Children's Online Privacy Protection Rule, 59804-59833 [2011-24314]

Agencies

• FEDERAL TRADE COMMISSION

[Federal Register Volume 76, Number 187 (Tuesday, September 27, 2011)]
[Proposed Rules]
[Pages 59804-59833]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-24314]



[[Page 59803]]

Vol. 76

Tuesday,

No. 187

September 27, 2011

Part III





Federal Trade Commission





-----------------------------------------------------------------------





16 CFR Part 312





Children's Online Privacy Protection Rule; Proposed Rule

Federal Register / Vol. 76 , No. 187 / Tuesday, September 27, 2011 / 
Proposed Rules

[[Page 59804]]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 312

RIN 3084-AB20


Children's Online Privacy Protection Rule

AGENCY: Federal Trade Commission (``FTC'' or ``Commission'').

ACTION: Proposed rule; request for comment.

-----------------------------------------------------------------------

SUMMARY: The Commission proposes to amend the Children's Online Privacy 
Protection Rule (``COPPA Rule'' or ``Rule''), consistent with the 
requirements of the Children's Online Privacy Protection Act to respond 
to changes in online technology, including in the mobile marketplace, 
and, where appropriate, to streamline the Rule. After extensive 
consideration of public input, the Commission proposes to modify 
certain of the Rule's definitions, and to update the requirements set 
forth in the notice, parental consent, confidentiality and security, 
and safe harbor provisions. In addition, the Commission proposes adding 
a new provision addressing data retention and deletion.

DATES: Written comments must be received on or before November 28, 
2011.

ADDRESSES: Interested parties may file a comment online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``COPPA Rule Review, 16 
CFR Part 312, Project No. P104503'' on your comment, and file your 
comment online at https://ftcpublic.commentworks.com/ftc/2011copparulereview, by following the instructions on the Web-based 
form. If you prefer to file your comment on paper, write ``COPPA Rule 
Review, 16 CFR Part 312, Project No. P104503'' on your comment, and 
mail or deliver your comment to the following address: Federal Trade 
Commission, Office of the Secretary, Room H-113 (Annex E), 600 
Pennsylvania Avenue, NW., Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Phyllis H. Marcus or Mamie Kresses, 
Attorneys, Division of Advertising Practices, Bureau of Consumer 
Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW., 
Washington, DC 20580, (202) 326-2854, or (202) 326-2070.

SUPPLEMENTARY INFORMATION:

I. Background

    The COPPA Rule, 16 CFR part 312, issued pursuant to the Children's 
Online Privacy Protection Act (``COPPA'' or ``COPPA statute''), 15 
U.S.C. 6501 et seq., became effective on April 21, 2000. The Rule 
imposes certain requirements on operators of Web sites or online 
services directed to children under 13 years of age, and on operators 
of other Web sites or online services that have actual knowledge that 
they are collecting personal information online from a child under 13 
years of age (collectively, ``operators''). Among other things, the 
Rule requires that operators provide notice to parents and obtain 
verifiable parental consent prior to collecting, using, or disclosing 
personal information from children under 13 years of age.\1\ The Rule 
also requires operators to keep secure the information they collect 
from children and prohibits them from conditioning children's 
participation in activities on the collection of more personal 
information than is reasonably necessary to participate in such 
activities.\2\ The Rule contains a ``safe harbor'' provision enabling 
industry groups or others to submit to the Commission for approval 
self-regulatory guidelines that would implement the Rule's 
protections.\3\
---------------------------------------------------------------------------

    \1\ See Children's Online Privacy Protection Rule, 16 CFR 312.3.
    \2\ See 16 CFR 312.7 and 312.8.
    \3\ See 16 CFR 312.10; Children's Online Privacy Protection 
Rule, 64 FR 59888, 59906, 59908, 59915 (Nov. 3, 1999), available at 
https://www.ftc.gov/os/1999/10/64Fr59888.pdf.
---------------------------------------------------------------------------

    The Commission initiated a review of the Rule on April 21, 2005, 
pursuant to Section 6507 of the COPPA statute, which required the 
Commission to conduct a review within five years of the Rule's 
effective date.\4\ After considering extensive public comment, the 
Commission determined in March 2006 to retain the Rule without 
change.\5\
---------------------------------------------------------------------------

    \4\ See 15 U.S.C. 6507; 16 CFR 312.11.
    \5\ See Children's Online Privacy Protection Rule, 71 FR 13247 
(Mar. 15, 2006) (retention of rule without modification).
---------------------------------------------------------------------------

    The Commission remains deeply committed to helping to create a 
safer, more secure online experience for children and takes seriously 
the challenge to ensure that COPPA continues to meet its originally 
stated goals, even as online technologies, and children's uses of such 
technologies, evolve. In light of the rapid-fire pace of technological 
change since the Commission's 2005 review, including an explosion in 
children's use of mobile devices, the proliferation of online social 
networking and interactive gaming, the Commission initiated review of 
the COPPA Rule in April 2010 on an accelerated schedule.\6\
---------------------------------------------------------------------------

    \6\ The Commission generally reviews each of its trade 
regulation rules approximately every ten years. Under this schedule, 
the next COPPA Rule review was originally set for 2017.
---------------------------------------------------------------------------

    On April 5, 2010, the Commission published a document in the 
Federal Register seeking public comment on whether technological 
changes to the online environment over the preceding five years 
warranted any changes to the Rule.\7\ The Commission's request for 
public comment examined each aspect of the COPPA Rule, posing 28 
questions for the public's consideration.\8\ The Commission identified 
several areas where public comment would be especially useful, 
including examination of whether: The Rule's existing definitions are 
sufficiently clear and comprehensive, or warrant modification or 
expansion, consistent with the COPPA statute; additional technological 
methods to obtain verifiable parental consent should be added to the 
COPPA Rule, and whether any of the consent methods currently included 
should be removed; whether the Rule provisions on protecting the 
confidentiality and security of personal information are sufficiently 
clear and comprehensive; and the Rule's criteria and process for 
Commission approval and oversight of safe harbor programs should be 
modified in any way. The comment period closed on July 12, 2010. During 
the comment period, on June 2, 2010, the Commission held a public 
roundtable to discuss in detail several of the areas where public 
comment was sought, including the application of COPPA's definitions of 
``Internet,'' ``website,'' and ``online service'' to new devices and 
technologies, the COPPA statute's actual knowledge standard for general 
audience Web sites and online services, the definition of ``personal 
information,'' emerging parental consent mechanisms, and COPPA's 
exceptions to prior parental consent.\9\
---------------------------------------------------------------------------

