encourage operators to not disclose children’s information to third parties,179 which furthers one of COPPA’s stated goals of protecting children’s online safety.180 Two commenters even suggested that, given the lesser risks posed by operators’ internal uses of information, the Commission should eliminate the prior parental consent requirement for such operators and require them only to provide parents with direct notice and an opportunity to opt-out of the maintenance and use of their child’s information.181 The Commission concludes that the effectiveness of the sliding scale approach warrants its continued use without modification. cchase on PROD1PC60 with RULES 3. The Commission’s Decision To Extend the Sliding Scale on an Indefinite Basis Several commenters argued that the sliding scale approach should be made permanent rather than extending it for 174 ADVO at 1; AAAA at 1; DMA at 4–5; MPAA at 4; SIIA at 3. 175 Id.; Nickelodeon at 8. 176 ADVO at 1; AAAA at 1; ALA; Brewer; CARU at 2; CoSN; CUNA at 1–2; ICUL; Mattel at 1; NFCU at 1; P&G; SIIA at 4; US ISPA at 3. But cf. Privo at 5; Villamil at 1, 3; Vogel at 1, 2 (stating that internal use and disclosure are equally risky). 177 16 CFR 312.8. 178 ADVO at 1; AAAA at 1; Brewer; CARU at 2; CoSN; CUNA at 1–2; DMA at 2–3; ICUL; Mattel at 1; NFCU at 1; P&G; SIIA at 4; US ISPA at 3. 179 ADVO at 1; ALA 2 at 2; CASRO at 6; CUNA at 2; NFCU at 1; TRUSTe at 2. 180 ADVO at 1; CUNA at 2; NFCU at 1. 181 CARU at 2; Mattel at 2. VerDate Aug<31>2005 20:10 Mar 14, 2006 Jkt 208001 a finite period of time. They stressed the benefits of greater regulatory certainty, including providing a consistent standard that operators can rely on in deciding how to structure their activities and encouraging investments in children’s content with some assurance about the law’s requirements for parental consent mechanisms.182 Some commenters additionally noted that many operators have made significant investments in implementing the sliding scale and that abandoning the regime without an equally viable, cost-effective alternative may adversely affect these companies, particularly the small ones.183 Based on the public comments received, and its own experience in administering the Rule, the Commission concludes that the risk to children’s privacy from an operator collecting personal information only for its internal use remains relatively low. The Commission also determines that more secure electronic technologies and infomediary services that might be used to obtain parental consent for internal use of personal information from children are not widely available at a reasonable cost. Further, the Commission concludes that the sliding scale approach has worked well and its continued use may foster the development of children’s online content. In light of the unpredictability of technological advancement and the benefits of decreasing regulatory uncertainty, the Commission has determined to retain the sliding scale indefinitely while it continues to evaluate developments. As one commenter noted, nothing precludes the Commission from revisiting the issue at an appropriate point in the future.184 If warranted by future developments, the Commission will seek comment on amending the Rule to change the sliding scale mechanism. 4. Section 312.6: Parental Access Section 312.6 of the Rule requires operators to give a parent, upon request: (1) A description of the types of personal information collected from children (e.g., ‘‘We collect full name and e-mail address from children’’); (2) the opportunity for the parent to refuse to permit the further use or collection of personal information from his or her child and direct the deletion of the information; and (3) a means of 182 DMA at 5; MPAA at 2; NCTA at 2; P&G; SIIA at 3. 183 CASRO at 6; CARU at 2; ITLG at 1; Mattel at 1; MPAA at 3; NCTA at 2. 184 CUNA at 2. PO 00000 Frm 00013 Fmt 4700 Sfmt 4700 13257 reviewing any actual personal information collected from his or her child (e.g., ‘‘We have collected the following information from your child: Mary Smith, msmith@domain.com’’). The Commission asked if these requirements are effective, if their benefits outweigh their costs, and what changes, if any, should be made. The Commission received one comment related to a parent’s right to direct the operator to delete the child’s personal information.185 The commenter indicated that operators may want to retain children’s personal information in certain situations, ranging from private contractual obligations to active law enforcement investigations, irrespective of a parent’s direction to delete the information.186 The commenter then suggested that the Commission should draft a list of exceptions to the Rule’s deletion requirement to address these situations.187 COPPA mandates, and the Rule requires, that operators satisfy three requests when made by parents upon ‘‘proper identification.’’ 188 First, operators must provide parents with a description of the types of information collected from children.189 Second, operators must provide parents with ‘‘the opportunity at any time to refuse to permit the operator’s further use or maintenance in retrievable form’’ of their child’s personal information.190 Third, operators must provide parents with the actual information collected from their child.191 Without a change in the Act, the Commission cannot adopt the exceptions from the parental deletion requirement the commenter advocated.192 The Commission also is not aware of information sufficient to justify recommending that Congress amend the Act to create such exceptions. The commenter also requested that the Commission clarify why operators must verify the identity of a purported parent before disclosing his or her child’s personal information, but not verify the identity of a purported parent 185 16 CFR 312.6(a)(2). at 3. 186 Microsoft 187 Id. 188 15 U.S.C. 6503(b)(1)(B). U.S.C. 6503(b)(1)(B)(i). 190 15 U.S.C. 6503(b)(1)(B)(ii). 191 15 U.S.C. 6503(b)(1)(B)(iii). 192 The Rule does give operators the right to collect, without parental consent, the name and online contact information of a child ‘‘to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety.’’ 16 CFR 312.5(c)(5)(iv). 189 15 E:\FR\FM\15MRR1.SGM 15MRR1 13258 Federal Register / Vol. 71, No. 50 / Wednesday, March 15, 2006 / Rules and Regulations before deleting the information.193 In drafting the Rule, the Commission carefully considered what level of identification would be appropriate for these two requirements. Erroneously disclosing a child’s actual personal information to a purported parent poses a high risk to that child’s privacy because the purported parent receives the actual personal information of the child.194 In contrast, erroneously deleting a child’s actual personal information poses a lower risk because the purported parent never receives the information.195 The Commission thus concluded that the former, but not the latter, situation warrants verifying the purported parent’s identity.196 After reconsideration, the Commission concludes that no modification to this requirement is warranted. 5. Section 312.7: Prohibition Against Conditioning a Child’s Participation on the Collection of More Personal Information Than Is Necessary Section 312.7 of the Rule prohibits operators from conditioning a child’s participation in an activity on disclosing more personal information than is reasonably necessary to participate in that activity. The Commission asked whether this prohibition is effective, if its benefits outweigh its costs, and what changes, if any, should be made to it. The Commission received one comment addressing this provision of the Rule. The commenter raised no concerns and cited this provision as one way in which the Rule has ‘‘succeeded in providing more privacy protections and safeguards for both children and their parents.’’ 197 The Commission concludes that no changes to this provision are warranted. cchase on PROD1PC60 with RULES 6. Section 312.8: Confidentiality, Security, and Integrity of Personal Information Collected From a Child Section 312.8 of the Rule requires operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from a child. The Commission asked whether this requirement is effective, if its benefits outweigh its costs, and what changes, if any, should be made to it. The FTC also specifically asked if the term ‘‘reasonable procedure’’ is sufficiently clear. The Commission received no comments addressing this 193 In conducting this verification, operators are required to use the same methods that they must use to obtain verifiable parental consent. 16 CFR 312.6(a)(3)(i). 194 64 FR at 59904. 195 Id. at 59904–05. 196 16 CFR 312.6(a)(1) and (2). 197 CUNA 2 at 2. VerDate Aug<31>2005 20:10 Mar 14, 2006 Jkt 208001 provision of the Rule. The FTC concludes that no modifications to this requirement are necessary. 7. Section 312.10: Safe Harbors Section 312.10 of the Rule provides that an operator will be deemed in compliance if the operator complies with Commission-approved selfregulatory guidelines. The Commission asked if this ‘‘safe harbor’’ approach is effective, if its benefits outweigh its costs, and what changes, if any, should be made to it. In addressing the Rule’s safe harbor provision, commenters uniformly lauded the part played by COPPA safe harbors in making successful the Commission’s effort to protect children’s online safety and privacy.198 In addition, one commenter stated that the COPPA safe harbors ‘‘are an important educational resource on children’s privacy issues, and serve to heighten awareness of children’s privacy issues more generally.’’ 199 Another commenter said, ‘‘the Safe Harbor program demonstrates the benefits of a self-regulatory scheme and mechanism for industry to maintain high standards with limited government intervention.’’ 200 One commenter, a COPPA safe harbor, suggested that the Commission encourage greater participation in COPPA safe harbor programs by amending the Rule to provide that ‘‘membership in good standing in a Commission-approved safe harbor program is an affirmative defense to an enforcement action’’ under COPPA.201 As this commenter recognized, the Rule already provides that operators ‘‘in compliance’’ with an approved safe harbor program ‘‘will be deemed to be in compliance’’ with the Rule and the Commission will consider an operator’s participation in a safe harbor program in determining whether to open an investigation or file an enforcement action, and what remedies to seek.202 The commenter did not provide any evidence demonstrating that these current incentives to participate in safe harbor programs are inadequate. The Commission thus concludes that no changes to the safe harbor provision are necessary. IV. Conclusion For the foregoing reasons, the Commission has determined to retain the Children’s Online Privacy Protection Rule without modification. 198 DMA 2 at 5; ESRB at 3–4; Mattel 2 at 5–6; TRUSTe at 1–3. 199 DMA 2 at 5. 200 Mattel 2 at 5–6. 201 TRUSTe at 3. 202 16 CFR 312.10(a) and 312.10(b)(4). PO 00000 Frm 00014 Fmt 4700 Sfmt 4700 List of Subjects in 16 CFR Part 312 Communications, Computer technology, Consumer protection, Infants and Children, Privacy, Reporting and recordkeeping requirements, Safety, Science and technology, Trade practices, Youth. By direction of the Commission. Donald S. Clark, Secretary. [FR Doc. 06–2356 Filed 3–14–06; 8:45 am] BILLING CODE 6750–01–P PENSION BENEFIT GUARANTY CORPORATION 29 CFR Parts 4022 and 4044 Benefits Payable in Terminated SingleEmployer Plans; Allocation of Assets in Single-Employer Plans; Interest Assumptions for Valuing and Paying Benefits Pension Benefit Guaranty Corporation. ACTION: Final rule. AGENCY: SUMMARY: The Pension Benefit Guaranty Corporation’s regulations on Benefits Payable in Terminated Single-Employer Plans and Allocation of Assets in Single-Employer Plans prescribe interest assumptions for valuing and paying benefits under terminating singleemployer plans. This final rule amends the regulations to adopt interest assumptions for plans with valuation dates in April 2006. Interest assumptions are also published on the PBGC’s Web site (https://www.pbgc.gov). DATES: Effective April 1, 2006. FOR FURTHER INFORMATION CONTACT: Catherine B. Klion, Attorney, Legislative and Regulatory Department, Pension Benefit Guaranty Corporation, 1200 K Street, NW., Washington, DC 20005, 202–326–4024. (TTY/TDD users may call the Federal relay service toll-free at 1–800–877–8339 and ask to be connected to 202–326–4024.) SUPPLEMENTARY INFORMATION: The PBGC’s regulations prescribe actuarial assumptions—including interest assumptions—for valuing and paying plan benefits of terminating singleemployer plans covered by title IV of the Employee Retirement Income Security Act of 1974. The interest assumptions are intended to reflect current conditions in the financial and annuity markets. Three sets of interest assumptions are prescribed: (1) A set for the valuation of benefits for allocation purposes under section 4044 (found in Appendix B to Part 4044), (2) a set for the PBGC to use E:\FR\FM\15MRR1.SGM 15MRR1

