Children's Online Privacy Protection Rule, 46643-46653 [2012-19115]
Proposed Rules
Federal Register
Vol. 77, No. 151
Monday, August 6, 2012
This section of the FEDERAL REGISTER
contains notices to the public of the proposed
issuance of rules and regulations. The
purpose of these notices is to give interested
persons an opportunity to participate in the
rule making prior to the adoption of the final
rules.
FEDERAL TRADE COMMISSION
16 CFR Part 312
RIN 3084–AB20
Children’s Online Privacy Protection
Rule
AGENCY: Federal Trade Commission
(‘‘FTC’’ or ‘‘Commission’’).
ACTION: Supplemental notice of
proposed rulemaking; request for
comment.
SUMMARY: The Commission is proposing
to further modify the proposed
definitions of personal information,
support for internal operations, and
Web site or online service directed to
children, that the FTC has proposed
previously under its Rule implementing
the Children’s Online Privacy Protection
Act (‘‘COPPA Rule’’), and further
proposes to revise the Rule’s definition
of operator. These proposed revisions,
which are based on the FTC’s review of
public comments and its enforcement
experience, are intended to clarify the
scope of the Rule and strengthen its
protections for children’s personal
information. The Commission is not
adopting any final amendments to the
COPPA Rule at this time and continues
to consider comments submitted in
response to its Notice of Proposed
Rulemaking issued in September 2011.
DATES: Written comments must be
received on or before September 10,
2012.
ADDRESSES: Interested parties may file a
comment online or on paper, by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write ‘‘COPPA Rule Review, 16
CFR Part 312, Project No. P104503’’ on
your comment, and file your comment
online at https://ftcpublic.commentworks.com/ftc/2012copparulereview, by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, mail or deliver your comment to
the following address: Federal Trade
Commission, Office of the Secretary,
Room H–113 (Annex E), 600
Pennsylvania Avenue NW., Washington,
DC 20580.
FOR FURTHER INFORMATION CONTACT:
Phyllis H. Marcus or Mamie Kresses,
Attorneys, Division of Advertising
Practices, Bureau of Consumer
Protection, Federal Trade Commission,
600 Pennsylvania Avenue NW.,
Washington, DC 20580, (202) 326–2854
or (202) 326–2070.
SUPPLEMENTARY INFORMATION:
I. Background
In September 2011, the FTC issued a
Notice of Proposed Rulemaking setting
forth proposed changes to the
Commission’s COPPA Rule. Among
other things, the Commission proposed
modifying the Rule’s definition of
personal information to include
persistent identifiers and screen or user
names other than where they are used
to support internal operations, and Web
site or online service directed to
children to include additional indicia
that a site or service may be targeted to
children.1 The Commission received
over 350 comments, a number of which
addressed the proposed changes to these
two definitions.2 After reviewing these
comments, and based upon its
experience in enforcing and
administering the Rule, the Commission
now proposes to modify the definition
of operator, and proposes additional
modifications to the definitions of Web
site or online service directed to
children, personal information, and
support for internal operations.
The Commission proposes modifying
the definition of both operator and Web
site or online service directed to
children to allocate and clarify the
responsibilities under COPPA when
independent entities or third parties,
e.g., advertising networks or
downloadable software kits (‘‘plug-ins’’), collect information from users
through child-directed sites and
services. As described below, previous
Commission statements suggested that
the responsibility for providing notice to
1 Id.
2 Public comments in response to the
Commission’s September 27, 2011, Federal Register
document are located at https://www.ftc.gov/os/comments/copparulereview2011/. Comments have
been numbered based upon alphabetical order.
Comments are cited herein by commenter name,
comment number, and, where applicable, page
number.
parents and obtaining verifiable parental
consent to the collection of personal
information from children rested
entirely with the information collection
entity and not with the child-directed
site operator. The Commission now
believes that the most effective way to
implement the intent of Congress is to
hold both the child-directed site or
service and the information-collecting
site or service responsible as covered co-operators. Sites and services whose
content is directed to children, and who
permit others to collect personal
information from their child visitors,
benefit from that collection and thus
should be responsible under COPPA for
providing notice to and obtaining
consent from parents. Conversely,
online services whose business models
entail the collection of personal
information and that know or have
reason to know that such information is
collected through child-directed
properties should provide COPPA’s
protections.
In addition, the Commission proposes
to modify the previously proposed
revised definition of Web site or online
service directed to children to permit
Web sites or online services that are
designed for both children and a
broader audience to comply with
COPPA without treating all users as
children. The Commission also
proposes modifying the definition of
screen or user name to cover only those
situations where a screen or user name
functions in the same manner as online
contact information. Finally, the
Commission proposes to modify the
revised definition of support for internal
operations and to modify the Rule’s
coverage of persistent identifiers as
personal information.
II. Proposed Modifications to the Rule’s
Definitions (16 CFR 312.2)
A. Definition of Operator
Public comments 3 and the
Commission’s own enforcement
experience 4 highlight the need for the
3 See, e.g., AT&T (comment 8), at 3–4; CDT
(comment 17), at 3–6; CTIA (comment 32), at 16;
Direct Marketing Association (comment 37), at 7;
Future of Privacy Forum (comment 55), at 3;
Information Technology Industry Council
(comment 70), at 3–4; Interactive Advertising
Bureau (comment 73), at 7; and, Tech Freedom
(comment 159), at 12.
4 See FTC staff closing letter to OpenFeint
(‘‘OpenFeint Letter’’), available at https://
Commission to clarify the
responsibilities of child-directed
properties that integrate independent
social networking or other types of
‘‘plug-ins’’ into their sites or services.
These plug-ins often collect personal
information directly from users of child-directed sites and services. Although the
child-directed site or service benefits by
incorporating the social networking or
other information collection features of
the plug-in, it generally has no
ownership, control, or access to the
personal information collected by the
plug-in. In many ways, the plug-in
scenario mirrors the current situation
with child-directed Web sites and
advertising networks: the site
determines the child-directed nature of
the content, but the third-party
advertising network collects persistent
identifiers for tracking purposes, which
could be considered personal
information under the proposed revised
Rule.
COPPA defines operator in pertinent
part, as
(A) Any person who operates a Web site
located on the Internet or an online service
and who collects or maintains personal
information from or about the users of or
visitors to such Web site or online service, or
on whose behalf such information is
collected or maintained, where such Web site
or online service is operated for commercial
purposes, including any person offering
products or services for sale through that
Web site or online service, involving
commerce * * *.5
In both the 1999 Notice of Proposed
Rulemaking and the 1999 Statement of
Basis and Purpose, the Commission
suggested that some retention of
ownership, control, or access to the
personal information collected was
required to make a party an operator.
The Commission stated that it would
look to a variety of factors—ownership,
control, financial and contractual
arrangements, and the role of the site or
service in data collection or
maintenance—to establish whether an
entity was covered by or subject to
COPPA’s regulatory obligations.6 The
www.ftc.gov/os/closings/
120831openfeintclosingletter.pdf.
5 15 U.S.C. 6501(2). The Rule’s definition of
operator reflects the statutory language. See 16 CFR
312.2.
6 1999 Notice of Proposed Rulemaking and
Request for Public Comment, 64 FR 22750, 22752
(Apr. 27, 1999), available at https://www.ftc.gov/os/fedreg/1999/april/990427childrensonlineprivacy.pdf (‘‘In determining
who is the operator for purposes of the proposed
Rule, the Commission will consider such factors as
who owns the information, who controls the
information, who pays for the collection or
maintenance of the information, the pre-existing
contractual relationships surrounding the collection
or maintenance of the information, and the role of
Commission also asserted that ‘‘[w]here
the Web site or online service merely
acts as the conduit through which the
personal information collected flows to
another person or to another’s Web site
or online service, and the Web site or
online service does not have access to
the information, then it is not an
operator under the proposed Rule.’’ 7
At that time, the Commission did not
foresee how easy and commonplace it
would become for child-directed sites
and services to integrate social
networking and other personal
information collection features into the
content offered to their users, without
maintaining ownership, control, or
access to the personal data. Given these
changes in technology, the Commission
now believes that an operator of a child-directed site or service that chooses to
integrate into its site or service other
services that collect personal
information from its visitors should be
considered a covered operator under the
Rule. Although the child-directed site or
service does not own, control, or have
access to the information collected, the
personal information is collected on its
behalf. The child-directed site or service
benefits from its use of integrated
services that collect personal
information because the services
provide the site with content,
functionality, and/or advertising
revenue.
Neither the COPPA statute nor its
legislative history make clear under
what circumstances third-party data
collection activities would be deemed to
be conducted ‘‘on an operator’s behalf.’’