    \7\ See Request for Public Comment on the Federal Trade 
Commission's Implementation of the Children's Online Privacy 
Protection Rule (``2010 Rule Review''), 75 FR 17089 (Apr. 5, 2010).
    \8\ Id.
    \9\ Information about the June 2, 2010 COPPA Roundtable is 
located at https://www.ftc.gov/bcp/workshops/coppa/index.shtml.
---------------------------------------------------------------------------

    In addition to the dialogue at the public roundtable, the 
Commission received 70 comments from industry representatives, advocacy 
groups, academics, technologists, and individual members of the public 
in response to the April 5, 2010 request for public comment.\10\ The 
comments

[[Page 59805]]

addressed the efficacy of the Rule generally, and several possible 
areas for change.
---------------------------------------------------------------------------

    \10\ Public comments in response to the Commission's April 5, 
2010 Federal Register document are located at https://www.ftc.gov/os/comments/copparulerev2010/index.shtm. Comments have been numbered 
based upon alphabetical order. Comments are cited herein identified 
by commenter name, comment number, and, where applicable, page 
number.
---------------------------------------------------------------------------

II. COPPA's Definition of ``Child''

    The COPPA statute, and by extension, the COPPA Rule, defines as a 
child ``an individual under the age of 13.'' \11\ A few commenters 
suggested that COPPA's protections be broadened to cover a range of 
adolescents over age 12 and urged the Commission to seek a statutory 
change from Congress.\12\ By contrast, the majority of commenters who 
addressed this issue expressed concern that expanding COPPA's coverage 
to teenagers would raise a number of constitutional, privacy, and 
practical issues.\13\
---------------------------------------------------------------------------

    \11\ See 15 U.S.C. 6502(1).
    \12\ See Andrew Bergen (comment 4); Common Sense Media (comment 
12).
    \13\ See Sharon Anderson (comment 2); Kevin Brook (comment 6); 
Center for Democracy and Technology (``CDT'') (comment 8), at 5; 
CTIA (comment 14), at 10; Facebook (comment 22), at 2; Elatia 
Grimshaw (comment 26); Interactive Advertising Bureau (``IAB'') 
(comment 34), at 6-7; Harold Levy (comment 37); Motion Picture 
Association of America (``MPAA'') (comment 42), at 4; National Cable 
& Television Association (comment 44), at 5 n.16; NetChoice (comment 
45), at 2; Promotion Marketing Association (``PMA'') (comment 51), 
at 5; Berin Szoka (comment 59), at 6; Toy Industry Association of 
America (comment 63), at 5. Five commenters urged the Commission to 
consider lowering or eliminating COPPA's age to permit younger 
children access to a variety of educational online offerings. See 
Eric MacDonald (comment 38); Mark Moran (comment 41); Steingreaber 
(comment 58); Karla Talbot (comment 60); Daniel Widrew (comment 67).
---------------------------------------------------------------------------

    Recognizing the difficulties of extending COPPA to children ages 13 
or older, at least one commenter, the Institute for Public 
Representation, proposed the need for alternative privacy protections 
for teenagers. This commenter, while not proposing a statutory change 
to the definition of ``child,'' called on the Commission to develop a 
set of privacy protections for teens, consistent with the Fair 
Information Practices Principles created by the Organization for 
Economic Cooperation and Development, that would require understandable 
notices, limited information collection, an opt-in consent process, and 
access and control rights to data collected from them.\14\
---------------------------------------------------------------------------

    \14\ See Institute for Public Representation (comment 33), at 
42.
---------------------------------------------------------------------------

    In the course of drafting COPPA, Congress looked closely at whether 
adolescents should be covered by the law. Congress initially considered 
a requirement that operators make reasonable efforts to provide parents 
with notice and an opportunity to prevent or curtail the collection or 
use of personal information collected from children over the age of 12 
and under the age of 17.\15\ Ultimately, however, Congress decided to 
define a ``child'' as an individual under age 13.\16\ The Commission 
supported this assessment at the time, based in part on the view that 
young children under age 13 do not possess the level of knowledge or 
judgment to make appropriate determinations about when and if to 
divulge personal information over the Internet.\17\ The Commission 
continues to believe that the statutory definition of a child remains 
appropriate.\18\
---------------------------------------------------------------------------

    \15\ See Children's Online Privacy Protection Act of 1998, S. 
2326, 105th Cong. Sec.  3(a)(2)(iii) (1998).
    \16\ See 15 U.S.C. 6502.
    \17\  See Protection of Children's Privacy on the World Wide 
Web: Hearing on S. 2326 Before the Subcomm. on Communications of the 
S. Comm. on Commerce, Science & Transportation, 105th Cong. (1998), 
at 5 (Statement of Robert Pitofsky, Chairman, Federal Trade 
Commission), available at https://www.ftc.gov/os/1998/09/priva998.htm 
(``Children are not fully capable of understanding the consequences 
of divulging personal information online.'').
    \18\ See Protecting Youths in an Online World: Hearing Before 
the Subcomm. on Consumer Protection, Product Safety, and Insurance 
of the S. Comm. on Commerce, Science & Transportation, 111th Cong. 
14-15 (2010) (Statement of Jessica Rich, Deputy Director, Bureau of 
Consumer Protection, Federal Trade Commission), available at https://www.ftc.gov/os/testimony/100715toopatestimony.pdf.
---------------------------------------------------------------------------

    Although teens face particular privacy challenges online,\19\ 
COPPA's parental notice and consent approach is not designed to address 
such issues. COPPA's parental notice and consent model works fairly 
well for young children, but the Commission continues to believe that 
it would be less effective or appropriate for adolescents.\20\ COPPA 
relies on children providing operators with parental contact 
information at the outset to initiate the consent process. The COPPA 
model would be difficult to implement for teenagers, as many would be 
less likely than young children to provide their parents' contact 
information, and more likely to falsify this information or lie about 
their ages in order to participate in online activities. In addition, 
courts have recognized that as children age, they have an increased 
constitutional right to access information and express themselves 
publicly.\21\ Finally, given that adolescents are more likely than 
young children to spend a greater proportion of their time on Web sites 
and online services that also appeal to adults, the practical 
difficulties in expanding COPPA's reach to adolescents might 
unintentionally burden the right of adults to engage in online 
speech.\22\ For all of these reasons, the Commission declines to 
advocate for a change to the statutory definition of ``child.''
---------------------------------------------------------------------------