Agencies

FEDERAL TRADE COMMISSION

[Federal Register Volume 71, Number 50 (Wednesday, March 15, 2006)]
[Rules and Regulations]
[Pages 13247-13258]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 06-2356]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 312


Children's Online Privacy Protection Rule

AGENCY: Federal Trade Commission.

ACTION: Retention of rule without modification.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``the Commission'') has 
completed its regulatory review of the Children's Online Privacy 
Protection Rule (``the COPPA Rule'' or ``the Rule''), which implements 
the Children's Online Privacy Protection Act of 1998. The Rule 
regulates how Web site operators and others may collect, use, and 
distribute personal information from children online. The Commission 
requested comment on the costs and benefits of the Rule and whether it 
should be retained without change, modified, or eliminated. The 
Commission also requested comment on the Rule's effect on: information 
practices relating to children; children's ability to obtain online 
access to information of their choice; and the availability of Web 
sites directed to children. Pursuant to this review, the Commission 
concludes that the Rule continues to be valuable to children, their 
parents, and Web site operators, and has determined to retain the Rule 
in its current form. This document discusses the comments received in 
response to the Commission's request for public comment and announces 
the Commission's decision to retain the Rule without modification.

DATES: Effective Date: March 15, 2006.

FOR FURTHER INFORMATION CONTACT: Karen Muoio, (202) 326-2491, Federal 
Trade Commission, 600 Pennsylvania Avenue NW., Mail Drop NJ-3212, 
Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Introduction

    Pursuant to Congressional direction and the Commission's systematic 
program of reviewing its rules and guides, in April 2005 the Commission 
issued a Federal Register Proposed Rule seeking public comment on the 
overall costs and benefits of the COPPA Rule and other issues related 
to the Rule (``April 2005 NPR'').\1\ In response, the Commission 
received 25 comments from various parties, including: trade 
associations, Web site operators, privacy and educational 
organizations, COPPA safe harbor programs, and consumers.\2\ As part of 
its review, the Commission also considered the 91 comments received in 
response to its January 14, 2005 Notice of Proposed Rulemaking 
(``January 2005 NPR'') on the Rule's sliding scale approach to 
obtaining verifiable parental consent.\3\
---------------------------------------------------------------------------

    \1\ 70 FR 21107 (Apr. 22, 2005). The NPR also may be found 
online at https://www.ftc.gov/opa/2005/04/coppacomments.htm.
    \2\ The comments responsive to the April 2005 NPR have been 
filed on the Commission's public record as Document Nos. 516296-
00001, et seq., and may be found online at https://www.ftc.gov/os/
comments/COPPArulereview/index.htm. This document cites comments by 
commenter name and page number. If a commenter submitted comments in 
response to the April 2005 NPR and the January 2005 NPR, the comment 
submitted second is delineated with the number ``2.'' All comments 
are available for public inspection at the Public Reference Room, 
Room 130, Federal Trade Commission, 600 Pennsylvania Ave., NW., 
Washington, D.C. 20580.
    \3\ 70 FR 2580 (Jan. 14, 2005). The comments responsive to the 
January 2005 NPR have been filed on the Commission's record as 
Document Nos. 514511-00001, et seq., and may be found online at 
https://www.ftc.gov/os/comments/COPPA%20Rule%20Ammend/Index.htm.

---------------------------------------------------------------------------

[[Page 13248]]

    In the April 2005 NPR, the Commission asked members of the public 
to comment on all aspects of the Rule and additionally posed twenty-one 
specific questions. The Commission requested comment on the general 
costs and benefits of the Rule, each specific provision of the Rule, 
prominent issues that have arisen since the inception of the Rule, and 
particular issues that Congress statutorily directed the Commission to 
evaluate. The April 2005 NPR also restated the questions pertaining to 
the sliding scale approach to obtaining verifiable parental consent 
that were posed in the January 2005 NPR, to give the public further 
opportunity to comment on that issue.
    Commenters generally favored retaining the Rule without 
modification. In addition, although some commenters did not favor 
making the sliding scale approach permanent, they did not provide the 
Commission with sufficient data upon which to base a determination to 
eliminate or revise the sliding scale approach.
    This document first describes the background and requirements of 
the Rule. It then summarizes the comments received regarding the costs 
and benefits of the Rule and whether it should be retained, eliminated, 
or modified. It finally explains the Commission's determination to 
retain the Rule without modification.\4\
---------------------------------------------------------------------------

    \4\ Because the Commission is not modifying the Rule, this 
document does not contain analyses under the Regulatory Flexibility 
Act, 5 U.S.C. 601-612, and the Paperwork Reduction Act, 44 U.S.C. 
3501-3520.
---------------------------------------------------------------------------