Nor did the Commission previously
define the phrase on whose behalf such
information is collected or maintained
in the COPPA Rule.
Congress granted the FTC broad
rulemaking authority under COPPA.8
Therefore, the Commission proposes
to revise the definition of operator to
add a proviso stating:
Personal information is collected or
maintained on behalf of an operator where it
is collected in the interest of, as a
representative of, or for the benefit of, the
operator.
The Commission’s interpretation of the
phrase on whose behalf is consistent
both with its plain and common
meaning 9 and with the Commission’s
advocated position on the meaning of
that phrase within the Telephone
Consumer Protection Act, 47 U.S.C. 227,
and the position it has urged the Federal
Communications Commission to adopt
in the implementing regulations, 47 CFR
64.1200.10
In the context of COPPA’s
requirements, an operator of a child-directed site or service is in an
appropriate position to give notice and
obtain consent from parents where any
personal information is being collected
from its visitors on or through its site or
service. The operator is in the best
position to know that its site or service
is directed to children and can control
which plug-ins, software downloads, or
advertising networks it integrates into
its site. To interpret the COPPA statute’s
on whose behalf language more
narrowly does not fully effectuate
Congress’s intent to insure that parents
are consistently given notice and the
opportunity to consent prior to the
collection of children’s personal
information.
B. Definition of Web Site or Online
Service Directed to Children
In the September 2011 COPPA NPRM,
the Commission proposed minor
changes to the definition of Web site or
online service directed to children to
include additional indicia of child-directed Web sites and online
services.11 The Commission now
proposes additional modifications to
this definition in order to: (1) Make
clear that a Web site or online service
that knows or has reason to know that
it collects personal information from
children through a child-directed Web
site or online service is itself ‘‘directed
to children’’; and (2) permit a Web site
or online service that is designed for
both children and a broader audience to
comply with COPPA without having to
treat all its users as children.
the Web site or online service in collecting and/or
maintaining the information’’).
7 Id. The Commission reiterated this view in the
1999 Statement of Basis and Purpose to the COPPA
Rule (‘‘1999 Statement of Basis and Purpose’’), 64
FR 59888, 59891 (Nov. 3, 1999), available at https://www.ftc.gov/os/1999/10/64Fr59888.pdf.
8 Congress delegated to the FTC the authority to
promulgate regulations that require operators
covered by COPPA to: Provide online notice of their
information practices; obtain verifiable parental
consent for the collection, use, or disclosure of
personal information from children; provide
parents with a means to obtain such personal
information and to refuse further collection;
establish and maintain adequate confidentiality and
security for children’s personal information; and
that prohibit conditioning a child’s participation
online on disclosing more personal information
than is necessary. See 15 U.S.C. 6502(b).
9 See Madden v. Cowen & Co., 576 F.3d 957, 974
(9th Cir. 2009).
10 See Comment of the Federal Trade Commission
before the Federal Communications Commission,
CG Docket No. 11–50 (2011), at 7, available at
https://www.ftc.gov/os/2011/05/110516dishechostar.pdf (stating that the common
dictionary definition of ‘‘on behalf of’’ means in an
entity’s ‘‘interest,’’ in its ‘‘aid,’’ or for its ‘‘benefit’’).
11 See 2011 COPPA NPRM, 76 FR at 59814.
1. Operators Who Collect Personal
Information Through Child-Directed
Web Sites or Online Services
As noted above, online services such
as advertising networks or
downloadable plug-ins often collect
personal information from users through
another’s site or service, including
properties directed to children.12 When
operating on child-directed properties,
that portion of these services could be
deemed directed to children and the
operator held strictly liable under
COPPA. This position would be
consistent with previous Commission
statements that the Rule covers entities
collecting information through child-directed sites. In its original April 1999
Notice of Proposed Rulemaking, the
Commission stated that the definition of
operator includes ‘‘a person who
collects or maintains [personal]
information through another’s Web site
or online service.’’ 13 In the 1999
Statement of Basis and Purpose, in
discussing the potential liability of
network advertising companies, the
Commission noted that ‘‘[i]f such
companies collect personal information
directly from children who click on ads
placed on Web sites or online services
directed to children, then they will be
considered operators who must comply
with the Act, unless one of the
exceptions applies.’’ 14
Several commenters in response to
the 2011 COPPA NPRM, however, state
that operators of online services that are
designed to be incorporated into another
site or service should not be covered
under COPPA’s requirements when they
appear on child-directed sites or
services.15 For example, the Center for
Democracy and Technology (‘‘CDT’’)
states, ‘‘[o]perators of analytics services,
advertising networks, and social plug-ins that do not intentionally target their
services to children should not have
independent COPPA notice and consent
obligations simply because a site
directed to children has chosen to use
their service.’’ 16
12 This fact was highlighted in a recent
Commission law enforcement investigation of
OpenFeint, Inc., an online social gaming network
available as a plug-in to mobile applications. See
OpenFeint Letter, supra note 4.
13 1999 Notice of Proposed Rulemaking and
Request for Public Comment, 64 FR 22750, 22752
(Apr. 27, 1999), available at https://www.ftc.gov/os/fedreg/1999/april/990427childrensonlineprivacy.pdf.
14 Statement of Basis and Purpose to the COPPA
Rule, 64 FR 59888, 59892 (Nov. 3, 1999), available
at https://www.ftc.gov/os/1999/10/64Fr59888.pdf.
15 See, e.g., CDT (comment 17), at 5; Facebook
(comment 50), at 11; Future of Privacy Forum
(comment 55), at 3; TechFreedom (comment 159),
at 10–11.
16 CDT (comment 17), at 5.
The COPPA statute gives the
Commission broad discretion to define
Web site or online service directed to
children. Congress provided only one
limitation to that discretion:
A commercial Web site or online service,
or a portion of a commercial Web site or
online service, shall not be deemed directed
to children solely for referring or linking to
a commercial Web site or online service
directed to children by using information
location tools, including a directory, index,
reference, pointer, or hypertext link.17
The Commission continues to believe
that when an online service collects
personal information through child-directed properties, that portion of the
online service can and should be
deemed directed to children, but only
under certain circumstances. The
Commission believes that the strict
liability standard applicable to
conventional child-directed sites and
services is unworkable for advertising
networks or plug-ins because of the
logistical difficulties such services face
in controlling or monitoring which sites
incorporate their online services.
Accordingly, the Commission proposes
to modify the definition of Web site or
online service directed to children to
include any operator who ‘‘knows or
has reason to know’’ it is collecting
personal information through a host
Web site or online service directed to
children. The proposed new paragraph
is:
Web site or online service directed to
children means a commercial Web site or
online service, or portion thereof, that:
* * * * *
(d) knows or has reason to know that it is
collecting personal information through any
Web site or online service covered under
paragraphs (a)–(c).
In choosing to use the phrase ‘‘reason
to know’’ as part of the definition, the
Commission is not imposing a duty on
entities such as ad-networks or plug-ins
to monitor or investigate whether their
services are incorporated into child-directed properties; 18 however, such
sites and services will not be free to
17 15 U.S.C. 6501(10).
18 The phrase ‘‘reason to know’’ does not impose
a duty to ascertain unknown facts, but does require
a person to draw a reasonable inference from
information he does have. See Restatement
(Second) of Agency § 9 cmt. d (1958); Restatement
(Second) of Torts §§ 12(1), 401 (1965). See also
Novicki v. Cook, 946 F.2d 938, 941 (D.C. Cir. 1991)
(citing the Restatement (Second) of Agency); Alf v.
Donley, 666 F. Supp. 2d 60, 67 (D.D.C. 2009)
(following Novicki v. Cook); Feinerman v. Bernardi,
558 F. Supp. 2d 36, 49 (D.D.C. 2008) (following
Novicki v. Cook); Topliff v. Wal-Mart Stores E. LP,
2007 U.S. Dist. LEXIS 20533, 200, CCH Prod. Liab.
Rep. P17,728 (N.D.N.Y Mar. 22, 2007) (‘‘the term
‘had reason to know’ does not impose any duty to
ascertain unknown facts, while the term ‘should
have known’ does impose such a duty’’).
ignore credible information brought to
their attention indicating that such is
the case.
The Commission believes that this
proposed modification to the definition
of Web site or online service directed to
children, along with the proposed
revisions to the definition of operator
that would hold the child-directed
property to be a co-operator equally
responsible under the Rule for the
personal information collected by the
plug-in or advertising network, will
help ensure that operators in each
position cooperate to meet their
statutory duty to notify parents and
obtain parental consent.