    \19\ For example, research shows that teens tend to be more 
impulsive than adults and that they may not think as clearly as 
adults about the consequences of what they do. See, e.g., Transcript 
of Exploring Privacy, A Roundtable Series (Mar. 17, 2010), Panel 3: 
Addressing Sensitive Information, available at https://htc-01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/031710_sess3.pdf; Chris Hoofnagle, Jennifer King, Su Li, and Joseph Turow, 
How Different Are Young Adults from Older Adults When It Comes to 
Information Privacy Attitudes & Policies? (April 14, 2010), 
available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1589864. As a result, they may voluntarily disclose more 
information online than they should. On social networking sites, 
young people may share personal details that leave them vulnerable 
to identity theft. See Javelin Strategy and Research, 2010 Identity 
Fraud Survey Report (Feb. 2010), available at https://www.javelinstrategy.com/uploads/files/1004.R_2010IdentityFraudSurveyConsumer.pdf. They may also share details 
that could adversely affect their potential employment or college 
admissions. See e.g., Commonsense Media, Is Social Networking 
Changing Childhood? A National Poll (Aug. 10, 2009), available at 
https://www.commonsensemedia.org/teen-social-media (indicating that 
28 percent of teens have shared personal information online that 
they would not normally share publicly).
    \20\ Id.
    \21\ See, e.g., American Amusement Mach. Ass'n v. Kendrick, 244 
F.3d 572 (7th Cir. 2001) (citing Erznoznik v. City of Jacksonville, 
422 U.S. 205, 212-14 (1975)); Tinker v. Des Moines Indep. Sch. 
Dist., 393 U.S. 503, 511-14 (1969).
    \22\ See ACLU v. Ashcroft, 534 F.3d 181, 196 (3d Cir. 2008) 
(citing ACLU v. Gonzales, 478 F. Supp. 2d 775, 806 (E.D. Pa. 2007) 
(``Requiring users to go through an age verification process would 
lead to a distinct loss of personal privacy.''); see also Bolger v. 
Youngs Drug Prods. Corp., 463 U.S. 60, 73 (1983) (citing Butler v. 
Michigan, 352 U.S. 380, 383 (1957) (``The Government may not reduce 
the adult population * * * to reading only what is fit for 
children.''). See also Berin Szoka (comment 59), at 6.
---------------------------------------------------------------------------

    Although the Commission does not recommend that Congress expand 
COPPA to cover teenagers, the Commission believes that it is essential 
that teens, like adults, be provided with clear information about uses 
of their data and be given meaningful choices about such uses. 
Therefore, the Commission is exploring new privacy approaches that will 
ensure that teens--and adults--benefit from stronger privacy 
protections than are currently generally available.\23\
---------------------------------------------------------------------------

    \23\ See A Preliminary FTC Staff Report on Protecting Consumer 
Privacy in an Era of Rapid Change: A Proposed Framework for 
Businesses and Policymakers, 36-36 (Dec. 1, 2010), available at 
https://www.ftc.gov/os/2010/12/101201privacyreport.pdf; Protecting 
Youths in an Online World, supra note 18, at 14-15 (``The FTC 
believes that its upcoming privacy recommendations based on its 
roundtable discussions will greatly benefit teens. The Commission 
expects that the privacy proposals emerging from this initiative 
will provide teens both a greater understanding of how their data is 
used and a greater ability to control such data.'').

---------------------------------------------------------------------------

[[Page 59806]]

III. COPPA's ``Actual Knowledge'' Standard

    The COPPA statute applies to two types of operators: (1) Those who 
operate Web sites or online services directed to children and collect 
personal information, and (2) those who have actual knowledge that they 
are collecting personal information from a child under age 13.\24\ The 
second prong, commonly known as ``the actual knowledge standard,'' 
holds operators of Web sites directed to teenagers, adults, or to a 
general audience, liable for providing COPPA's protections only when 
they know they are collecting personal information from a COPPA-covered 
child (i.e., one under age 13). COPPA therefore was never intended to 
apply to the entire Internet, but rather to a subset of Web sites and 
online services.\25\
---------------------------------------------------------------------------

    \24\ See 15 U.S.C. 6503(a)(1).
    \25\ See MPAA (comment 42), at 10 (``Congress deliberately 
selected the actual knowledge standard because it served the 
objective of protecting young children without constraining 
appropriate data collection and use by operators of general audience 
Web sites. This standard was selected to serve the goals of COPPA 
without imposing excessive burdens--including burdens that could 
easily constrain innovation--on general audience sites and online 
services'').
---------------------------------------------------------------------------

    Congress did not define the term ``actual knowledge'' in the COPPA 
statute, nor did the Commission define the term in the Rule. The case 
law makes clear that actual knowledge does not equate to ``knowledge 
fairly implied by the circumstances''; nor is actual knowledge 
``constructive knowledge,'' as that term is interpreted and applied 
legally.\26\ Therefore, the Commission has advised that operators of 
general audience Web sites are not required to investigate the ages of 
their users.\27\ By contrast, however, operators that ask for--or 
otherwise collect--information establishing that a user is under the 
age of 13 trigger COPPA's verifiable parental consent and all other 
requirements.\28\
---------------------------------------------------------------------------

    \26\ The original scope of COPPA, as indicated in S. 2326 and 
H.R. 4667, would have applied to any commercial Web site or online 
service used by an operator to ``knowingly'' collect information 
from children. See Children's Online Privacy Protection Act of 1998, 
S. 2326, 105th Cong. Sec.  2(11)(A)(iii) (1998); Electronic Privacy 
Bill of Rights Act of 1998, H.R. 4667, 105th Cong. Sec.  
105(7)(A)(iii) (1998). Under federal case law, the term 
``knowingly'' encompasses actual, implied, and constructive 
knowledge. See Schmitt v. FMA Alliance, 398 F.3d 995, 997 (8th Cir. 
2005); Freeman United Coal Mining Co. v. Federal Mine Safety and 
Health Review Comm'n, 108 F.3d 358, 363 (D.C. Cir. 1997).
    Upon the consideration of testimony from various witnesses, 
Congress modified the knowledge standard in the final legislation to 
require ``actual knowledge.'' See Internet Privacy Hearing: Hearing 
on S. 2326 Before the Subcomm. on Communications of the S. Comm. on 
Commerce, Science, and Transportation, 105th Cong. 1069 (1998). 
Actual knowledge is generally understood from case law to establish 
a far stricter standard than constructive knowledge or knowledge 
implied from the ambient facts. See United States v. DiSanto, 86 
F.3d 1238, 1257 (1st Cir. 1996) (citing United States v. Spinney, 65 
F.3d 231, 236 (1st Cir. 1995), for the proposition that ``when 
considering the question of ``knowledge'' [it is helpful] to recall 
that ``the length of the hypothetical knowledge continuum'' is 
marked by ``constructive knowledge'' at one end and ``actual 
knowledge'' at the other with various ``gradations,'' such as 
``notice of likelihood'' in the ``poorly charted area that stretches 
between the poles'').
    \27\ See Children's Online Privacy Protection Rule, Statement of 
Basis and Purpose (``1999 Statement of Basis and Purpose''), 64 FR 
59888, 59889 (Nov. 3, 1999), available at https://www.ftc.gov/os/1999/10/64Fr59888.pdf.
    \28\ See id. at 59892 (``Actual knowledge will be present, for 
example, where an operator learns of a child's age or grade from the 
child's registration at the site or from a concerned parent who has 
learned that his child is participating at the site. In addition, 
although the COPPA does not require operators of general audience 
sites to investigate the ages of their site's visitors, the 
Commission notes that it will examine closely sites that do not 
directly ask age or grade, but instead ask `age identifying' 
questions, such as `what type of school do you go to: (a) 
elementary; (b) middle; (c) high school; (d) college.' Through such 
questions, operators may acquire actual knowledge that they are 
dealing with children under 13'').
---------------------------------------------------------------------------