II. Description and Background of the Children's Online Privacy 
Protection Rule

    On October 21, 1998, Congress enacted COPPA (15 U.S.C. 6501-6508), 
which prohibits certain unfair or deceptive acts or practices in 
connection with the collection, use, or disclosure of personal 
information from children on the Internet.\5\ Pursuant to COPPA's 
requirements, the Commission issued its final Rule implementing COPPA 
on November 3, 1999.\6\
---------------------------------------------------------------------------

    \5\ 15 U.S.C. 6501-6508.
    \6\ 64 FR 59888 (Nov. 3, 1999).
---------------------------------------------------------------------------

    The Rule imposes requirements on operators of Web sites or online 
services directed to children under 13 years of age or that have actual 
knowledge that they are collecting personal information online from 
children under 13 years of age (collectively, ``operators'').\7\ Among 
other things, the Rule requires operators to provide notice to parents 
and to obtain ``verifiable parental consent'' prior to collecting, 
using, or disclosing personal information from children under 13 years 
of age.\8\ ``Verifiable parental consent'' means that the consent 
method must be reasonably calculated, in light of available technology, 
to ensure that the person providing consent is the child's parent.\9\
---------------------------------------------------------------------------

    \7\ 16 CFR Part 312.
    \8\ 16 CFR 312.4(c) and 312.5.
    \9\ 16 CFR 312.5(b)(1).
---------------------------------------------------------------------------

    When the Commission issued the Rule in 1999, it adopted a sliding 
scale approach to obtaining verifiable parental consent.\10\ Under such 
an approach, more reliable measures are required for parental consent 
if an operator intends to disclose a child's information to third 
parties or the public than if the operator only uses the information 
internally. The Commission adopted the sliding scale approach to 
address concerns that it was not yet feasible to require more 
technologically advanced methods of consent for internal uses of 
information. To reflect the expectation that this assessment could 
change, the sliding scale was scheduled to sunset in 2002. When public 
comment in 2002 indicated that changes in the technology had not 
occurred, the Commission extended the sliding scale approach three more 
years.\11\ In January 2005, the Commission sought public comment on 
whether to make the sliding scale approach permanent.\12\ Based on the 
comments received, the Commission determined that it would be 
appropriate to evaluate the sliding scale approach in the broader 
context of the current Rule review. Pending the outcome of the instant 
review, the Commission amended the Rule to extend the sliding scale 
approach.\13\
---------------------------------------------------------------------------

    \10\ The Commission adopted the sliding scale as part of the 
Rule in 1999 after soliciting public comments, https://www.ftc.gov/
privacy/comments/, and conducting a public workshop, 
https://www.ftc.gov/privacy/chonlpritranscript.pdf, on consent 
methods.
    \11\ 67 FR 18818 (Apr. 17, 2002).
    \12\ 70 FR 2580.
    \13\ 70 FR 21107.
---------------------------------------------------------------------------

    In addition to requiring operators to obtain verifiable parental 
consent before collecting, using, or disclosing personal information 
from children, the Rule requires operators to post a notice of their 
information practices online, provide parents with access to their 
children's information, and keep that information confidential and 
secure.\14\ It also prohibits operators from conditioning children's 
participation in an activity on the children providing more personal 
information than is reasonably necessary to participate in that 
activity.\15\ Further, the Rule provides a safe harbor for operators 
following Commission-approved self-regulatory guidelines, and 
instructions on how to get such guidelines approved.\16\
---------------------------------------------------------------------------

    \14\ 16 CFR 312.4(b), 312.6, and 312.8.
    \15\ 16 CFR 312.7.
    \16\ 16 CFR 312.10.
---------------------------------------------------------------------------

    Both the Act and the Rule require that the Commission initiate a 
review of the Rule, including requesting data on certain issues, within 
five years of the Rule's effective date, i.e., April 21, 2005.\17\ The 
Commission initiated its review on that date.\18\ The review also has 
been conducted pursuant to the Commission's systematic program of 
periodically reviewing its rules and guides.
---------------------------------------------------------------------------

    \17\ 15 U.S.C. 6507; 16 CFR 312.11.
    \18\ 70 FR 21107. The NPR also may be found online at https://
www.ftc.gov/opa/2005/04/coppacomments.htm.
---------------------------------------------------------------------------

III. Discussion of Comments and the Retention of the Rule Without 
Modification

A. Summary of Comments

    The Commission received 25 comments in response to its April 2005 
NPR on the overall Rule and 91 comments in response to its January 2005 
NPR on the sliding scale approach to obtaining verifiable parental 
consent, for a total of 116 comments.\19\ The commenters included trade 
associations, Web site operators, privacy and educational 
organizations, COPPA safe harbor programs, and consumers.
---------------------------------------------------------------------------

    \19\ The comments are discussed in subsections B and C of this 
Part. In addition, complete lists of the commenters and their 
comments appear at https://www.ftc.gov/os/publiccomments.htm.
---------------------------------------------------------------------------

    Of the 116 comments received, 68 were non-form letter comments from 
various entities and individuals. Approximately two-thirds of these 68 
comments solely addressed the sliding scale approach.\20\ About one-
third of

[[Page 13249]]

them addressed other aspects of the Rule, in some cases also addressing 
the sliding scale approach.\21\
---------------------------------------------------------------------------

    \20\ Dori Acampora; ADVO, Inc.; American Association of 
Advertising Agencies, et al. (``AAAA''); Lou Apa; Susan Barrett; 
Belinda Brewer; American Library Association (``ALA''); Center for 
Digital Democracy (``CDD''); Children's Advertising Review Unit 
(``CARU''); Children's Media Policy Coalition (``CMPC''); Consortium 
for School Networking (``CoSN''); Council of American Survey 
Research Organizations, Inc. (``CASRO''); Council for Marketing and 
Opinion Research (``CMOR''); Credit Union National Association 
(``CUNA''); William Demers; Gale DeVoar Sr.; Direct Marketing 
Association, Inc. (``DMA''); Christina Dukes; Electronic Privacy 
Information Center (``EPIC''); Gestweb S.p.a.; Illinois Credit Union 
League (``ICUL''); IT Law Group (``ITLG''); Gary Kelly; Liana 
Laughlin; Masterfoods USA; Mattel, Inc.; Adrieh Mehdikdani et al.; 
Jim Minor; Motion Picture Association of America (``MPAA''); 
National Cable & Telecommunications Association (``NCTA''); Navy 
Federal Credit Union (``NFCU''); Alta Price; Privo, Inc.; Procter & 
Gamble (``P&G''); Schwab Learning; Terri Seleman; Software & 
Information Industry Association (``SIIA''); TRUSTe; John Surr; 
United States Internet Service Provider Association (``US ISPA''); 
John Villamil et al.; Anton Vogel et al.; Scot Wallace-Zeid; Carrie 
Williams.
    \21\ Parry Aftab, et al.; ALA 2; Robert Chapin; CoSN 2; CUNA 2; 
Robert Custer; DMA 2; Edita Domentech, et al.; EPIC 2; Entertainment 
Software Rating Board (``ESRB''); Eileen Fernandez-Parker; Joseph 
Hodges; William Kreps; Mattel 2; Microsoft Corporation; MPAA 2; NFCU 
2; Nickelodeon; Chris O'Neal; Peter Renguin; Scholastic Inc.; Time 
Warner Inc.; TRUSTe 2; Washington Legal Foundation (``WLF'').
---------------------------------------------------------------------------

    Forty-eight commenters submitted a form letter opposing letting 
operators obtain verifiable parental consent through a reply to an e-
mail alone, because this could allow children to forge their parents' 
consent. The form letter states, in pertinent part, that ``Merely 
receiving an email from a parent's email address does not qualify as 
permission since it is possible for parents to not even be aware that 
an exchange has taken place and therefore allows companies to market to 
children without parental permission.'' \22\ In its original COPPA 
rulemaking, the Commission agreed, concluding ``that e-mail alone does 
not satisfy the COPPA because it is easily subject to circumvention by 
children.'' \23\ Therefore, the Commission adopted the requirement in 
the Rule that operators must take an additional step to verify that it 
is, in fact, the parent sending the e-mail, a consent method commonly 
known as ``e-mail plus.''\24\ Specifically, the operator must send the 
parent by e-mail, letter, or telephone call a confirmation of his or 
her consent.\25\
---------------------------------------------------------------------------