2. Web Sites and Online Services
Directed to Children and Families
As noted in its September 2011
NPRM, the current definition of Web
site or online service directed to
children is, at bottom, a totality of the
circumstances test. In its comment, The
Walt Disney Company argues that this
definition does not adequately address
the reality that Web sites or online
services directed to children fall along
a continuum, targeting or appealing to
children in varying degrees. Under the
Rule’s current structure, regardless of
where a site or service falls on this
continuum, it must still treat all visitors
as children. Disney argues that only
sites falling at the extreme end of the
‘‘child-directed’’ continuum should
have to treat all of their users as
children. It urges the Commission to
adopt a system that would permit Web
sites or online services directed to larger
audiences, specifically those directed to
children and families, to differentiate
among users, requiring such sites and
services to provide notice and obtain
consent only for users who self-identify
as under age 13.19
The Commission finds merit in
Disney’s suggestion. In large measure, it
reflects the prosecutorial discretion the
Commission has applied in enforcing
the Rule. The Commission has charged
sites or services with being directed to
children only where the Commission
believed that children under age 13
were the primary audience.20 If the
Commission believed the site merely
was likely to attract significant numbers
19 The Walt Disney Co. (comment 170), at 5–6.
20 See United States v. Godwin, d/b/a skid-e-kids.com, No. 1:11–cv–03846–JOF (N.D. Ga. Feb. 1,
2012) (alleging that defendant’s skid-e-kids social
networking Web site was directed to children);
United States v. W3 Innovations, LLC, No. CV–11–
03958 (N.D. Cal., filed Aug. 12, 2011) (alleging that
defendants’ ‘‘Emily’s’’ apps were directed to
children); United States v. Playdom, Inc., No. SA
CV11–00724 (C.D. Cal., May 24, 2011) (alleging that
Playdom’s Pony Stars online virtual world was
directed to children).
of under 13 users, or had popular appeal
with children (among others), the
Commission has instead alleged that the
operator had ‘‘actual knowledge’’ of
collecting personal information from
users who identified themselves as
under 13.21 This enforcement approach
recognizes the burden imposed on
operators in having to obtain notice and
consent for every user when most users
may be over 13, as well as the burden
and restrictions imposed on users over
age 13 in being treated as young
children.
As noted above, Congress gave the
Commission broad discretion to define
Web site or online service directed to
children. The Commission now
proposes to modify that definition to
implement much of what Disney has
proposed and to better reflect the
prosecutorial discretion it has applied.
The proposed revised definition is:
Web site or online service directed to
children means a commercial Web site or
online service, or portion thereof, that:
(a) Knowingly targets children under age
13 as its primary audience; or,
(b) Based on the overall content of the Web
site or online service, is likely to attract
children under age 13 as its primary
audience; or,
(c) Based on the overall content of the Web
site or online service, is likely to attract an
audience that includes a disproportionately
large percentage of children under age 13 as
compared to the percentage of such children
in the general population; provided however
that such Web site or online service shall not
be deemed to be directed to children if it: (i)
Does not collect personal information from
any visitor prior to collecting age
information; and (ii) prevents the collection,
use, or disclosure of personal information
from visitors who identify themselves as
under age 13 without first obtaining
verifiable parental consent;
* * * * *
The effect of the proposed changes
would be that those sites and services at
the far end of the ‘‘child-directed’’
continuum, i.e., those that knowingly
target, or have content likely to draw,
children under 13 as their primary
audience, must still treat all users as
children, and provide notice and obtain
consent before collecting any personal
information from any user. Those sites
and services with child-oriented content
appealing to a mixed audience, where
children under 13 are likely to be an
over-represented group, will not be
deemed directed to children if, prior to
collecting any personal information,
they age-screen all users. At that point,
for users who identify themselves as
21 See United States v. Iconix Brand Group, Inc.,
No. 09 Civ. 8864 (S.D.N.Y., Nov. 5, 2009); United
States v. Sony BMG Music Entertainment, No. 08
Civ. 10730 (S.D.N.Y., Dec. 15, 2008).
under 13, the site or service will be
deemed to have actual knowledge that
such users are under 13 and must obtain
appropriate parental consent before
collecting any personal information
from them and must also comply with
all other aspects of the Rule.
The Commission recognizes that
many children may choose to lie about
their age. Nevertheless, the Commission
believes the proposed revisions strike
the correct balance. First, it has been the
Commission’s law enforcement
experience, as demonstrated by its
‘‘actual knowledge’’ cases, that many
children do truthfully provide their age
in response to an age screening question
on mixed audience sites.22 Second, as
noted above, as a matter of prosecutorial
discretion, the Commission has not
charged child-friendly mixed audience
sites as being directed to children
because of the burdens it imposes.
Consequently, if those sites collected
personal information without asking
age, the Commission had little basis to
allege that the operator had actual
knowledge of any visitor’s age. The
proposed revisions will require
operators of these child-friendly mixed
audience sites to take an affirmative step
to attain actual knowledge if they do not
wish to treat all visitors as being under
13.
C. Definition of Personal Information
1. Screen or User Names
In the 2011 COPPA NPRM, the
Commission proposed to define as
personal information ‘‘a screen or user
name where such screen or user name
is used for functions other than or in
addition to support for the internal
operations of the Web site or online
service.’’ 23 This change was intended to
address scenarios in which a screen or
user name could be used by a child as
a single credential to access multiple
online properties, thereby permitting
him or her to be directly contacted
online, regardless of whether the screen
or user name contained an email
address.24
Several commenters expressed
concern that the Commission’s screen-name proposal would unnecessarily
inhibit functions that are important to
the operation of child-directed Web
sites and online services. For example,
commenters stated that many child-directed properties use a screen or user
name in place of a child’s real name in
22 See United States v. Iconix Brand Group, Inc.;
and United States v. Sony BMG Music
Entertainment, supra note 23.
23 2011 COPPA NPRM, 76 FR at 59810.
24 Id.
an effort to minimize data collection.25
Operators also use single screen names
to allow children to sign on to a single
online service that runs on multiple
platforms, as well as to access related
properties across multiple platforms.26
These commenters raised concerns that,
with the limited carve-out for functions
to support internal operations, operators
might be precluded from using screen or
user names within a Web site or online
service, and would certainly be
precluded from doing so across multiple
platforms.
The Commission has long supported
the data minimization purposes behind
operators’ use of screen and user names
in place of individually identifiable
information.27 Indeed, the proposed
changes in paragraph (d) were not
intended to preclude such uses.
Moreover, after reading the comments,
the Commission is persuaded of the
benefits of utilizing single sign-in
identifiers across sites and services, for
example, to permit children seamlessly
to transition between devices or
platforms via a single screen or user
name.28 The Commission therefore
proposes that a screen or user name
should be included within the
definition of personal information only
in those instances in which a screen or
user name rises to the level of online
contact information.29 In such cases, a
screen or user name functions much like
an email address, an instant messaging
identifier, ‘‘or any other substantially
similar identifier that permits direct
contact with a person online.’’ 30
25 See National Cable & Telecommunications
Association (comment 113), at 12 (‘‘[A]llowing
children to create a unique screen name and
password at a Web site through a registration
process without collecting any personally
identifying information has allowed several leading
children’s Web sites to offer: personalized content
(e.g., horoscopes, weather forecasts, customized
avatars for game play), attribution (e.g.,
acknowledge for a high score or other achievement),
as well as a way to express opinions and participate
in online activities in an interactive fashion (e.g.,
jokes, stories, letters to the editor, polls, challenging
others to gameplay, swapping digital collectibles,
participating in monitored ‘chat’ with celebrities’’);
The Walt Disney Co. (comment 170), at 21.
26 See Direct Marketing Association (comment
37), at 17; Entertainment Software Association
(comment 47), at 9; Scholastic (comment 144), at
12; Adam Thierer (comment 162), at 6; TRUSTe
(comment 164), at 3; The Walt Disney Co. (comment
170), at 21–22.
27 See 1999 Statement of Basis and Purpose, 64
FR at 59892.
28 See Direct Marketing Association (comment
37), at 16–17; Entertainment Software Association
(comment 47), at 9–10; Adam Thierer (comment
162), at 6; TRUSTe (comment 164), at 3–4; The Walt
Disney Co. (comment 170), at 21–22.
29 Id. at 59891, n.49 (‘‘Another example of ‘online
contact information’ could be a screen name that
also serves as an email address’’).
30 See 2011 COPPA NPRM, 76 FR at 59810
(proposed definition of online contact information).