    In general, commenters to the Rule review expressed widespread 
support for Congress's retention of the statutory actual knowledge 
standard. Supporters find that the standard provides necessary 
certainty regarding the boundaries of operators' legal liability for 
COPPA violations.\29\ Commenters generally felt strongly that a lesser 
standard, e.g., constructive or implied knowledge, would cause extreme 
uncertainty for operators of general audience Web sites or online 
services seeking to comply with the law since they would be obliged 
either to make guesses about the presence of underage children or to 
deny access to a wide swath of participants, not only young 
children.\30\ According to commenters, such actions would result in 
greater data collection from all users, including children, in order to 
determine who should receive COPPA protections (or, alternatively, be 
denied access to a site). Commenters viewed this result as 
contradictory to COPPA's goal of minimizing data collection.\31\
---------------------------------------------------------------------------

    \29\ See CTIA (comment 14), at 2; Direct Marketing Association 
(``DMA'') (comment 17), at 8; MPAA (comment 42), at 9; Toy Industry 
Association, Inc. (comment 63), at 5; Jeffrey Greenbaum, Partner, 
Frankfurt Kurnit Klein & Selz PC, and J. Beckwith (``Becky'') Burr, 
Partner, WilmerHale, Remarks from The ``Actual Knowledge'' Standard 
in Today's Online Environment Panel at the Federal Trade 
Commission's Roundtable: Protecting Kids' Privacy Online 78-79 (June 
2, 2010), available at https://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.
    \30\ See Sharon Anderson (comment 2); Boku (comment 5); CDT 
(comment 9), at 6; CTIA (comment 14), at 2; DMA (comment 17), at 8; 
Facebook (comment 22), at 7; IAB (comment 34), at 6.
    \31\ See CTIA (comment 14), at 2; DMA (comment 17), at 8; 
Facebook (comment 22), at 7-8.
---------------------------------------------------------------------------

    A handful of commenters argued for a different standard. One 
commenter urged the Commission to require commercial Web site operators 
to make reasonable efforts to determine if a child is registering 
online, taking into consideration available technology.\32\ According 
to this commenter, Web site operators otherwise face minimal legal risk 
and business incentive to proactively institute privacy protections for 
children online. Other commenters, such as the Institute for Public 
Representation and Microsoft, urged the Commission to adopt clearer 
guidance on when an operator will be considered to have obtained actual 
knowledge that it has collected personal information from a child.\33\
---------------------------------------------------------------------------

    \32\ See Harry A. Valetk (comment 66), at 4.
    \33\ See Institute for Public Representation (comment 33), at 34 
(urging the Commission to make clear that an operator can gain 
actual knowledge where it obtains age information from a source 
other than the child and where it creates a category for behavioral 
advertising to children under age 13. ``Simply, if an operator 
decides on, or uses, or purports to know the fact that someone is a 
child, then that operator has actual knowledge that it is dealing 
with a child.''); Microsoft (comment 39), at 8 (asking the 
Commission to provide clear guidance on how operators can better 
meet COPPA's objectives of providing access to rich media content 
while not undermining parental involvement).
---------------------------------------------------------------------------

    Despite the limitations of the actual knowledge standard, the 
Commission is persuaded that this remains the correct standard to be 
applied to operators of Web sites and online services that are not 
directed to children. Accordingly, the Commission does not advocate 
that Congress amend the COPPA statute's actual knowledge requirement at 
this time. Actual knowledge is far more workable, and provides greater 
certainty, than other legal standards that might be applied to the 
universe of general audience Web sites and online services. This is 
because the actual knowledge standard is triggered only at the point at 
which an operator becomes aware of a child's age. By contrast, imposing 
a lesser ``reasonable efforts'' or ``constructive knowledge'' standard 
might require operators to ferret through a host of circumstantial 
information to determine who may or may not be a child.
    As described in detail below, with this Notice of Proposed 
Rulemaking, the Commission is proposing several modifications to the 
Rule's definition of ``personal information.'' \34\ Were the

[[Page 59807]]

Commission to recommend that Congress change COPPA's actual knowledge 
standard, the changes the Commission proposes to the Rule's definitions 
might prove infeasible if applied across the entire Internet. The 
impact of the proposed changes to the definition of personal 
information are significantly narrowed by the fact that COPPA only 
applies to the finite universe of Web sites and online services 
directed to children and Web sites and online services with actual 
knowledge.
---------------------------------------------------------------------------

    \34\ For example, the Commission proposes defining as personal 
information persistent identifiers and screen or user names where 
they are used for functions other than or in addition to support for 
the internal operations of a Web site or online service. The 
Commission also proposes including identifiers that link the 
activities of a child across different Web sites or online services, 
as well as digital files containing a child's image or voice, in the 
definition. See infra Part V.A.(4).
---------------------------------------------------------------------------

IV. COPPA's Coverage of Evolving Technologies

    The Commission's April 5, 2010 Federal Register document sought 
public input on the implications for COPPA enforcement raised by 
technologies such as mobile communications, interactive television, 
interactive gaming, and other evolving media.\35\ The Commission's June 
2, 2010 roundtable featured significant discussion on the breadth of 
the terms ``Internet,'' ``website located on the Internet,'' and 
``online service'' as they relate to the statute and the Rule.
---------------------------------------------------------------------------

    \35\ See 2010 Rule Review, supra note 7, at 17090.
---------------------------------------------------------------------------