    \22\ See, e.g., Barbara Abbate.
    \23\ 64 FR at 59902.
    \24\ Id. Under the sliding scale approach, if an operator wants 
to collect personal information from children and disclose it to 
third parties or the public, the Rule requires the operator to 
obtain verifiable parental consent through one of the more reliable 
means described in Section 312.5(b)(2) of the Rule. 16 CFR 
312.5(b)(2).
    \25\ Id.
---------------------------------------------------------------------------

    No commenter stated that the Rule should be eliminated. To the 
contrary, almost all commenters advocated retaining the Rule in its 
current form \26\ or adding to its requirements.\27\ Two commenters 
suggested excepting certain kinds of Web sites from the Rule's 
requirements,\28\ and one of the Rule's safe harbor programs suggested 
extending the protected status granted to safe harbor program 
participants.\29\ Some commenters requested clarification on particular 
aspects of the Rule.\30\
---------------------------------------------------------------------------

    \26\ E.g., ALA 2; CoSN 2; DMA 2; Mattel 2; MPAA 2; Nickelodeon; 
O'Neal; Scholastic; Time Warner.
    \27\ CUNA 2; EPIC 2; Fernandez-Parker; Domenech; Kreps; NFCU 2; 
Reguin.
    \28\ Aftab; Custer.
    \29\ TRUSTe 2.
    \30\ Chapin; ESRB; EPIC 2; Microsoft; Privo; Reguin.
---------------------------------------------------------------------------

    On the specific issue of the sliding scale approach, unique 
commenters generally supported retaining it, with 34 unique comments 
submitted in favor of making it permanent \31\ and nine unique comments 
submitted in favor of extending it for some period of time.\32\ Forty-
eight form-letter comments opposed allowing receipt from a parent's e-
mail address to qualify as permission but, as explained above, the Rule 
already requires more. Eleven unique commenters were against making 
permanent or extending the sliding scale approach \33\ and four did not 
take a clear position.\34\
---------------------------------------------------------------------------

    \31\ ADVO; Aftab; AAAA; Apa; Brewer; ALA 1, 2; CARU; CoSN 1, 2; 
CUNA 1, 2; DeVoar; DMA 1, 2; ESRB; ICUL; ITLG; Mattel 1, 2; 
Masterfoods; MPAA 1, 2; NCTA; NFCU 1, 2; Nickelodeon; P&G; 
Scholastic; SIIA; Time Warner; TRUSTe; U.S. ISPA; WLF.
    \32\ CDD; CMPC; CASRO; CMOR; EPIC 1, 2; Mehdikdani; Villamil; 
Vogel.
    \33\ Acampora; Barrett; Demers; Dukes; Laughlin; Minor; Price; 
Privo; Schwab Learning; Seleman; Williams.
    \34\ Gestweb; Kelly; Surr; Wallace-Zeid.
---------------------------------------------------------------------------

B. General Comments on the Rule

    The Commission's April 2005 NPR asked several questions about the 
implementation and necessity of the Rule as a whole. The NPR contained 
several standard Commission regulatory review questions about the costs 
and benefits of the Rule. The NPR also sought comments on three 
specific issues that Congress in the Act directed the Commission to 
evaluate.
1. The Costs and Benefits of the Rule
    The Commission asked several general questions in the April 2005 
NPR pertaining to the necessity and effectiveness of the Rule. The 
questions requested comment on how the Rule has affected children's 
online privacy and safety, whether the Rule is still needed, and how 
the Rule has affected consumers and operators. The Commission also 
requested comment on the Rule's effect on small businesses and whether 
the Rule is in conflict with other existing laws.
    Commenters uniformly stated that the Rule has succeeded in 
providing greater protection to children's personal information online, 
that there is a continuing need for the Rule, and that the Rule should 
be retained.\35\ For example, in explaining the Rule's success in 
protecting children's privacy and safety online, one commenter stated 
that ``COPPA has been very successful in improving the data collection 
practices and curtailing unscrupulous interactive marketing practices 
of commercial Web sites,'' \36\ while another said that ``all 
indications are that COPPA and its implementing rules provide an 
important tool in protecting the privacy and safety of children using 
the Internet.'' \37\ Another commenter stated that the Rule has 
increased consumer awareness of privacy issues across the board while 
encouraging operators to respond creatively to the challenge of 
protecting children online.\38\
---------------------------------------------------------------------------

    \35\ E.g., Aftab at 2; ALA 2 at 1; COSN 2 at 1; CUNA 2 at 1-2; 
DMA 2 at 1-2; EPIC 2 at 1, 3; MPAA 2 at 2, 5; NFCU 2 at 1; 
Nickelodeon at 1; O'Neal; Scholastic at 2-3; Time Warner at 1.
    \36\ Aftab at 2.
    \37\ EPIC 2 at 1.
    \38\ Chapin at 1.
---------------------------------------------------------------------------

    As to the continuing need for the COPPA Rule, numerous commenters 
emphasized that the Rule provides operators with a clear set of 
standards to follow and that operators have received few, if any, 
complaints from parents about the standards and how they are 
implemented.\39\ One commenter described how the Rule's definite 
standards have fostered consumer and business confidence in the 
Internet.\40\ Moreover, operators stated that they have no complaints 
about the costs of complying with the Rule's requirements.\41\
---------------------------------------------------------------------------

    \39\ DMA 2 at 2; MPAA 2 at 2, 5; Nickelodeon at 1; Scholastic at 
2-3; Time Warner at 1.
    \40\ MPAA 2 at 3-4.
    \41\ CoSN 2 at 1; NFCU 2 at 1; Nickelodeon at 1; Scholastic at 
2-3; Time Warner at 1. Indeed, one commenter detailed the ways in 
which changing the Rule's sliding scale approach would impose 
substantial costs on operators. MPAA at 4-5. The commenter, a large 
trade association representing numerous Web site operators, stated 
that these costs would include not only up-front labor and other 
quantifiable financial costs, but also unquantifiable costs 
associated with operators becoming unwilling to invest in new 
technology due to an uncertain regulatory climate and consumers 
becoming unwilling to trust an uncertain system. Id.
---------------------------------------------------------------------------

    The Commission did not receive any comments specifically addressing 
the Rule's costs and benefits for small businesses or the Rule's 
overlap with other laws or regulations.
    The Commission concludes that no modifications to the Rule are 
necessary on the basis of general comments submitted on the Rule and 
its costs and benefits.
2. COPPA-Mandated Issues
    When Congress enacted COPPA, it included a provision requiring the 
Commission to evaluate and report on the implementation of the Rule 
five years after its effective date. Congress directed the Commission 
to evaluate three particular issues: (1) How the Rule has affected 
practices relating to the

[[Page 13250]]

collection and disclosure of information relating to children online; 
(2) how the Rule has affected children's access to information of their 
choice online; and (3) how the Rule has affected the availability of 
Web sites or online services directed to children.\42\ Accordingly, the 
Commission specifically included questions about these issues in the 
April 2005 NPR.\43\
---------------------------------------------------------------------------

    \42\ 15 U.S.C. 6507.
    \43\ 70 FR at 21109.
---------------------------------------------------------------------------

    Some commenters submitted views on the three issues, although none 
provided the Commission with related empirical data. Regarding the 
question of whether and, if so, how the Rule has affected practices 
relating to the collection, use, and disclosure of information relating 
to children online, three commenters (two operators of major Web sites 
and their trade association) provided specific and concrete examples of 
how the Rule has affected their own information practices concerning 
children.\44\ These commenters stated that the primary response of 
operators has been to limit the personal information they collect from 
children (by either not collecting any personal information or 
collecting only e-mail addresses) while developing innovative ways to 
offer the interactive online experiences children want. The commenters 
each described a wide variety of activities they offer at their Web 
sites that let children interact with the sites but require little or 
no information collection or disclosure.\45\
---------------------------------------------------------------------------

    \44\ DMA 2 at 2; Nickelodeon at 3-4; Time Warner at 2.
    \45\ Id.
---------------------------------------------------------------------------