Therefore, the Commission proposes to
modify paragraph (d) of the definition of
personal information as follows:
Personal information means individually
identifiable information about an individual
collected online, including:
* * * * *
(d) A screen or user name where it
functions in the same manner as online
contact information, as defined in this
Section;
* * * * *
2. Persistent Identifiers and Support for
Internal Operations
In the September 2011 COPPA NPRM,
the Commission proposed changes to
the definition of personal information
that, among other things, would have
included ‘‘[a] persistent identifier,
including but not limited to, a customer
number held in a cookie, an Internet
Protocol (IP) address, a processor or
device serial number, or unique device
identifier, where such persistent
identifier is used for functions other
than or in addition to support for the
internal operations of the Web site or
online service.’’ 31 The Commission also
proposed to include in the definition of
personal information ‘‘identifiers that
link the activities of a child across
different Web sites or online
services.’’ 32 As stated in the 2011
COPPA NPRM, these changes were
intended to ‘‘require parental
notification and consent prior to the
collection of persistent identifiers where
they are used for purposes such as
amassing data on a child’s online
activities or behaviorally targeting
advertising to the child.’’ 33 By carving
out exceptions for support for internal
operations, the Commission stated it
intended to exempt from COPPA’s
coverage the collection and use of
identifiers for authenticating users,
improving site navigation, maintaining
user preferences, serving contextual
advertisements, protecting against fraud
or theft, or otherwise personalizing,
improving upon, or securing a Web site
or online service.34
The Commission received numerous
comments on the proposed inclusion of
persistent identifiers within the
definition of personal information.
Consumer advocacy organizations,
including the Center for Digital
Democracy (‘‘CDD’’), Consumers Union
(‘‘CU’’), and the Electronic Privacy
Information Center (‘‘EPIC’’), fully
supported the proposal, finding that,
31 See 2011 COPPA NPRM, 76 FR at 59812
(proposed definition of personal information,
paragraph (g)).
32 Id. (proposed definition of paragraph (h)).
33 Id.
34 Id.
increasingly, particular devices are
associated with particular individuals,
and the collection of identifiers permits
direct contact with individuals online.35
In addition to these advocacy groups,
nearly 200 individual consumers filed
comments supporting the inclusion of
IP address within the Rule’s definition
of personal information.
By contrast, the overwhelming
majority of the comments filed by Web
site operators, industry associations,
privacy experts, and
telecommunications companies
opposed the Commission’s expansion of
the definition of personal information to
reach persistent identifiers, even with
the limitation to activities other than or
in addition to support for internal
operations. Most of these commenters
claimed that the collection of one or
more persistent identifiers only permits
online contact with a device and not
with a specific individual.36 These
commenters also expressed concern
about the breadth and potential
vagueness of the proposed paragraph (h)
defining as personal information ‘‘an
identifier that links the activities of a
child across different Web sites or
online services.’’ Among the concerns
raised about (h) were the lack of clarity
about the term ‘‘different Web sites or
online services,’’ 37 including whether
this term is intended to cover identifiers
collected by a single operator across
multiple platforms 38 or a child’s
activities within or between affiliated
Web sites or online services.39
Several commenters urged the
Commission to alter its approach to
persistent identifiers to focus more
directly on their use, or potential
misuse, rather than on their collection.40
35 See CU (comment 29), at 3; EPIC (comment 41),
at 8; CDD (comment 71), at 29.
36 See Computer and Communications Industry
Association (comment 27), at 3–5; CTIA (comment
32), at 7–8; eBay (comment 40), at 5; Future of
Privacy Forum (comment 55), at 2–3; Information
Technology Industry Council (comment 70), at 3–
4; Intel (comment 72), at 4–6; IAB (comment 73),
at 4–6; KidSafe Seal Program (comment 81), at 6–
7; TechAmerica (comment 159), at 3–5; Promotion
Marketing Association (comment 133), at 10–12;
TRUSTe (comment 164), at 4–6; Yahoo! (comment
180), at 7–8; Toy Industry Association (comment
163), at 8–10.
37 See IAB (comment 73), at 5; KidSafe Seal
Program (comment 81), at 9; Scholastic (comment
144), at 14; TRUSTe (comment 164), at 5–6; The
Walt Disney Co. (comment 170), at 20–21;
WiredSafety (comment 177), at 11.
38 See Scholastic (comment 144), at 14; TRUSTe
(comment 164), at 5.
39 See The Walt Disney Co. (comment 170), at 22.
40 ‘‘A straightforward way to regulate the ability
of operators to target children with behavioral
advertising would be to simply prohibit operators
from engaging in the practice as it has previously
been defined by the FTC. But the FTC instead
focuses on the types of information operators collect
rather than on how operators use the information.’’
Moreover, several commenters
maintained that the proposed definition
of support for internal operations is too
narrow to cover the very types of
activities the Commission intended to
permit, e.g., user authentication,
improving site navigation, maintaining
user preferences, serving contextual
advertisements, and protecting against
fraud or theft.41 Others raised concerns
that it was unclear whether the
collection of data within persistent
identifiers for the purpose of performing
site performance or functioning
analyses, or analytics, would be
included within the definition of
support for internal operations.42
In response to these concerns, the
Commission is proposing revised
language for the definitions regarding
persistent identifiers and support for
internal operations. The proposed
revised language is intended to: (1)
Address the concerns about the
confusion caused by having two
different sub-definitions dealing with
persistent identifiers, paragraphs (g) and
(h); and (2) provide more specificity to
the types of activities that will be
considered support for internal
operations.
The newly proposed definition
regarding persistent identifiers is:
Personal information means individually
identifiable information about an individual
collected online, including:
(g) A persistent identifier that can be used
to recognize a user over time, or across
different Web sites or online services, where
such persistent identifier is used for
functions other than or in addition to support
for the internal operations of the Web site or
online service. Such persistent identifier
includes, but is not limited to, a customer
number held in a cookie, an Internet Protocol
(IP) address, a processor or device serial
number, or unique device identifier;
* * * * *
This proposal combines the two
previous definitions into one and makes
clear that an operator can only identify
users over time or across Web sites for
the enumerated activities set forth in the
definition of support for internal
operations.
Future of Privacy Forum (comment 55), at 2; see
also VISA, Inc. (comment 168), at 2; WiredTrust
(comment 177), at 11.
41 See CTIA (comment 32), at 15; KidSafe Seal
Program (comment 81), at 6–7; Scholastic (comment
144), at 13; Toy Industry Association (comment
163), at 10; TRUSTe (comment 164), at 8; The Walt
Disney Co. (comment 170), at 7; WiredSafety
(comment 177), at 13.
42 Association for Competitive Technology
(comment 5), at 5; CTIA (comment 32), at 14; Direct
Marketing Association (comment 37), at 14–15; IAB
(comment 73), at 4; NCTA (comment 113), at 15;
Scholastic (comment 144), at 14; TechFreedom
(comment 159), at 9–10; Toy Industry Association
(comment 163), at 7, 9; TRUSTe (comment 164), at
5; WiredTrust (comment 177), at 11.
The newly proposed definition of
support for internal operations is:
Support for the internal operations of the
Web site or online service means those
activities necessary to: (a) Maintain or
analyze the functioning of the Web site or
online service; (b) perform network
communications; (c) authenticate users of, or
personalize the content on, the Web site or
online service; (d) serve contextual
advertising on the Web site or online service;
(e) protect the security or integrity of the
user, Web site, or online service; or (f) fulfill
a request of a child as permitted by §§
312.5(c)(3) and (4); so long as the information
collected for the activities listed in (a)–(f) is
not used or disclosed to contact a specific
individual or for any other purpose.
This revision incorporates into the
Rule many of the types of activities (user
authentication, maintaining user
preferences, serving contextual
advertisements, and protecting against
fraud or theft) that the Commission
initially discussed as permissible in the
2011 COPPA NPRM.43 It would also
specifically permit the collection of
persistent identifiers for functions
related to site maintenance and analysis,
and to perform network
communications, that many
commenters view as crucial to their
ongoing operations.44 The Commission
notes the importance of the proviso at
the end of the proposed definition: To
be considered support for internal
operations, none of the information
collected may be used or disclosed to
contact a specific individual, including
through the use of behaviorally-targeted
advertising, or for any other purpose.
III. Request for Comment
The Commission invites interested
persons to submit written comments on
any issue of fact, law, or policy that may
bear upon the proposals under
consideration. Please include
explanations for any answers provided,
as well as supporting evidence where
appropriate. After evaluating the
comments, the Commission will
determine whether to issue specific
amendments.
Comments should refer to ‘‘COPPA
Rule Review: FTC File No. P104503’’ to
facilitate the organization of comments.