    Commenters and roundtable participants expressed a consensus that 
both the COPPA statute and Rule are written broadly enough to encompass 
many new technologies without the need for new statutory language.\36\ 
First, there is widespread agreement that the statute's definition of 
``Internet,'' covering the ``myriad of computer and telecommunications 
facilities, including equipment and operating software, which comprise 
the interconnected world-wide network of networks that employ the 
Transmission Control Protocol/Internet Protocol,'' is device 
neutral.\37\
---------------------------------------------------------------------------

    \36\ See CDT (comment 8), at 2; Edward Felten, Dir. and 
Professor of Computer Sci. and Pub. Affairs, Princeton Univ. 
(currently Chief Technologist at the Federal Trade Commission), 
Remarks from The Application of COPPA's Definitions of ``Internet,'' 
``Website,'' and ``Online Service'' to New Devices and Technologies 
Panel at the Federal Trade Commission's Roundtable: Protecting Kids' 
Privacy Online 13-14 (June 2, 2010), available at https://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf 
(``[T]his was and still is a spot-on definition of what ``Internet'' 
means--worldwide interconnection and the use of TCP or IP or any of 
that suite of protocols.'').
    \37\ See CDT (comment 8), at 2. However, two commenters urged 
the Commission to consider modifying or expanding the definition of 
``Internet'' so as to expressly acknowledge the convergence of 
technologies, e.g., mobile devices and other applications that are 
platform neutral or capable of storing and transmitting data in the 
manner of a personal computer. See Electronic Privacy Information 
Center (``EPIC'') (comment 19), at 7-8; Jayne Hitchcock (comment 
29).
---------------------------------------------------------------------------

    While neither the COPPA statute nor the Rule defines a ``Web site 
located on the Internet,'' the term is broadly understood to cover 
content that users can access through a browser on an ordinary computer 
or mobile device.\38\ Likewise, the term ``online service'' broadly 
covers any service available over the Internet, or that connects to the 
Internet or a wide-area network.\39\ The Commission agrees with 
commenters that a host of current technologies that access the Internet 
or a wide area network are ``online services'' currently covered by 
COPPA and the Rule. This includes mobile applications that allow 
children to play network-connected games, engage in social networking 
activities, purchase goods or services online, receive behaviorally 
targeted advertisements, or interact with other content or 
services.\40\ Likewise, Internet-enabled gaming platforms, voice-over-
Internet protocol services, and Internet-enabled location based 
services, also are online services covered by COPPA and the Rule. The 
Commission does not believe that the term ``online service'' needs to 
be further defined either in the statute or in the Rule.\41\
---------------------------------------------------------------------------

    \38\ See AT&T (comment 3), at 5; Spratt (comment 57); Edward 
Felten, supra note 36, at 15.
    \39\ See John B. Morris, Jr., General Counsel and Director, 
Internet Standards, Technology and Policy Project, CDT, and Angela 
Campbell, Institute for Public Representation, Georgetown Univ. Law 
Ctr., Remarks from The Application of COPPA's Definitions of 
``Internet,'' ``Web site,'' and ``Online Service'' to New Devices 
and Technologies Panel at the Federal Trade Commission's Roundtable: 
Protecting Kids' Privacy Online 16-17 (June 2, 2010), available at 
https://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf. One commenter mentioned that the terms ``Internet'' 
and ``online'' were seemingly intended by Congress to be used 
interchangeably to mean ``the interconnected world-wide network of 
networks.'' See Entertainment Software Association (comment 20), at 
15 (citing the legislative history, 144 Cong. Rec. S8482-83, 
Statement of Sen. Bryan (1998)). But see Edward Felten, supra note 
36, at 19.
    \40\ See, e.g., Angela Campbell, supra note 39, at 30-31.
    \41\ The FTC has brought a number of cases alleging violations 
of COPPA in connection with the operation of an online service, 
including: United States v. W3 Innovations LLC, No. CV-11-03958 
(N.D. Cal., filed Aug. 12, 2011) (child-directed mobile 
applications); United States v. Playdom, Inc., No. SA CV-11-00724 
(C.D. Cal., filed May 11, 2011) (online virtual worlds); United 
States v. Sony BMG Music Entertainment, No. 08 Civ. 10730 (S.D.N.Y, 
filed Dec. 10, 2008) (social networking service); United States v. 
Industrious Kid, Inc., No. CV-08-0639 (N.D. Cal., filed Jan. 28, 
2008) (social networking service); United States v. Xanga.com, Inc., 
No. 06-CIV-6853 (S.D.N.Y., filed Sept. 7, 2006) (social networking 
service); and United States v. Bonzi Software, Inc., No. CV-04-1048 
(C.D. Cal., filed Feb. 14, 2004) (desktop software application).
---------------------------------------------------------------------------

    Although many mobile activities are online services, it is less 
clear whether all short message services (``SMS'') and multimedia 
messaging services (``MMS'') are covered by COPPA.\42\ One commenter 
maintained that SMS and MMS text messages cross wireless service 
providers' networks and short message service centers, not the public 
Internet, and therefore that such services are not Internet-based and 
are not ``online services.'' \43\ However, another panelist at the 
Commission's June 2, 2010 roundtable cautioned that not all texting 
programs are exempt from COPPA's coverage.\44\ For instance, mobile 
applications that enable users to send text messages from their web-
enabled devices without routing through a carrier-issued phone number 
constitute online services.\45\ Likewise, retailers' premium texting 
and coupon texting programs that register users online and send text 
messages from the Internet to users' mobile phone numbers are online 
services.\46\
---------------------------------------------------------------------------

    \42\ See 2010 Rule Review, supra note 7, at 17090 (Question 11); 
see also Denise Tayloe, President, Privo, Inc., Remarks from 
Emerging Parental Verification Access and Methods Panel at the 
Federal Trade Commission's Roundtable: Protecting Kids' Privacy 
Online 27 (June 2, 2010), available at https://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf (questioning whether 
a ``text to vote'' marketing campaign is covered by COPPA).
    \43\ See CTIA (comment 14), at 2-5 (citing the Federal 
Communications Commission's rules and regulations implementing the 
CAN-SPAM Act of 2003 and the Telephone Consumer Protection Act of 
1991, finding that phone-to-phone SMS is not captured by Section 14 
of CAN-SPAM because such messages do not have references to Internet 
domains). The Commission agrees that where mobile services do not 
traverse the Internet or a wide-area network, COPPA will not apply. 
See Michael Altschul, Senior Vice President and Gen. Counsel, CTIA, 
Remarks from The Application of COPPA's Definitions of ``Internet,'' 
``Web site,'' and ``Online Service'' to New Devices and Technologies 
Panel at the Federal Trade Commission's Roundtable: Protecting Kids' 
Privacy Online at 19-21 (June 2, 2010), available at https://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.
    \44\ See Edward Felten, supra note 36, at 27-28.
    \45\ For example, online texting services offered by TextFree, 
Textie, and textPlus+ that permit users to communicate via text 
message over the Internet.
    \46\ For example, text alert coupon and notification services 
offered by retailers such as Target and JC Penney.
---------------------------------------------------------------------------

    The Commission will continue to assess emerging technologies to 
determine whether or not they constitute ``Web sites located on the 
Internet'' or ``online services'' subject to COPPA's coverage.