    These commenters also stated that the Rule's exceptions to prior 
verifiable parental consent for e-mail addresses are useful for 
providing children with safe online interactivity while preserving 
their Web sites' viability.\46\ The Rule sets forth five exceptions to 
its requirement that operators obtain verifiable parental consent 
before collecting a child's personal information. These exceptions 
allow operators to collect a child's online contact information (i.e., 
an e-mail address) \47\ without obtaining prior parental consent and 
use that information only for certain specified purposes.\48\ In each 
instance, the Rule prohibits the operator from using the information 
for any other purpose.
---------------------------------------------------------------------------

    \46\ Id.
    \47\ Id. Some exceptions also allow the operator to collect the 
child's name, the parent's name, or the parent's online contact 
information.
    \48\ 16 CFR 312.5(c). For example, an operator can collect and 
use a child's e-mail address without prior parental consent to 
obtain verifiable parental consent, to protect the safety of a child 
visitor, or to respond to judicial process. 16 CFR 312.5(c)(1), 
312.5(c)(4), and 312.5(c)(5)(ii).
---------------------------------------------------------------------------

    The commenters highlighted two of the exceptions as particularly 
useful in providing interactive content to children. The first of these 
exceptions lets operators collect a child's e-mail address to respond 
once to a child's specific request, such as to answer a question (e.g., 
homework help) or to provide other information (e.g., when a new 
product will be on sale).\49\ The operator does not need to provide 
notice to the parents or obtain parental consent, so long as it deletes 
the child's e-mail address upon responding. The second noted exception 
lets an operator collect the e-mail addresses of the child and his or 
her parent so that the operator can respond more than once to a child's 
specific request, such as to subscribe the child to an electronic 
newsletter.\50\ Here, the operator must provide notice to the parent 
before contacting the child a second time and give the parent an 
opportunity to opt out of the repeated contact. Commenters stated that 
these two exceptions help them to provide safe, interactive, and fun 
children's content.\51\
    The second statutorily mandated question was whether and, if so, 
how the Rule has affected children's ability to access information 
online. Most commenters stated that the Rule's requirements have struck 
an appropriate balance between protecting children's personal 
information online and preserving their ability to access content.\52\ 
One commenter stated that the Rule has ``unfairly limited student 
access to educational sites.'' \53\ In contrast, another commenter 
noted that, in her experience as a teacher, children have been able to 
access online educational content without revealing their personal 
information and that her students ``have not faced a problem because of 
COPPA.'' \54\ In addition, in the educational context, teachers often 
can act on behalf of parents to provide consent for purposes of 
COPPA.\55\
---------------------------------------------------------------------------

    \49\ 16 CFR 312.5(c)(2).
    \50\ 16 CFR 312.5(c)(3).
    \51\ DMA 2 at 2; Nickelodeon at 3-4; Time Warner at 2.
    \52\ DMA 2 at 1-2; Fernandez-Parker; Nickelodeon at1; Time 
Warner at 3.
    \53\ Custer. The commenter suggested that the Commission exempt 
educational sites from the Rule. The Commission notes that the Rule 
already exempts certain nonprofit entities, which would include many 
educational sites. 16 CFR 312.2 (``Operator means any person who 
operates a website * * * where such website or online service is 
operated for commercial purposes[.] * * * This definition does not 
include any nonprofit entity that would otherwise be exempt from 
coverage under Section 5 of the Federal Trade Commission Act (15 
U.S.C. 45).'').
    \54\ Fernandez-Parker.
    \55\ Most schools require parents to agree to the school's 
Internet ``Acceptable Use Policy'' (``AUP'') before a child can 
visit the Internet at school. Such AUPs can and often do authorize 
teachers to act on behalf of parents to provide verifiable parental 
consent for purposes of COPPA. In this way, if children must provide 
personal information to access certain content, the teacher can 
provide the requisite consent. The Commission has posted COPPA 
guidance for teachers and parents at https://www.ftc.gov/bcp/conline/
pubs/online/teachers.htm.
---------------------------------------------------------------------------

    The final statutorily mandated question concerned the Rule's effect 
on the availability of Web sites directed to children. Many commenters 
indicated that they have been successful in operating popular and 
viable children's Web sites in the five years since the Rule's 
effective date.\56\ One commenter, however, suggested that the Rule's 
requirements could have caused at least a few smaller children's Web 
sites to fail.\57\ However, this commenter also acknowledged that, 
given the failure of innumerable Web sites for multiple reasons during 
the dot-com bust of 2000, it would be difficult to single out the Rule 
as the cause. No commenters submitted empirical data showing the Rule's 
direct impact on the availability of Web sites directed to children. 
Accordingly, the record does not indicate that the cost of complying 
with COPPA has decreased the number of children's Web sites.\58\
---------------------------------------------------------------------------

    \56\ DMA 2 at 2; MPAA 2 at 8; Nickelodeon at 11; Scholastic at 
2.
    \57\ Aftab at 1.
    \58\ One commenter suggested that the Commission regularly 
evaluate the status of children's privacy online to ensure that the 
Rule continues to provide children with the best protection. EPIC 2 
at 3. Under the FTC's systematic program of periodically reviewing 
its rules and guides, the Rule will be evaluated comprehensively, 
approximately every ten years.
---------------------------------------------------------------------------

    The Commission concludes that no modifications to the Rule are 
necessary on the basis of the comments submitted in response to the 
three COPPA-mandated questions.

C. Comments Pertaining to Specific Rule Provisions \59\
---------------------------------------------------------------------------

    \59\ The Commission received no comments on certain provisions 
of the Rule, including Section 312.1 (describing the Rule's scope); 
Section 312.3 (generally describing the Rule's requirements); 
Section 312.9 (providing that a violation of the Rule shall be 
treated as a violation of a rule prohibiting an unfair or deceptive 
act or practice prescribed under Section 18(a)(1)(B) of the FTC Act, 
15 U.S.C. 57(a)(1)(B)); Section 312.11 (mandating the instant 
regulatory review); and Section 312.12 (providing that each Rule 
provision is separate and severable from the others). The Commission 
has determined that no modifications to these provisions are 
necessary.
---------------------------------------------------------------------------

1. Section 312.2: Definitions
    Section 312.2 defines various terms used in the Rule.\60\ The 
Commission

[[Page 13251]]

requested comment on whether the definitions contained in this section 
are effective, clear, and appropriate, and whether any improvements or 
additions should be made. In particular, the Commission asked whether 
the Rule correctly articulates the factors to consider in determining 
whether a Web site is directed to children and whether the term 
``actual knowledge'' is sufficiently clear.\61\
---------------------------------------------------------------------------

    \60\ 16 CFR 312.2.
    \61\ 70 FR at 21109.
---------------------------------------------------------------------------

    No comments were submitted on the general effectiveness of the 
Rule's definitions section, but the Commission received some comments 
concerning the terms ``website or online service directed to children'' 
and ``actual knowledge.'' The term ``website or online service directed 
to children'' is defined specifically in COPPA and the Rule itself,\62\ 
while ``actual knowledge'' is discussed in the Rule's Statement of 
Basis and Purpose and later Commission guidance.\63\ Overall, most 
commenters stated that the terms are sufficiently clear,\64\ although 
two suggested that the Commission continue to refine the terms through 
enforcement actions or other guidance.\65\
---------------------------------------------------------------------------

    \62\ 15 U.S.C. 6502; 16 CFR 312.2. See also discussion of 
factors to be considered in determining whether a Web site is 
directed to children at 64 FR 59893.
    \63\ 64 FR 59892; Frequently Asked Questions about the 
Children's Online Privacy Protection Rule: Volume One (``COPPA 
FAQs''), questions 38 and 39, available at https://www.ftc.gov/
privacy/coppafaqs.htm#teen; and The Children's Online Privacy 
Protection Rule: Not Just for Kids' Sites, available at https://
www.ftc.gov/bcp/conline/pubs/alerts/coppabizalrt.htm.
    \64\ DMA 2 at 2-4; EPIC 2 at 3-5; Nickelodeon at 9-10; Time 
Warner at 4, 6.
    \65\ EPIC 2 at 5; ESRB at 2-3.
---------------------------------------------------------------------------

a. ``Website or Online Service Directed to Children''
    The Rule specifically defines the term ``website or online service 
directed to children'' as ``a commercial website or online service, or 
portion thereof, that is targeted to children.'' \66\ The Rule further 
provides that, in determining whether a Web site or online service is 
``targeted to children,'' the Commission will consider several factors. 
These factors include subject matter; visual and audio content; age of 
models; language or other characteristics; advertising appearing on or 
promoting the site or service; competent and reliable empirical 
evidence of audience composition; evidence regarding the intended 
audience; and whether the site uses animated characters or child-
oriented activities or incentives.\67\ The Rule's Statement of Basis 
and Purpose states that the Commission, in making its determination, 
will consider ``the overall character of the site--and not just the 
presence or absence of one or more factors.'' \68\ Commenters 
representing numerous Web site operators stated that the language of 
the Rule and discussion in the Rule's Statement of Basis and Purpose 
provide effective and clear guidance for determining whether a Web site 
is directed to children.\69\
---------------------------------------------------------------------------