Please note that your comment,
including your name and your state,
will be placed on the public record of
43 See 2011 COPPA NPRM, 76 FR at 59812.
44 This proposed revised definition is consistent
with the Commission’s position in its recent
privacy report that notice need not be provided to
consumers regarding data practices that are
sufficiently accepted or necessary for public policy
reasons. See FTC, Protecting Consumer Privacy in
an Era of Rapid Change: Recommendations for
Businesses and Policymakers, at 36, 38–40,
available at https://ftc.gov/os/2012/03/120326privacyreport.pdf.
this proceeding, including on the
publicly accessible FTC Web site, at
https://www.ftc.gov/os/
publiccomments.shtm. Comments must
be received on or before September 10,
2012, to be considered by the
Commission.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before September 10, 2012. Write
‘‘COPPA Rule Review, 16 CFR Part 312,
Project No. P104503’’ on your comment.
Your comment, including your name
and your state, will be placed on the
public record of this proceeding,
including, to the extent practicable, on
the public Commission Web site, at
https://www.ftc.gov/os/
publiccomments.shtm. As a matter of
discretion, the Commission tries to
remove individuals’ home contact
information from comments before
placing them on the Commission Web
site.
Because your comment will be made
public, you are solely responsible for
making sure that your comment does
not include any sensitive personal
information, such as anyone’s Social
Security number, date of birth, driver’s
license number or other state
identification number or foreign country
equivalent, passport number, financial
account number, or credit or debit card
number. You are also solely responsible
for making sure that your comment does
not include any sensitive health
information, such as medical records or
other individually identifiable health
information. In addition, do not include
any ‘‘[t]rade secret or any commercial or
financial information which is obtained
from any person and which is privileged
or confidential,’’ as provided in Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2).
In particular, don’t include
competitively sensitive information
such as costs, sales statistics,
inventories, formulas, patterns, devices,
manufacturing processes, or customer
names.
If you want the Commission to give
your comment confidential treatment,
you must file it in paper form, with a
request for confidential treatment, and
you must follow the procedure
explained in FTC Rule 4.9(c), 16 CFR
4.9(c).45 Your comment will be kept
confidential only if the FTC General
Counsel, in his or her sole discretion,
45 In particular, the written request for
confidential treatment that accompanies the
comment must include the factual and legal basis
for the request, and must identify the specific
portions of the comment to be withheld from the
public record. See FTC Rule 4.9(c), 16 CFR 4.9(c).
grants your request in accordance with
the law and the public interest.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at https://
ftcpublic.commentworks.com/ftc/
2012copparulereview, by following the
instructions on the web-based form. If
this document appears at https://
www.regulations.gov/#!home, you also
may file a comment through that Web
site.
If you file your comment on paper,
write ‘‘COPPA Rule Review, 16 CFR
Part 312, Project No. P104503’’ on your
comment and on the envelope, and mail
or deliver it to the following address:
Federal Trade Commission, Office of the
Secretary, Room H–113 (Annex E), 600
Pennsylvania Avenue NW., Washington,
DC 20580. If possible, submit your
paper comment to the Commission by
courier or overnight service.
Visit the Commission Web site at
https://www.ftc.gov to read this
document and the news release
describing it. The FTC Act and other
laws that the Commission administers
permit the collection of public
comments to consider and use in this
proceeding as appropriate. The
Commission will consider all timely
and responsive public comments that it
receives on or before September 10,
2012.46 You can find more information,
including routine uses permitted by the
Privacy Act, in the Commission’s
privacy policy, at https://www.ftc.gov/
ftc/privacy.htm.
Comments on any proposed
recordkeeping, disclosure, or reporting
requirements subject to review under
the Paperwork Reduction Act should
additionally be submitted to OMB. If
sent by U.S. mail, they should be
addressed to Office of Information and
Regulatory Affairs, Office of
Management and Budget, Attention:
Desk Officer for the Federal Trade
Commission, New Executive Office
Building, Docket Library, Room 10102,
725 17th Street NW., Washington, DC
20503. Comments sent to OMB by U.S.
postal mail, however, are subject to
delays due to heightened security
precautions. Thus, comments instead
should be sent by facsimile to (202)
395–5167.
IV. Regulatory Flexibility Act
The Regulatory Flexibility Act of 1980
(‘‘RFA’’), 5 U.S.C. 601 et seq., requires
46 Questions for the public regarding proposed
revisions to the Rule are found at Part VII, infra.
a description and analysis of proposed
and final rules that will have significant
economic impact on a substantial
number of small entities. The RFA
requires an agency to provide an Initial
Regulatory Flexibility Analysis
(‘‘IRFA’’) with the proposed Rule, and a
Final Regulatory Flexibility Analysis
(‘‘FRFA’’), if any, with the final Rule.47
The Commission is not required to make
such analyses if a Rule would not have
such an economic effect.48
As described below, the Commission
anticipates that the proposed changes to
the Rule addressed in this Revised
COPPA NPRM will result in more Web
sites and online services being subject to
the Rule and to the Rule’s disclosure,
reporting, and compliance
requirements. The Commission believes
that a number of operators of Web sites
and online services potentially affected
by these revisions are small entities as
defined by the RFA. It is unclear
whether the Revised COPPA NPRM will
have a significant economic impact on
these small entities. Thus, to obtain
more information about the impact of
the Revised COPPA NPRM on small
entities, the Commission has decided to
publish the following IRFA pursuant to
the RFA and to request public comment
on the impact on small businesses of its
Revised COPPA NPRM.
A. Description of the Reasons That
Agency Action Is Being Considered
As described in Part I above, in
September 2011, the Commission issued
a Notice of Proposed Rulemaking setting
forth proposed changes to the
Commission’s COPPA Rule. Among
other things, the Commission proposed
modifying the Rule’s definitions of
personal information to include
persistent identifiers and screen or user
names other than where they are used
to support internal operations, and Web
site or online service directed to
children to include additional indicia
that a site or service may be targeted to
children. The Commission received over
350 comments on the proposed changes,
a number of which addressed the
proposed changes to these two
definitions. After reviewing these
comments, and based upon its
experience in enforcing and
administering the Rule, the Commission
now proposes additional modifications
to the definitions of personal
information, support for internal
operations, and Web site or online
service directed to children, and also
proposes to modify the definition of
operator.
47 See 5 U.S.C. 603–04.
48 See 5 U.S.C. 605.
B. Succinct Statement of the Objectives
of, and Legal Basis for, the Additional
Proposed Modifications to the Rule’s
Definitions
The objectives of the additional
proposed modifications to the Rule’s
definitions are to update the Rule to
ensure that children’s online privacy
continues to be protected, as directed by
Congress, even as new online
technologies evolve, and to clarify
existing obligations for operators under
the Rule. The legal basis for the
proposed amendments is the Children’s
Online Privacy Protection Act, 15 U.S.C.
6501 et seq.
C. Description and Estimate of the
Number of Small Entities to Which the
Proposed Modifications to the Rule’s
Definitions Will Apply
The proposed modifications to the
Rule’s definitions will affect operators
of Web sites and online services
directed to children, as well as those
operators that have actual knowledge
that they are collecting personal
information from children. The
proposed Rule amendments will impose
costs on entities that are ‘‘operators’’
under the Rule.
The Commission staff is unaware of
any empirical evidence concerning the
number of operators subject to the Rule.
However, based on the public comments
received and the modifications
proposed here, the Commission staff
estimates that approximately 500
additional operators may newly be
subject to the Rule’s requirements and
that there will be approximately 125
new operators per year for a prospective
three-year period.
Under the Small Business Size
Standards issued by the Small Business
Administration, ‘‘Internet publishing
and broadcasting and web search
portals’’ qualify as small businesses if
they have fewer than 500 employees.49
The Commission staff now estimates
that approximately 85–90% of operators
potentially subject to the Rule qualify as
small entities; this projection is revised
upward from the Commission’s prior
estimate of 80% set forth in the 2011
COPPA NPRM to take into account the
growing market for mobile applications,
many of which may be subject to the
proposed revised Rule. The Commission
staff bases this revised higher estimate
on its experience in this area, which
includes its law enforcement activities,
discussions with industry members,
49 See U.S. Small Business Administration Table
of Small Business Size Standards Matched to North
American Industry Classification System Codes,
available at https://www.sba.gov/sites/default/files/
files/Size_Standards_Table.pdf.
privacy professionals, and advocates,
and oversight of COPPA safe harbor
programs. The Commission seeks
comment and information with regard
to the estimated number or nature of
small business entities on which the
proposed Rule would have a significant
economic impact.
D. Description of the Projected
Reporting, Recordkeeping, and Other
Compliance Requirements
The proposed amended Rule would
impose reporting, recordkeeping, and
other compliance requirements within
the meaning of the Paperwork
Reduction Act, as set forth in Part II of
this Notice of Proposed Rulemaking.