V. Proposed Modifications to the Rule

    As discussed above, commenters expressed a consensus that, given 
its flexibility and coverage, the COPPA Rule continues to be useful in 
helping

[[Page 59808]]

to protect children as they engage in a wide variety of online 
activities. The Commission's experience in enforcing the Rule, and 
public input received through the Rule review process, however, 
demonstrate the need to update certain Rule provisions. After extensive 
consideration, the Commission proposes modifications to the Rule in the 
following five areas: Definitions, Notice, Parental Consent, 
Confidentiality and Security of Children's Personal Information, and 
Safe Harbor Programs. In addition to modifying these provisions, the 
Commission proposes adding a new Rule section addressing data retention 
and deletion. Each of these changes is discussed in detail below.

A. Definitions (16 CFR 312.2)

    The Commission proposes to modify particular definitions to update 
the Rule's coverage and, in certain cases, to streamline the Rule's 
language. The Commission proposes modifications to the definitions of 
``collects or collection,'' ``online contact information,'' ``personal 
information,'' ``support for the internal operations of the Web site or 
online service,'' and ``Web site or online service directed to 
children.'' The Commission also proposes a minor structural change to 
the Rule's definition of ``disclosure.''
(1) Collects or Collection
    Section 312.2 of the Rule defines ``collects or collection'' as:

    [T]he gathering of any personal information from a child by any 
means, including but not limited to:
    (a) Requesting that children submit personal information online;
    (b) Enabling children to make personal information publicly 
available through a chat room, message board, or other means, except 
where the operator deletes all individually identifiable information 
from postings by children before they are made public, and also 
deletes such information from the operator's records; or
    (c) The passive tracking or use of any identifying code linked 
to an individual, such as a cookie.

The Commission proposes amending paragraph (a) to change the term 
``requesting that children submit personal information online'' to 
``requesting, prompting, or encouraging a child to submit personal 
information online'' in order to clarify that the Rule covers the 
online collection of personal information both when an operator 
mandatorily requires it, and when an operator merely prompts or 
encourages a child to provide such information.
    Section 312.2(b) currently defines ``collects or collection'' to 
include enabling children to publicly post personal information (e.g., 
on social networking sites or on blogs), ``except where the operator 
deletes all individually identifiable information from postings by 
children before they are made public, and also deletes such information 
from the operator's records.'' \47\ This aspect of COPPA's definition 
of ``collects or collection'' has come to be known as the ``100% 
deletion standard.'' \48\ Several commenters indicated that this 
standard, while well-meaning, serves as an impediment to operators' 
implementation of sophisticated filtering technologies that might aid 
in the detection and removal of personal information.\49\ Some 
commenters urged the Commission to revise the Rule to specify the 
particular types of filtering mechanisms--for example, white lists, 
black lists, or algorithmic systems--that the Commission believes 
conform to the Rule's current 100% deletion requirement.\50\ One 
commenter urged the Commission to exercise caution in modifying the 
Rule to permit the use of automated filtering systems to strip personal 
information from posts prior to posting; this commenter urged the 
Commission to make clear that the use of an automated system would not 
provide an operator with a safe harbor from enforcement action in the 
case of an inadvertent disclosure of personal information.\51\
---------------------------------------------------------------------------

    \47\ Operators who offer services such as social networking, 
chat, bulletin boards and who do not pre-strip (i.e., completely 
delete) such information are deemed to have ``disclosed'' personal 
information under COPPA's definition of ``disclosure.'' See 16 CFR 
312.2.
    \48\ See Phyllis Marcus, Remarks from COPPA's Exceptions to 
Parental Consent Panel at the Federal Trade Commission's Roundtable: 
Protecting Kids' Privacy Online 310 (June 2, 2010), available at 
https://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.
    \49\ See Entertainment Software Association (comment 20), at 13-
14; Rebecca Newton (comment 46), at 4; see also WiredSafety.org 
(comment 68), at 15.
    \50\ See Berin Szoka (comment 59), Szoka Responses to Questions 
for the Record, at 19 (``[T]he FTC could * * * allow operators, at 
least in some circumstances, to use ``an automated system of review 
and/or posting'' to satisfy the existing ``deletion exception to the 
definition of collection.'' In other words, sites could potentially 
allow children to communicate with each other through chat rooms, 
message boards, and other social networking tools without having to 
obtain verifiable parental consent if they had in place algorithmic 
filters that would automatically detect personal information such as 
a string of seven or ten digits that seems to correspond to a phone 
number, a string of eight digits that might correspond to a Social 
Security number, a street address, a name, or even a personal 
photo--and prevent children from sharing that information in ways 
that make the information ``publicly available''); see also Privo 
(comment 50), at 5.
    \51\ See EPIC (comment 19), at 6-7.
---------------------------------------------------------------------------

    The Commission has undertaken this Rule review with an eye towards 
encouraging the continuing growth of engaging, diverse, and appropriate 
online content for children that includes strong privacy protections by 
design. Children increasingly seek interactive online environments 
where they can express themselves, and operators should be encouraged 
to develop innovative technologies to attract children to age-
appropriate online communities while preventing them from divulging 
their personal information. Unfortunately, Web sites that provide 
children with only limited communications options often fail to capture 
their imaginations for very long. After careful consideration, the 
Commission believes that the 100% deletion standard has set an 
unrealistic hurdle to operators' development and implementation of 
automated filtering systems.\52\ In its place, the Commission proposes 
a ``reasonable measures'' standard whereby operators who employ 
technologies reasonably designed to capture all or virtually all 
personal information inputted by children should not be deemed to have 
``collected'' personal information. This proposed change is intended to 
encourage the development of systems, either automated, manual, or a 
combination thereof, to detect and delete all or virtually all personal 
information that may be submitted by children prior to its public 
posting.\53\
---------------------------------------------------------------------------