    \66\ 16 CFR 312.2.
    \67\ 64 FR 59912-13.
    \68\ 64 FR 59893.
    \69\ DMA 2 at 2; Nickelodeon at 9; Time Warner at 4-5.
---------------------------------------------------------------------------

    Two commenters suggested that the Commission clarify, through 
additional guidance, when a Web site is considered to be directed to 
children under the Rule. The first commenter suggested adding several 
design elements to the Rule's list of factors the Commission will 
consider, including color, non-textual content, interactivity, 
navigational tools, and advertisements.\70\ The Commission believes 
that the existing factors set forth in the Rule already encompass these 
suggested additions. For example, the Rule's definition expressly 
provides that the Commission will consider advertising appearing on or 
promoting the Web site or service.\71\ The Rule also provides that the 
Commission will consider a site's visual and audio content, language 
and other characteristics of the site, and any child-oriented 
activities or incentives.\72\ The Commission therefore concludes it is 
unnecessary to modify the Rule's definition of a Web site or online 
service directed to children.
---------------------------------------------------------------------------

    \70\ EPIC 2 at 4.
    \71\ 16 CFR 312.2.
    \72\ Id.
---------------------------------------------------------------------------

    A second commenter suggested it might be instructive to incorporate 
into the Rule the analysis that Commission staff set forth in a recent 
letter denying a petition for law enforcement action filed concerning 
the Amazon Web site, https://www.amazon.com.\73\ The letter, published 
on the petitioner's Web site,\74\ analyzes the Amazon Web site using 
the factors set forth in the Rule for determining whether a Web site is 
directed to children. The commenter suggested that incorporating the 
analysis into the Rule would clarify how the Commission determines 
whether other Web sites are directed to children. The letter does 
provide one example of how the Commission staff has applied the Rule's 
factors in analyzing whether a particular Web site was directed to 
children. However, the Commission does not believe that the general 
factors in the Rule need to be modified in light of the FTC staff's 
application of these factors in that specific instance.
---------------------------------------------------------------------------

    \73\ ESRB at 2.
    \74\ See https://www.epic.org/privacy/amazon/ftc_amazon.pdf 
(last accessed 10/12/05).
---------------------------------------------------------------------------

b. ``Actual Knowledge''
    The Commission also asked whether the term ``actual knowledge'' is 
sufficiently clear. The Rule's requirements apply to operators of Web 
sites other than those directed to children (sometimes referred to as 
``general audience Web sites'') if such operators have ``actual 
knowledge'' that they are collecting or maintaining personal 
information from children.\75\ The Rule's Statement of Basis and 
Purpose explains that a general audience Web site operator has the 
requisite actual knowledge if it ``learns of a child's age or grade 
from the child's registration or a concerned parent * * * .'' \76\ It 
may have the requisite knowledge if it asks age, grade, or other age-
identifying questions.\77\ Subsequent to the Rule's issuance, the 
Commission staff posted guidance on the FTC Web site clarifying that a 
general audience Web site operator does not obtain actual knowledge of 
a child's age ``[i]f a child posts personal information on a general 
audience site, but doesn't reveal his or her age * * *'' \78\ In 
addition, the guidance provides that the operator would not have actual 
knowledge if a child posts his or her age in a chat room on the site, 
but no one at the operator sees or is alerted to the post.\79\
---------------------------------------------------------------------------

    \75\ 16 CFR 312.3.
    \76\ 64 FR 59892.
    \77\ Id.
    \78\ COPPA FAQs, question 38, available at https://www.ftc.gov/
privacy/coppafaqs.htm#teen.
    \79\ Id. The Commission also released a business alert in 2004 
reiterating its guidance on actual knowledge, in conjunction with 
filing complaints and consent decrees against two general audience 
Web site operators that allegedly had actual knowledge that they 
were collecting personal information from children. See February 18, 
2004 FTC news release at https://www.ftc.gov/opa/2004/02/bonziumg.htm 
and FTC Business Alert entitled The Children's Online Privacy 
Protection Rule: Not Just for Kids Sites at https://www.ftc.gov/bcp/
conline/pubs/alerts/coppabizalrt.htm.
---------------------------------------------------------------------------

    Most commenters stated that the Rule's Statement of Basis and 
Purpose and subsequent guidance have made the term ``actual knowledge'' 
sufficiently clear and no modification to the Rule is necessary.\80\ 
For example, one commenter states ``the Commission's guidance 
clarifying that asking for age or date of birth information or similar 
questions through which the Web site would learn the ages of specific 
visitors[] provides clear criteria for Web

[[Page 13252]]

sites to determine their obligations.'' \81\ One commenter did suggest, 
however, that the Commission continue to clarify the term in the 
context of additional enforcement actions.\82\ The Commission concludes 
that no modifications to the Rule are necessary on the basis of these 
comments.
---------------------------------------------------------------------------

    \80\ E.g., DMA 2 at 3-4; Nickelodeon at 9-10; Time Warner at 6-
7.
    \81\ Nickelodeon at 10.
    \82\ EPIC 2 at 5.
---------------------------------------------------------------------------

c. Age Screening and Age Falsification
    General audience Web sites or those directed to teenagers may 
attract a substantial number of children under the age of 13. Although 
such Web sites are not directed at children under 13, operators of such 
sites must comply with the Rule to the extent that they have ``actual 
knowledge'' that visitors are under 13.
    Some operators of such Web sites choose to screen visitors to 
determine whether they are under 13. This practice, popularly referred 
to as ``age-screening,'' started with Web sites directed to teenagers 
and is now used by many general audience Web sites that may appeal to 
children. Some general audience Web sites appear to use age-screening 
to reject children's registration requests, thus providing children 
with an incentive to falsify their age to gain access. The FTC staff 
has issued guidance regarding how operators of teen-directed Web sites 
can obtain age information from their visitors without encouraging age 
falsification.\83\
---------------------------------------------------------------------------

    \83\ COPPA FAQs, question 39, available at https://www.ftc.gov/
privacy/coppafaqs.htm#teen.
---------------------------------------------------------------------------

    The Commission asked if there was evidence that a substantial 
number of children were falsifying age information in response to age-
screening on general audience Web sites and, if so, whether the Rule 
should be modified to address this problem. The Commission received 
five comments concerning age-screening. Two commenters stated that some 
children falsify their age to register on Web sites that screen for 
age, but provided no empirical information as to how frequently this 
occurs.\84\ Other commenters stated that age falsification is not a 
problem in practice, especially when Web sites follow Commission staff 
guidance and request age information in a neutral manner, then set 
session cookies to prevent children from later changing their age.\85\ 
One commenter suggested that attempting to regulate online age 
falsification would be unrealistic, because there is no way to prevent 
certain children from falsifying their age.\86\ Instead, commenters 
stressed that following Commission staff guidance on age-screening 
remains a reasonable practice for teen or general audience site 
operators seeking to comply with the Rule.\87\ The Commission has 
concluded that no changes to the Rule are needed in response to 
operators' age-screening practices.
---------------------------------------------------------------------------