Therefore, the Commission is
submitting the proposed revised
modifications to the Rule’s definitions
to OMB for review before issuing a final
rule.
The proposed revised modifications
to the Rule’s definitions likely would
increase the number of operators subject
to the proposed revised Rule’s
recordkeeping, reporting, and other
compliance requirements. In particular,
the proposed revised definition of
operator will potentially cover
additional child-directed Web sites and
online services that choose to integrate
other services that collect personal
information from visitors. Similarly, the
proposed addition of paragraph (d) to
the definition of Web site or online
service directed to children, which
clarifies that the Rule covers a Web site
or online service that knows or has
reason to know it is collecting personal
information through any Web site or
online service directed to children, will
potentially cover additional Web sites
and online services. These proposed
improvements to the Rule may entail
some added cost burden to operators,
including those that qualify as small
entities. However, the proposed
addition of paragraph (c) to the
definition of Web site or online service
directed to children, and the proposed
modifications to the definitions of
personal information and support for
internal operations, may offset the
added burdens discussed above, by
potentially decreasing certain operators’
recordkeeping, reporting, and other
compliance requirements.
The estimated burden imposed by
these proposed modifications to the
Rule’s definitions is discussed in the
Paperwork Reduction Act section of this
document, and there should be no
difference in that burden as applied to
small businesses. While the Rule’s
compliance obligations apply equally to
all entities subject to the Rule, it is
unclear whether the economic burden
on small entities will be the same as or
greater than the burden on other
entities. That determination would
depend upon a particular entity’s
compliance costs, some of which may
be largely fixed for all entities (e.g., Web
site programming) and others that may
be variable (e.g., choosing to operate a
family friendly Web site or online
service), and the entity’s income or
profit from operation of the Web site or
online service (e.g., membership fees) or
from related sources (e.g., revenue from
marketing to children through the site or
service). As explained in the Paperwork
Reduction Act section, in order to
comply with the Rule’s requirements,
operators will require the professional
skills of legal (lawyers or similar
professionals) and technical (e.g.,
computer programmers) personnel. As
explained earlier, the Commission staff
estimates that there are approximately
500 additional Web site or online
services that would newly qualify as
operators under the proposed
modifications to the Rule’s definitions,
that there will be approximately 125
new operators per year for a three-year
period, and that approximately 85–90%
of all such operators would qualify as
small entities under the SBA’s Small
Business Size standards. The
Commission invites comment and
information on these issues.
E. Identification of Other Duplicative,
Overlapping, or Conflicting Federal
Rules
The Commission has not identified
any other federal statutes, rules, or
policies that would duplicate, overlap,
or conflict with the proposed Rule. The
Commission invites comment and
information on this issue.
F. Description of Any Significant
Alternatives to the Proposed
Modifications to the Rule’s Definitions
In drafting the proposed
modifications to the Rule’s definitions,
the Commission has attempted to avoid
unduly burdensome requirements for
entities. The Commission believes that
the proposed modifications will
advance the goal of children’s online
privacy in accordance with COPPA. For
each of the proposed modifications, the
Commission has taken into account the
concerns evidenced by the record to
date. On balance, the Commission
believes that the benefits to children
and their parents outweigh the costs of
implementation to industry.
The Commission has considered, but
has decided not to propose, an
exemption for small businesses. The
primary purpose of COPPA is to protect
children’s online privacy by requiring
verifiable parental consent before an
operator collects personal information.
The record and the Commission’s
enforcement experience have shown
that the threats to children’s privacy are
just as great, if not greater, from small
businesses or even individuals than
from large businesses.50 Accordingly, an
exemption for small businesses would
undermine the very purpose of the
statute and Rule.
While the proposed modifications to
the Rule’s definitions potentially will
increase the number of Web site and
online service operators subject to the
Rule, the Rule continues to provide
regulated entities with the flexibility to
select the most appropriate, cost-effective, technologies to achieve
COPPA’s objective results. For example,
the proposed new definition of support
for internal operations is intended to
provide operators with the flexibility to
conduct their information collections in
a manner they choose consistent with
ordinary operation, enhancement, or
security measures. Moreover, the
proposed changes to Web site or online
service directed to children would
provide greater flexibility to family
friendly sites and services in developing
mechanisms to provide the COPPA
protections to child visitors.
The Commission seeks comments on
ways in which the Rule could be
modified to reduce any costs or burdens
for small entities.
V. Paperwork Reduction Act
The existing Rule contains
recordkeeping, disclosure, and reporting
requirements that constitute
‘‘information collection requirements’’
as defined by 5 CFR 1320.3(c) under the
OMB regulations that implement the
Paperwork Reduction Act (‘‘PRA’’), 44
U.S.C. 3501 et seq. OMB has approved
the Rule’s existing information
collection requirements through July 31,
2014 (OMB Control No. 3084–0117).
The proposed modifications to the
Rule’s definitions would change the
definitions of operator and Web site or
online service directed to children,
potentially increasing the number of
operators subject to the Rule. However,
50 See, e.g., United States v. RockYou, Inc., No.
3:12–cv–01487–SI (N.D. Cal., entered Mar. 27,
2012); United States v. Godwin, No. 1:11–cv–
03846–JOF (N.D. Ga., entered Feb. 1, 2012); United
States v. W3 Innovations, LLC, No. CV–11–03958
(N.D. Cal., filed Aug. 12, 2011); United States v.
Industrious Kid, Inc., No. CV–08–0639 (N.D. Cal.,
filed Jan. 28, 2008); United States v. Xanga.com,
Inc., No. 06–CIV–6853 (S.D.N.Y., entered Sept. 11,
2006); United States v. Bonzi Software, Inc., No.
CV–04–1048 (C.D. Cal., filed Feb. 17, 2004); United
States v. Looksmart, Ltd., Civil Action No. 01–605–
A (E.D. Va., filed Apr. 18, 2001); United States v.
Bigmailbox.Com, Inc., Civil Action No. 01–606–B
(E.D. Va., filed Apr. 18, 2001).
the proposed modifications to the
definitions of personal information and
support for internal operations may
offset these added burdens by
potentially decreasing certain operators’
recordkeeping, reporting, and other
compliance requirements. Thus, the
Commission is providing PRA burden
estimates for the proposed
modifications, set forth below.
The Commission invites comments
on: (1) Whether the proposed collection
of information is necessary for the
proper performance of the functions of
the agency, including whether the
information shall have practical utility;
(2) the accuracy of the FTC’s estimate of
the burden of the proposed collection of
information; (3) ways to enhance the
quality, utility, and clarity of the
information to be collected; and (4)
ways to minimize the burden of
collecting information.
Estimated Additional Annual Hours
Burden
A. Number of Respondents
Commission staff estimates that there
will be approximately 500 existing
operators of Web sites or online services
that likely will be newly covered as a
result of the modifications proposed
herein. This projected number is based
upon the Commission staff’s expectation
that altering the definitions of operator
and Web site or online service directed
to children will expand the pool of
covered operators. Other proposed
modifications, however, should offset
some of this potential expansion.
Specifically, these offsets include
clarification of the definition of support
for internal operations and the carve-out
from the definition of Web site or online
service directed to children of family
friendly sites and services that take
particular measures. The Commission
also anticipates that some operators of
Web sites or online services will make
adjustments to their information
collection practices so that they will not
be collecting personal information from
children, as defined by the proposed
revised Rule.
Further, Commission staff estimates
that 125 additional new operators per
year (over a prospective three-year PRA
clearance period 51) will be covered by
the Rule through the proposed
modifications. This is incremental to the
previously cleared FTC estimates of 100
new operators per year for the current
Rule.
51 Under the PRA, agencies may seek a maximum
of three years’ clearance for a collection of
information. 44 U.S.C. 3507(g).
B. Recordkeeping Hours
The proposed modifications to the
Rule’s definitions will not impose
incremental recordkeeping requirements
on operators.
E. Labor Costs
(1) Recordkeeping
The Commission staff assumes that
the time spent on compliance for new
operators and existing operators that
would be newly covered by the Rule’s
proposed modifications would be
apportioned five to one between legal
(lawyers or similar professionals) and
technical (e.g., computer programmers,
software developers, and information
security analysts) personnel.53
Moreover, based on Bureau of Labor
Statistics compiled data, FTC staff
assumes for compliance cost estimates a
mean hourly rate of $180 for legal
assistance and $42 for technical labor
support.54
Thus, for the estimated 125 additional
new operators per year, 7,500
cumulative disclosure hours would be
composed of 6,250 hours of legal
assistance and 1,250 hours of technical
support. Applied to hourly rates of $180
and $42, respectively,
associated labor costs for the 125
additional new operators potentially
subject to the proposed amendments
would be $1,177,500.