    \52\ In fact, inquiries about automated filtering systems, and 
whether they could ever meet the Commission's current 100% deletion 
standard, are among the most frequent calls to the Commission's 
COPPA hotline.
    \53\ In the Commission's experience, establishing a broad 
standard of reasonableness permits industry to innovate specific 
security methods that best suit particular needs, and the Commission 
has set similar ``reasonableness'' standards in other enforcement 
arenas. For example, in its law enforcement actions involving 
breaches of data security, the Commission consistently has required 
respondents to establish and maintain comprehensive information 
security programs that are ``reasonably designed to protect the 
security, confidentiality, and integrity of personal information 
collected from or about consumers.'' See, e.g., Ceridian Corp., FTC 
Dkt. No. C-4325 (June 15, 2011); Lookout Servs., Inc., FTC Dkt. No. 
C-4326 (June 15, 2011).
---------------------------------------------------------------------------

    Finally, the Commission proposes simplifying paragraph (c) of the 
Rule's definition of ``collects or collection'' to clarify that it 
includes all means of passive tracking of a child online, irrespective 
of the technology used. The proposed paragraph removes the language 
``or use of any identifying code linked to an individual, such as a 
cookie'' and simply states ``passive tracking of a child online.''
    Therefore, the Commission proposes to amend the definition of 
``collects or collection'' so that it reads:


[[Page 59809]]


    Collects or collection means the gathering of any personal 
information from a child by any means, including but not limited to:
    (a) Requesting, prompting, or encouraging a child to submit 
personal information online;
    (b) Enabling a child to make personal information publicly 
available in identifiable form. An operator shall not be considered 
to have collected personal information under this paragraph if it 
takes reasonable measures to delete all or virtually all personal 
information from a child's postings before they are made public and 
also to delete such information from its records; or,
    (c) The passive tracking of a child online.\54\
---------------------------------------------------------------------------

    \54\ One commenter, EPIC, expressed the opinion that the Rule's 
reference to information collected ``by any means'' in the 
definition of ``collects or collection'' is ambiguous with regard to 
information acquired offline that is uploaded, stored, or 
distributed to third parties by operators. See EPIC (comment 19), at 
5. However, Congress limited the scope of COPPA to information that 
an operator collects online from a child; COPPA does not govern 
information collected offline. See 15 U.S.C. 6501(8) (defining the 
personal information as ``individually identifiable information 
about an individual collected online. * * *''); 144 Cong. Rec. 
S11657 (Oct. 7, 1998) (Statement of Sen. Bryan) (``This is an online 
children's privacy bill, and its reach is limited to information 
collected online from a child.'').

(2) Disclosure
    Section 312.2 of the Rule defines ``disclosure'' as:

    (a) The release of personal information collected from a child 
in identifiable form by an operator for any purpose, except where an 
operator provides such information to a person who provides support 
for the internal operations of the Web site or online service and 
who does not disclose or use that information for any other purpose. 
For purposes of this definition:
    (1) Release of personal information means the sharing, selling, 
renting, or any other means of providing personal information to any 
third party, and
    (2) Support for the internal operations of the Web site or 
online service means those activities necessary to maintain the 
technical functioning of the Web site or online service, or to 
fulfill a request of a child as permitted by Sec. Sec.  312.5(c)(2) 
and (3); or, (b) Making personal information collected from a child 
by an operator publicly available in identifiable form, by any 
means, including by a public posting through the Internet, or 
through a personal home page posted on a Web site or online service; 
a pen pal service; an electronic mail service; a message board; or a 
chat room.

The Commission proposes making several minor modifications to this 
definition that are consistent with the statutory definition. First, 
the Commission proposes broadening the title of this definition from 
``disclosure'' to ``disclose or disclosure'' to clarify that in every 
instance in which the Rule refers to instances where an operator 
``disclose[s]'' information, the definition of disclosure shall apply. 
In addition, the Commmission proposes moving the definitions of 
``release of personal information'' and ``support for the internal 
operations of the Web site or online service'' contained within the 
definition of ``disclosure'' to stand-alone definitions within ' 312.2 
of the Rule.\55\ This change will clarify what is intended by the terms 
``release of personal information'' and ``support for the internal 
operations of the Web site or online service'' where those terms are 
referenced elsewhere in the Rule and where they are not directly 
connected with the terms ``disclose'' or ``disclosure.'' \56\
---------------------------------------------------------------------------

    \55\ The Commission also proposes minor changes to the 
definition of ``support for the internal operations of a Web site or 
online service,'' as described in Part V.A(5). below.
    \56\ For example, the term ``support for the internal operations 
of the Web site or online service'' is included within the proposed 
revisions to the definition of ``personal information.'' See infra 
Part V.A.(5). The term ``release of personal information'' is 
included within the proposed revised provision to ' 312.8 regarding 
``Confidentiality, security, and integrity of personal information 
collected from children.'' See infra Part V.D.
---------------------------------------------------------------------------

    Therefore, the Commission proposes to amend the definition of 
``disclosure'' to read:

    Disclose or disclosure means, with respect to personal 
information:
    (a) The release of personal information collected by an operator 
from a child in identifiable form for any purpose, except where an 
operator provides such information to a person who provides support 
for the internal operations of the Web site or online service; and,
    (b) Making personal information collected by an operator from a 
child publicly available in identifiable form by any means, 
including but not limited to a public posting through the Internet, 
or through a personal home page or screen posted on a Web site or 
online service; a pen pal service; an electronic mail service; a 
message board; or a chat room.
(3) ``Release of personal information''
    The Commission proposes to define the term ``release of personal 
information'' separately from its current inclusion within the 
definition of ``disclosure.'' Since the term applies to provisions of 
the Rule that do not relate solely to disclosures,\57\ this stand-alone 
definition will provide greater clarity as to the terms' applicability 
throughout the Rule. In addition, the Commission proposes technical 
changes to clarify that the term ``release of personal information'' 
primarily addresses business-to-business uses of personal information. 
Public disclosure of personal information is covered by paragraph (b) 
of the definition of ``disclosure.'' Therefore, the Commission proposes 
to revise the definition of ``release of personal information'' so that 
it reads:
---------------------------------------------------------------------------

    \57\ See, e.g., discussion regarding 16 CFR 312.8 
(confidentiality, security and integrity of children's personal 
information), infra Part V.D.