    \84\ Aftab at 5; WLF at 5.
    \85\ DMA 2 at 4; Time Warner at 6.
    \86\ WLF at 5.
    \87\ DMA 2 at 4; Time Warner at 6. One commenter reported that 
age-screening in the shopping area of its general audience Web site 
was preventing adults who enter an age under 13 from completing 
their purchase. Mattel at 2-3. As discussed in the text, age-
screening is designed for general audience Web sites or portions of 
Web sites that may appeal to children. The shopping areas of Web 
sites are unlikely to attract children because making a purchase 
online generally requires a credit card, which most children do not 
have. The Commission therefore has not advocated that operators of 
general audience Web sites, like the commenter, ask age-screening 
questions on the shopping areas of their sites.
---------------------------------------------------------------------------

d. Other Definitions
    Few comments were submitted about the definitions of other terms 
used in the Rule. Two commenters suggested that the term ``internal 
use'' is not adequately defined.\88\ The Rule does not define the term 
``internal use,'' but it does define ``disclosure'' to include 
releasing personal information collected from a child, except to a 
person providing internal support for the operations of the Web 
site.\89\ The Rule also explicitly provides that persons providing 
internal support cannot use the information for any other purpose.\90\ 
The Rule's Statement of Basis and Purpose further explains that 
``support for the internal operations of the Web site'' can include 
providing technical support, servers, or services such as chat and e-
mail.\91\
---------------------------------------------------------------------------

    \88\ Privo at 5; EPIC at 2.
    \89\ 16 CFR 312.2.
    \90\ Id.
    \91\ See 64 FR 59890-91.
---------------------------------------------------------------------------

    The commenters that asked that ``internal use'' of information be 
defined specifically sought clarification as to whether sharing 
information among corporate affiliates constitutes an internal use or a 
disclosure. The Rule's Statement of Basis and Purpose explains that 
determining whether an operator's sharing of information with another 
entity is an internal use or a disclosure depends on the receiving 
entity's relationship to the information. Sharing information with 
another entity can constitute an internal use of the information only 
if it is solely to facilitate internal support services for the 
operator and the entity does not use the information for any other 
purpose.\92\ Sharing for any other use, whether or not the other entity 
is a corporate affiliate, constitutes a disclosure.\93\ The Commission 
concludes that no modification to the Rule is necessary.
---------------------------------------------------------------------------

    \92\ Id. at 59890, 59891. The Rule's Statement of Basis and 
Purpose incorporates by reference a set of factors that can be used 
to help define an entity's relationship to collected information, 
including ownership, control, payment, use, and maintenance of the 
information, as well as any pre-existing contractual relationships. 
Id. at 59891, citing 64 FR 22750, 22752 (Apr. 27, 1999). See also 
COPPA FAQs, question 47, at https://www.ftc.gov/privacy/
coppafaqs.htm.
    \93\ Id.
---------------------------------------------------------------------------

    Another commenter suggested that the Commission expand the Rule's 
definition of ``operator'' to include individuals operating 
noncommercial Web sites and nonprofit entities operating Web sites.\94\ 
COPPA expressly applies only to operators of Web sites and online 
services ``operated for commercial purposes'' and excludes ``any 
nonprofit entity that would otherwise be exempt from coverage under 
Section 5 of the Federal Trade Commission Act (15 U.S.C. 45).'' \95\ 
The Rule includes the statutory language of COPPA,\96\ so the 
Commission cannot modify the definition.
---------------------------------------------------------------------------

    \94\ Reguin.
    \95\ 15 U.S.C. 6502(2).
    \96\ 16 CFR 312.2. The Commission staff has provided guidance 
encouraging all operators to practice fair information principles 
with their visitors, https://www.ftc.gov/privacy/coppafaqs.htm#teen, 
and many nonprofit Web sites do voluntarily comply with COPPA and 
the Rule because they want to protect children's safety and privacy. 
In addition, Federal policy requires all federal Web sites to 
provide their child visitors with COPPA protections. Memorandum for 
the Heads of Executive Departments and Agencies, M-00-13 (June 22, 
2000), available at https://www.whitehouse.gov/omb/memoranda/m00-
13.html.
---------------------------------------------------------------------------

    Finally, one commenter sought clarification of certain statutory 
terms set forth in COPPA, such as ``online contact information,'' 
``personal information,'' ``retrievable form,'' and ``recontact.'' \97\ 
To provide businesses and consumers with additional guidance, the 
Commission has provided more specific articulations of some of COPPA's 
statutory terms in the Rule and the Rule's Statement of Basis and 
Purpose. For example, the commenter asked the Commission to clarify 
whether certain types of information not specifically listed in COPPA's 
definition of ``personal information,'' such as IP addresses, unique 
identifiers, birthdates, or photographs, do constitute ``personal 
information.'' The Rule's definition of ``personal information'' 
includes ``a persistent identifier * * * associated with individually 
identifiable information'' as well as a photograph when combined with 
other information that permits contacting the individual.\98\ The 
Commission concludes that no

[[Page 13253]]

additional clarification of the particular terms identified by this 
commenter is necessary.
---------------------------------------------------------------------------

    \97\ Chapin.
    \98\ 16 CFR 312.2.
---------------------------------------------------------------------------

    For the reasons discussed above, the Commission concludes that no 
modifications to the Rule's current definitions are necessary.
2. Section 312.4: Notice
    Section 312.4 of the Rule requires operators to provide notice of 
their information practices to parents. These notices must inform 
parents about their information practices, including what information 
they collect from children online, how they use the information, and 
their disclosure practices for such information. The Commission 
requested comment on whether the notice requirement is effective, if 
its benefits outweigh its costs, and what changes, if any, should be 
made to it.
    Two commenters submitted comments on the Rule's notice provision. 
The first commenter noted the importance of providing parents with 
contact information for the operator, so they can discuss and attempt 
to resolve any concerns with the operator.\99\ The commenter did not 
seek any changes to the Rule's notice provision.
---------------------------------------------------------------------------

    \99\ CUNA 2 at 1-2.
---------------------------------------------------------------------------

    The second commenter stated that it was unclear whether the Rule 
requires a general audience Web site operator with actual knowledge 
that it has collected personal information from a child to post a 
privacy notice on its site.\100\ Section 312.4(b) of the Rule sets 
forth the requirements for posting a privacy notice on a Web site, 
including which operators must post a privacy notice online.\101\ 
According to the Rule, ``an operator of a Web site or online service 
directed to children must post a link to a notice of its information 
practices with regard to children * * *'' \102\ In addition, ``[a]n 
operator of a general audience website or online service that has a 
separate children's area or site must post a link to a notice of its 
information practices with regard to children* * *.'' \103\ The Rule 
therefore does not otherwise require that operators post privacy 
notices, including general audience site operators that have actual 
knowledge that they have collected personal information from children. 
For the above reasons, the Commission concludes that no modification to 
the Rule's notice requirement is necessary.
---------------------------------------------------------------------------

    \100\ Microsoft at 2-3.
    \101\ 16 CFR 312.4.
    \102\ 16 CFR 312.4(b).
    \103\ Id.
---------------------------------------------------------------------------

3. Section 312.5: Verifiable Parental Consent
a. General Issues
    Section 312.5 of the Rule requires operators to obtain verifiable 
parental consent before collecting, using, or disclosing any personal 
information from children, including making any material change to 
information practices to which the parent previously consented. The 
Commission requested comment on whether the consent requirement is 
effective, if its benefits outweigh its costs, and what changes, if 
any, should be made to the requirement. The Commission further asked 
whether it is reasonable for an operator to use a credit card to verify 
a parent's identity. The Commission also offered an additional 
opportunity for the public to comment on the Rule's sliding scale 
approach to obtaining verifiable parental consent.
1. Parental Opt-Out From Disclosure to Third Parties
    One commenter asked how operators that provide online communication 
services such as e-mail accounts, bulletin boards, and chat rooms can 
comply with Section 312.5(a)(2) of the Rule.\104\ This section mandates 
that parents must be given the option to allow an operator to collect a 
child's personal information (such as by registering a child for an e-
mail or chat account) but not disclose the information collected to 
third parties.\105\ The commenter noted that the Rule defines 
``disclosure'' to include ``making personal information collected * * * 
publicly available in identifiable form,'' such as through an e-mail 
account or chat room.\106\ Specifically, the commenter contended that 
``a parent cannot realistically consent only to the use of his or her 
child's personal information and not to the disclosure of such 
information by these [online communications] services.''\107\
---------------------------------------------------------------------------

    \104\ Microsoft at 4.
    \105\ 16 CFR 312.2.
    \106\ Microsoft at 4, citing 16 CFR 312.2.
    \107\ Id.
---------------------------------------------------------------------------