Similarly, for the estimated 500
existing operators that would be newly
covered by the proposed definitional
changes, 10,000 cumulative disclosure
hours would consist of 8,333 hours of
legal assistance and 1,667 hours for
technical support. Applied at hourly
rates of $180 and $42, respectively,
associated labor costs would total
$1,569,954. Thus, cumulative labor
costs for new and existing operators that
would be additionally subject to the
Rule through the proposed amendments
would be $2,747,454.
C. Disclosure Hours
(1) New Operators’ Disclosure Burden
Under the existing OMB clearance for
the Rule, the FTC has estimated that
new operators will each spend
approximately 60 hours to craft a
privacy policy, design mechanisms to
provide the required online privacy
notice and, where applicable, direct
notice to parents in order to obtain
verifiable consent. Several commenters
noted that this 60-hour estimate failed
to take into account accurate costs of
compliance with the Rule.52 None of
these commenters, however, provided
the Commission with empirical data or
specific evidence on the number of
hours such activities require. Thus, the
Commission does not have sufficient
information at present to revise its
earlier hours estimate. Applying this
estimate of 60 hours per new operator
to the above-stated estimate of 125 new
operators yields an estimated 7,500
additional disclosure hours,
cumulatively.
(2) Existing Operators’ Disclosure
Burden
tkelley on DSK3SPTVN1PROD with PROPOSALS
The proposed modifications to the
Rule’s definitions will not impose
incremental disclosure time per entity,
but, as noted above, would result in an
estimated 500 additional existing
operators that would be covered by the
Rule. These entities will have a onetime burden to re-design their existing
privacy policies and direct notice
procedures that would not carry over to
the second and third years of
prospective PRA clearance. The
Commission estimates that an existing
operator’s time to make these changes
would be no more than that for a new
entrant crafting its online and direct
notices for the first time, i.e., 60 hours.
Annualized over three years of PRA
clearance, this amounts to 20 hours ((60
hours + 0 + 0) ÷ 3) per year. Aggregated
for the estimated 500 existing operators
that would be newly subject to the Rule,
annualized disclosure burden would be
10,000 hours.
D. Reporting Hours
The proposed modifications to the
Rule’s definitions will not impose
incremental reporting hours
requirements.
52 See Nancy Savitt (comment 142), at 1; NCTA
(comment 113), at 23–24.
VerDate Mar<15>2010
16:04 Aug 03, 2012
Jkt 226001
None.
(2) Disclosure
(3) Reporting
None.
F. Non-Labor/Capital Costs
None.
53 See 76 FR 7211, 7212–7213 (Feb. 9, 2011); 76
FR 31334, 31335 n. 1 (May 31, 2011) (FTC notices
for renewing OMB clearance for the COPPA Rule).
54 The estimated rate of $180 per hour is roughly
midway between Bureau of Labor Statistics (BLS)
mean hourly wages for lawyers ($62.74) in the most
recent annual compilation available online and
what Commission staff believes more generally
reflects hourly attorney costs ($300) associated with
Commission information collection activities. The
estimate of mean hourly wages of $42 is based on
an average of the salaries for computer
programmers, software developers, information
security analysts, and web developers as reported
by the Bureau of Labor Standards. See National
Occupational and Wages—May 2011, available at
https://www.bls.gov/news.release/archives/
ocwage_03272012.pdf.
VI. Communications by Outside Parties
to the Commissioners or Their Advisors
Written communications and
summaries or transcripts of oral
communications respecting the merits
of this proceeding, from any outside
party to any Commissioner or
Commissioner’s advisor, will be placed
on the public record. See 16 CFR
1.26(b)(5).
VII. Questions for the Proposed
Revisions to the Rule
The Commission is seeking comment
on various aspects of the proposed Rule,
and is particularly interested in
receiving comment on the questions that
follow. These questions are designed to
assist the public and should not be
construed as a limitation on the issues
on which public comment may be
submitted in response to this notice.
Responses to these questions should cite
the numbers and subsection of the
questions being answered. For all
comments submitted, please submit any
relevant data, statistics, or any other
evidence upon which those comments
are based.
Definition of On Whose Behalf Such
Information Is Collected or Maintained
1. The Commission proposes to revise
the definition of operator to indicate
that personal information is collected or
maintained on behalf of an operator
where it is collected in the interest of,
as a representative of, or for the benefit
of, the operator.
a. Is the proposed language
sufficiently clear to cover Web sites or
online services where they permit the
collection of personal information by
parties such as advertising networks,
providers of downloadable software
kits, or ‘‘social plug-ins’’?
b. Do the proposed requirements of
this provision provide sufficient
guidance and clarity for an operator
who does not otherwise collect personal
information from children?
c. Is the proposed language
sufficiently narrow to exclude entities
that merely provide access to the
Internet without providing content or
collecting information from children?
d. Does the proposed language present
any practical or technical challenges for
implementation by the operator? If so,
please describe such challenges in
detail.
Definition of Web Site or Online Service
Directed to Children
2. The Commission proposes to
identify four categories of Web sites or
online services directed to children
(paragraphs (a)–(d)). Does the proposed
revised definition adequately capture all
instances where a Web site or online
service may be directed to children?
3. Is the newly proposed paragraph (c)
within the definition of Web site or
online service directed to children
sufficiently clear to provide guidance to
an operator as to when the operator is
permitted to screen users for age and is
required to comply with COPPA?
4. The Commission proposes to cover
as a Web site or online service directed
to children an operator who knows or
has reason to know that it is collecting
personal information through a child-directed
site or service (paragraph (d)).
a. Is the ‘‘knows or has reason to
know’’ standard appropriate in this
case? Should the standard be
broadened, or should it be narrowed, in
any way?
b. What are the costs and benefits to
operators, parents, and children of the
proposed revisions?
c. Does the proposed language present
any practical or technical challenges for
implementation by the operator? If so,
please describe such challenges in
detail.
5. Is there currently technology in use
or available that would enable Web sites
or online services to publicly signal
(through code or otherwise) that they
are sites or services ‘‘directed to
children’’? What are the costs and
benefits of the voluntary use of such
technology?
Definition of Personal Information
Screen or User Names
6. The Commission proposes revising
the definition of personal information to
include screen or user name where it
functions in the same manner as online
contact information, i.e., where it acts as
an identifier that permits direct contact
with a person online. Are there any
other instances not identified by the
Commission in which a screen or user
name can be used to contact a specific
child?
Persistent Identifiers and Support for
Internal Operations
7. The Commission proposes to
combine the sub-definitions of personal
information in proposed paragraphs (g)
and (h) covering persistent identifiers,
and to broaden the definition of support
for internal operations.
a. Is the proposed language
sufficiently clear?
b. What are the costs and benefits to
operators, parents, and children of the
proposed revisions?
c. Do the proposed revisions present
any practical or technical challenges for
implementation by the operator? If so,
please describe such challenges in
detail.
Paperwork Reduction Act
8. The Commission solicits comments
on whether the changes to the
definitions (§ 312.2) constitute
‘‘collections of information’’ within the
meaning of the Paperwork Reduction
Act. The Commission requests
comments that will enable it to:
a. Evaluate whether the proposed
collections of information are necessary
for the proper performance of the
functions of the agency, including
whether the information will have
practical utility;
b. Evaluate the accuracy of the
agency’s estimate of the burden of the
proposed collections of information,
including the validity of the
methodology and assumptions used;
c. Enhance the quality, utility, and
clarity of the information to be
collected; and,
d. Minimize the burden of the
collections of information on those who
must comply, including through the use
of appropriate automated, electronic,
mechanical, or other technological
collection techniques or other forms of
information technology.
VIII. Proposed Revisions to the Rule
List of Subjects in 16 CFR Part 312
Children, Communications, Consumer
protection, Electronic mail, Email,
Internet, Online service, Privacy, Record
retention, Safety, Science and
technology, Trade practices, Web site,
Youth.
For the reasons discussed above, the
Commission proposes to amend part
312 of Title 16, Code of Federal
Regulations, as follows:
PART 312—CHILDREN’S ONLINE
PRIVACY PROTECTION RULE
1. The authority citation for part 312
continues to read as follows:
Authority: 15 U.S.C. 6501–6508.
2. Amend § 312.2 by revising the
definitions of operator, personal
information, and Web sites or online
services directed to children, and by
adding after the definition of personal
information a new definition of support
for internal operations of the Web site or
online service, to read as follows:
§ 312.2 Definitions.