    Release of personal information means the sharing, selling, 
renting, or transfer of personal information to any third party.
(4) ``Support for the internal operations of the Web site or online 
service''
    The Commission also proposes separating out the term ``support for 
the internal operations of the Web site or online service'' from the 
definition of ``disclosure.'' The Commission recognizes that the term 
``support for internal operations of the Web site or online service''--
i.e., activities necessary to maintain the technical functioning of the 
Web site or online service--is an important limiting concept that 
warrants further explanation. The Rule recognizes that information that 
is collected by operators for the sole purpose of support for internal 
operations should be treated differently than information that is used 
for broader purposes.
    The term currently is a part of the definitions of ``disclosure'' 
and ``third party'' within the Rule. As explained below, the Commission 
proposes to expand the definition of ``personal information'' to 
include ``screen or user names'' and ``persistent identifiers,'' when 
such items are used for functions other than or in addition to 
``support for the internal operations of the Web site or online 
service.'' \58\ In proposing to create a separate definition of 
``support for the internal operations of a Web site or online 
service,'' the Commission also proposes to expand that definition to 
include ``activities necessary to protect the security or integrity of 
the Web site or online service.'' With this change, the Commission 
recognizes operators' need to protect themselves or their users from 
security threats, fraud, denial of service attacks, user misbehavior, 
or other threats to operators' internal operations.\59\ In addition, 
the Commission proposes adding the limitation that information 
collected for such purposes may not be used or disclosed for any other 
purpose, so that if there is a secondary use of the information, it 
becomes ``personal information'' under the Rule.
---------------------------------------------------------------------------

    \58\ See infra Part V.(5)(b) and (c).
    \59\ See WiredSafety.org (comment 68), at 17.
---------------------------------------------------------------------------

    The Commission recognizes that operators use persistent identifiers 
and screen names to aid the functionality and technical stability of 
Web sites and online services and to provide a good user experience, 
and the Commission does not intend to limit operators'

[[Page 59810]]

ability to collect such information from children for those purposes. 
However, the Commission also recognizes that such identifiers may be 
used in more expansive ways that affect children's privacy. In the 
sections that follow, the Commission sets forth the parameters within 
which operators may collect and use screen names and persistent 
identifiers without triggering COPPA's application.\60\
---------------------------------------------------------------------------

    \60\ Id.
---------------------------------------------------------------------------

    The Commission proposes to revise the definition of ``support for 
the internal operations of Web site or online service'' so that it 
states:

    Support for the internal operations of the Web site or online 
service means those activities necessary to maintain the technical 
functioning of the Web site or online service, to protect the 
security or integrity of the Web site or online service, or to 
fulfill a request of a child as permitted by Sec.  312.5(c)(3) and 
(4), and the information collected for such purposes is not used or 
disclosed for any other purpose.
(5) Online Contact Information
    Section 312.2 of the Rule defines ``online contact information'' as 
``an e-mail address or any other substantially similar identifier that 
permits direct contact with a person online.'' The Commission proposes 
to clarify this definition to flag that the term covers all identifiers 
that permit direct contact with a person online, and to eliminate any 
inconsistency between the stand-alone definition of online contact 
information and the use of the same term within the Rule's definition 
of ``personal information.'' \61\ The revised definition set forth 
below adds commonly used forms of online identifiers, including instant 
messaging user identifiers, voice over internet protocol (VOIP) 
identifiers, and video chat user identifiers. The proposed definition 
makes clear, however, that the identifiers included are not intended to 
be exhaustive, and may include other substantially similar identifiers 
that permit direct contact with a person online.
---------------------------------------------------------------------------

    \61\ The Rule currently defines as personal information ``an e-
mail address or other online contact information, including but not 
limited to an instant messaging user identifier, or a screen name 
that reveals an individual's e-mail address.'' 16 CFR 312.2 
(paragraph (c), definition of ``personal information''). The 
Commission also proposes removing the listing of identifiers from 
the definition of personal information and substituting the simple 
phrase ``online contact information'' instead. See infra Part 
V.A.(4)(a). By doing so, the Commission hopes to streamline the 
Rule's definitions in a way that is useful and accessible for 
operators.
---------------------------------------------------------------------------

    Therefore, the Commission proposes to amend the definition of 
``online contact information'' to state:

    Online contact information means an e-mail address or any other 
substantially similar identifier that permits direct contact with a 
person online, including but not limited to, an instant messaging 
user identifier, a voice over internet protocol (VOIP) identifier, 
or a video chat user identifier.
(6) Personal Information
    The COPPA statute defines personal information as individually 
identifiable information about an individual collected online, 
including:
    (A) A first and last name;
    (B) A home or other physical address including street name and name 
of a city or town;
    (C) An e-mail address;
    (D) A telephone number; \62\
---------------------------------------------------------------------------

    \62\ The term ``telephone number'' includes landline, web-based, 
and mobile phone numbers.
---------------------------------------------------------------------------

    (E) A Social Security number;
    (F) Any other identifier that the Commission determines permits the 
physical or online contacting of a specific individual; or
    (G) information concerning the child or the parents of that child 
that the Web site collects online from the child and combines with an 
identifier described in this paragraph.\63\
---------------------------------------------------------------------------

    \63\ 15 U.S.C. 6502(8). The Federal Trade Commission originally 
used the authority granted under Section 6502(8)(F) to define 
personal information under the COPPA Rule to include the following 
pieces of information not specifically listed in the statute:
     Other online contact information, including but not 
limited to an instant messaging user identifier;
     A screen name that reveals an individual's e-mail 
address;
     A persistent identifier, such as a customer number held 
in a cookie or a processor serial number, where such identifier is 
associated with individually identifiable information; and,
     A combination of a last name or photograph of the 
individual with other information such that the combination permits 
physical or online contacting.
---------------------------------------------------------------------------

    As explained below, the Commission proposes to use this statutorily 
granted authority in paragraph (F) to modify, and in certain cases, 
expand, upon the Rule's definition of ``personal information'' to 
reflect technological changes.
a. Online Contact Information (Revised Paragraph (c))
    The Commission proposes to replace existing paragraph (c) of the 
Rule's definition of ``personal information,'' which refers to ``an e-
mail address or other online contact information including but not 
limited to an instant messaging user identifier, or a screen name that 
reveals an individual's e-mail address,'' with the broader term 
``online contact information,'' as newly defined.\64\ Moreover, as 
discussed immediately below, the Commission proposes to move the 
existing reference to a ``screen name'' to a separate item within the 
definition of ``personal information.''
---------------------------------------------------------------------------

    \64\ See supra Part V.A.(4)(a).
---------------------------------------------------------------------------

b. Screen or User Names (Revised Paragraph (d))
    Currently, screen names are considered ``personal information'' 
under COPPA only when they reveal an individual's e-mail address. The 
Commission proposes instead that screen (or user) names be categorized 
as personal information when they are used for functions other than, or 
in addition to, support for the internal operations of the Web site or 
online service. This change reflects the reality that screen and user 
names increasingly have become portable across multiple Web sites or 
online services, and permit the direct contact of a specific individual 
online regardless of whether the screen or user names contain an e-mail 
address.\65\
---------------------------------------------------------------------------

    \65\ See, e.g., OpenId, Windows Live ID, and the Facebook 
Platform.
-------------------------------------------------