    Commission staff guidance addresses this point. ``The Rule only 
requires parental choice as to disclosures to third parties. You don't 
have to offer parents choice regarding the collection of personal 
information necessary for chat or a message board; but prior parental 
consent is still required before permitting children to participate in 
chat rooms or message boards that enable them to make their personal 
information publicly available.'' \108\ For example, when an e-mail 
provider obtains verifiable parent consent for registering a child for 
an e-mail account, the operator must let the parent opt out from any 
disclosures, by the operator, of information collected during the 
registration process. The Commission concludes that no modification to 
the Rule is required.
---------------------------------------------------------------------------

    \108\ COPPA FAQs, question 37, available at https://www.ftc.gov/
privacy/coppafaqs.htm#consent. See also 64 FR at 59899, note 166.
---------------------------------------------------------------------------

2. Using a Credit Card To Obtain Verifiable Parental Consent
    The Rule sets forth a nonexclusive list of approved methods to 
obtain verifiable parental consent, including the use of a credit card 
in connection with a transaction.\109\ In light of reports that 
companies are marketing credit cards to minors,\110\ the Commission 
specifically requested comment on the continued use of credit cards as 
a means of obtaining verifiable parental consent.
---------------------------------------------------------------------------

    \109\ 16 CFR 312.5(b).
    \110\ See, e.g., articles at https://www.bankrate.com/brm/news/
cc/20000508.asp; https://www.commercialalert.org/blog/archives/2005/
02/marketing_credi.html; https://www.fool.com/news/commentary/2004/
commentary04092804.htm (all last accessed 12/07/05).
---------------------------------------------------------------------------

    The majority of commenters on this issue stated that even if a 
small percentage of children may possess credit cards, using a credit 
card with a transaction is a reasonable and trustworthy method to 
obtain verifiable parental consent.\111\ No information was submitted 
demonstrating to what extent credit cards are issued to children under 
13.\112\ Commenters, however, emphasized that granting credit requires 
the formation of a legally enforceable contract between the creditor 
and the debtor, which has resulted in credit cards being issued almost 
exclusively to adults.\113\ Moreover, even if credit cards are being 
issued to children under 13, the same principles of contract law would 
require the credit cards to be linked to a supervisory adult's 
account.\114\ Through this link, parents can set controls on and 
monitor the account, ensuring that the children cannot use the credit 
cards without permission.\115\
---------------------------------------------------------------------------

    \111\ DMA 2 at 4, 5; ESRB at 2; Mattel 2 at 5; MPAA 2 at 6-8; 
Nickelodeon at 10-11; Scholastic at 2; Time Warner at 2.
    \112\ DMA 2 at 4; ESRB at 2; Mattel 2 at 5; MPAA 2 at 6; 
Scholastic at 2; Time Warner at 7.
    \113\ DMA 2 at 4; MPAA 2 at 7-8; Nickelodeon at 10; Scholastic 
at 2; Time Warner at 7-8.
    \114\ DMA 2 at 4; MPAA 2 at 6; Nickelodeon at 10; Time Warner at 
7.
    \115\ CUNA 2 at 2; NFCU 2 at 1.
---------------------------------------------------------------------------

    In addition, the Rule's requirement that the credit card be used in 
connection with a transaction provides

[[Page 13254]]

extra reliability because parents obtain a transaction record that 
gives them additional notice of the consent provided.\116\ Parents thus 
are notified of the purported consent, and can withdraw it if 
improperly given.\117\ The Commission is satisfied that no change in 
circumstances has invalidated using a credit card with a transaction to 
obtain verifiable parental consent.\118\
---------------------------------------------------------------------------

    \116\ MPAA 2 at 6.
    \117\ DMA 2 at 5; MPAA 2 at 7.
    \118\ The Commission expresses no view about the legal 
ramifications of using a credit card transaction as a proxy for age 
generally, a tangential issue raised by some commenters. Mattel 2 at 
5; MPAA at 7-8; Nickelodeon at 10-11; Scholastic at 2; Time Warner 
at 8.
---------------------------------------------------------------------------

    One commenter requested clarification on whether the Rule would 
permit using a credit card to obtain verifiable parental consent 
without a concomitant transaction.\119\ The Rule provides: ``Any method 
to obtain verifiable parental consent must be reasonably calculated, in 
light of available technology, to ensure that the person providing 
consent is the child's parent.'' \120\ Some methods can confirm that 
the credit card number provided is consistent with numbers that issuers 
assign to their credit cards, but this does not provide reasonable 
assurance that the number provided is for an actual credit card. Other 
methods can confirm that the credit card number is the number of an 
actual credit card, but does not provide reasonable assurance that the 
card belongs to the child's parent. The Commission therefore concludes 
that these methods are not reasonably calculated to ensure that it was 
the parent who provided consent. In addition, unless the operator 
conducts a transaction in connection with the consent, no record is 
formed notifying the parent of the purported consent and offering an 
opportunity to revisit that consent.\121\ The Commission concludes that 
no modification is warranted to the Rule provision treating the use of 
a credit card in connection with a transaction as one method of 
obtaining verifiable parental consent.\122\
---------------------------------------------------------------------------

    \119\ ESRB at 2.
    \120\ 16 CFR 312.5(b)(1).
    \121\ DMA 2 at 5.
    \122\ Previous FTC staff guidance suggested that operators might 
not always be prohibited from using a credit card without a 
transaction to obtain consent. Such guidance will be clarified to 
reflect the Commission's determination that such a method currently 
does not constitute verifiable parental consent. See COPPA FAQs, 
question 34, at https://www.ftc.gov/privacy/coppafaqs.htm#consent.
---------------------------------------------------------------------------

3. The E-Mail Exceptions to Prior Parental Consent
    The Commission next requested comment on the Rule's exceptions to 
prior parental consent (the ``e-mail exceptions'' to prior parental 
consent). In limited circumstances, COPPA and Section 312.5(c) of the 
Rule allow operators to collect the online contact information of the 
child, and sometimes parent, before obtaining verifiable parental 
consent.\123\ Such circumstances include when the operator seeks to 
obtain parental consent, wants to respond once to a child's specific 
request (such as a homework help question), or wants to respond 
multiple times to a child's specific request (such as an electronic 
newsletter).\124\
---------------------------------------------------------------------------

    \123\ 15 U.S.C. 6503(b)(2); 16 CFR 312.5(c).
    \124\ Id.
---------------------------------------------------------------------------

    Two commenters stated that the e-mail exceptions are useful in 
allowing operators to continue to provide interactive content to 
children online. One stated: ``The ability to use COPPA's `e-mail 
exceptions' to parental consent has enabled us to offer meaningful 
children's content and preserve the interactivity of the medium, while 
still protecting privacy.'' \125\ The commenter noted that the e-mail 
exceptions enable not only online activities popular with children, 
such as contests, online newsletters, and electronic postcards, but 
also sending direct notices and requests for consent to parents.\126\
---------------------------------------------------------------------------

    \125\ Nickelodeon at 1.
    \126\ Id. at 5.
---------------------------------------------------------------------------

    Another commenter suggested that the Rule should prohibit operators 
from collecting any information from children, even just an e-mail 
address, without parental consent. However, the commenter neither 
provided any basis for eliminating the e-mail exceptions nor offered 
any alternative way to provide direct notice and obtain parental 
consent.\127\ The Commission concludes for these reasons that no 
modification to the e-mail exceptions to prior parental consent is 
necessary.
---------------------------------------------------------------------------

    \127\ Domentech at 6.
---------------------------------------------------------------------------

b. The Sliding Scale Approach To Obtaining Verifiable Parental Consent
    In its April 2005 FRN, the Commission gave the public an additional 
opportunity to comment on the Rule's sliding scale approach to 
obtaining verifiable parental consent. The Rule provides that ``[a]ny 
method to obtain verifiable parental consent must be reasonably 
calculated, in light of available technology, to ensure that the person 
providing consent is the child's parent.'' \128\ Prior to issuing the 
Rule, the Commission studied extensively the state of available 
parental consent technologies.\129\ In July 1999, the Commission held a 
workshop on parental consent, which revealed that more reliable 
electronic methods of verification were not widely available or 
affordable.\130\
---------------------------------------------------------------------------

    \128\ 16 CFR 312.5(b)(1).
    \129\ See, e.g., public comments received on initial rulemaking 
(1999), available at https://www.ftc.gov/pri

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.