* * * * *
Operator means any person who
operates a Web site located on the
Internet or an online service and who
collects or maintains personal
information from or about the users of
or visitors to such Web site or online
service, or on whose behalf such
information is collected or maintained,
or offers products or services for sale
through that Web site or online service,
where such Web site or online service
is operated for commercial purposes
involving commerce:
(a) Among the several States or with
1 or more foreign nations;
(b) In any territory of the United
States or in the District of Columbia, or
between any such territory and
(1) Another such territory, or,
(2) Any State or foreign nation; or,
(c) Between the District of Columbia
and any State, territory, or foreign
nation. This definition does not include
any nonprofit entity that would
otherwise be exempt from coverage
under Section 5 of the Federal Trade
Commission Act (15 U.S.C. 45).
Personal information is collected or
maintained on behalf of an operator
where it is collected in the interest of,
as a representative of, or for the benefit
of, the operator.
* * * * *
Personal information means
individually identifiable information
about an individual collected online,
including:
(a) A first and last name;
(b) A home or other physical address
including street name and name of a
city or town;
(c) Online contact information as
defined in this Section;
(d) A screen or user name where it
functions in the same manner as online
contact information, as defined in this
Section;
(e) A telephone number;
(f) A Social Security number;
(g) A persistent identifier that can be
used to recognize a user over time, or
across different Web sites or online
services, where such persistent
identifier is used for functions other
than or in addition to support for the
internal operations of the Web site or
online service. Such persistent identifier
includes, but is not limited to, a
customer number held in a cookie, an
Internet Protocol (IP) address, a
processor or device serial number, or
unique device identifier;
(h) A photograph, video, or audio file
where such file contains a child’s image
or voice;
(i) Geolocation information sufficient
to identify street name and name of a
city or town; or,
(j) Information concerning the child or
the parents of that child that the
operator collects online from the child
and combines with an identifier
described in this definition.
Support for the internal operations of
the Web site or online service means
those activities necessary to: (a)
Maintain or analyze the functioning of
the Web site or online service; (b)
perform network communications; (c)
authenticate users of, or personalize the
content on, the Web site or online
service; (d) serve contextual advertising
on the Web site or online service; (e)
protect the security or integrity of the
user, Web site, or online service; or (f)
fulfill a request of a child as permitted
by §§ 312.5(c)(3) and (4); so long as the
information collected for the activities
listed in (a)–(f) is not used or disclosed
to contact a specific individual or for
any other purpose.
* * * * *
Web site or online service directed to
children means a commercial Web site
or online service, or portion thereof,
that:
(a) Knowingly targets children under
age 13 as its primary audience; or,
(b) based on the overall content of the
Web site or online service, is likely to
attract children under age 13 as its
primary audience; or,
(c) based on the overall content of the
Web site or online service, is likely to
attract an audience that includes a
disproportionately large percentage of
children under age 13 as compared to
the percentage of such children in the
general population; provided however
that such Web site or online service
shall not be deemed to be directed to
children if it: (i) Does not collect
personal information from any visitor
prior to collecting age information; and
(ii) prevents the collection, use, or
disclosure of personal information from
visitors who identify themselves as
under age 13 without first obtaining
verifiable parental consent; or,
(d) knows or has reason to know that
it is collecting personal information
through any Web site or online service
covered under paragraphs (a)–(c).
In determining whether a commercial
Web site or online service, or a portion
thereof, is directed to children, the
Commission will consider its subject
matter, visual content, use of animated
characters or child-oriented activities
and incentives, music or other audio
content, age of models, presence of
child celebrities or celebrities who
appeal to children, language or other
characteristics of the Web site or online
service, as well as whether advertising
promoting or appearing on the Web site
or online service is directed to children.
The Commission will also consider
competent and reliable empirical
evidence regarding audience
composition, and evidence regarding
the intended audience. A commercial
Web site or online service, or a portion
thereof, shall not be deemed directed to
children solely because it refers or links
to a commercial Web site or online
service directed to children by using
information location tools, including a
directory, index, reference, pointer, or
hypertext link.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2012–19115 Filed 8–3–12; 8:45 am]
BILLING CODE 6750–01–P
DEPARTMENT OF THE TREASURY
Internal Revenue Service
26 CFR Part 51
[REG–112805–10]
RIN 1545–BJ39
Branded Prescription Drug Fee;
Hearing
AGENCY: Internal Revenue Service (IRS),
Treasury.
ACTION: Notice of public hearing on
notice proposed rulemaking by cross-reference
to temporary regulations.
SUMMARY: This document provides
notice of public hearing on proposed
regulations relating to the branded
prescription drug fee imposed by the
Affordable Care Act.
DATES: The public hearing is being held
on Friday, November 9, 2012, at 10:00
a.m. The IRS must receive outlines of
the topics to be discussed at the public
hearing by Friday, October 5, 2012.
ADDRESSES: The public hearing is being
held in the IRS Auditorium, Internal
Revenue Service Building, 1111
Constitution Avenue NW., Washington,
DC 20224. Send Submissions to
CC:PA:LPD:PR (REG–112805–10), room
5205, Internal Revenue Service, P.O.
Box 7604, Ben Franklin Station,
Washington, DC 20044. Submissions
may be hand-delivered Monday through
Friday to CC:PA:LPD:PR (REG–112805–
10), Couriers Desk, Internal Revenue
Service, 1111 Constitution Avenue NW.,
Washington, DC or sent electronically
via the Federal eRulemaking Portal at
www.regulations.gov (REG–112805–10).
FOR FURTHER INFORMATION CONTACT:
Concerning the regulations, Celia
Gabrysh (202) 622–3130; concerning
submissions of comments, the hearing
and/or to be placed on the building
access list to attend the hearing Funmi
Taylor at (202) 622–7180 (not toll-free
numbers).
SUPPLEMENTARY INFORMATION: The
subject of the public hearing is the
notice of proposed rulemaking by cross-reference
to temporary regulations
(REG–112805–10) that was published in
the Federal Register on Thursday,
August 18, 2011 (76 FR 51310).
The rules of 26 CFR 601.601(a)(3)
apply to the hearing. Persons who wish
to present oral comments at the hearing
that submitted written comments by
November 16, 2011, must submit an
outline of the topics to be addressed and
the amount of time to be devoted to
each topic.
A period of 10 minutes is allotted to
each person for presenting oral
comments. After the deadline for
receiving outlines has passed, the IRS
will prepare an agenda containing the
schedule of speakers. Copies of the
agenda will be made available, free of
charge, at the hearing or in the Freedom
of Information Reading Room (FOIA RR)
(room 1621) which is located at the 11th
and Pennsylvania Avenue NW.,
entrance, 1111 Constitution Avenue
NW., Washington, DC.
Because of access restrictions, the IRS
will not admit visitors beyond the
immediate entrance area more than 30
minutes before the hearing starts. For
information about having your name
placed on the building access list to
attend the hearing, see the FOR FURTHER
INFORMATION CONTACT section of this
document.
LaNita VanDyke,
Chief, Publications and Regulations Branch,
Legal Processing Division, Associate Chief
Counsel (Procedure and Administration).
[FR Doc. 2012–19074 Filed 8–3–12; 8:45 am]
BILLING CODE 4830–01–P
DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 323
RIN 0790–AI86
[Docket ID: DOD–2012–OS–0018]
Defense Logistics Agency Privacy
Program
AGENCY: Defense Logistics Agency, DoD.
ACTION: Proposed rule with request for
comments.
SUMMARY: The Defense Logistics Agency
(DLA) is proposing to amend the DLA
Privacy Program Regulation. The DLA
Privacy Offices have been repositioned
under the DLA General Counsel;
therefore, responsibilities have been
updated to reflect the repositioning. In
addition, DLA has adopted revisions to
the DoD Privacy Program.
[Federal Register Volume 77, Number 151 (Monday, August 6, 2012)]
[Proposed Rules]
[Pages 46643-46653]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2012-19115]
========================================================================
Proposed Rules
Federal Register
________________________________________________________________________
This section of the FEDERAL REGISTER contains notices to the public of
the proposed issuance of rules and regulations. The purpose of these
notices is to give interested persons an opportunity to participate in
the rule making prior to the adoption of the final rules.
========================================================================
Federal Register / Vol. 77, No. 151 / Monday, August 6, 2012 /
Proposed Rules
[[Page 46643]]
FEDERAL TRADE COMMISSION
16 CFR Part 312
RIN 3084-AB20
Children's Online Privacy Protection Rule
AGENCY: Federal Trade Commission (``FTC'' or ``Commission'').
ACTION: Supplemental notice of proposed rulemaking; request for
comment.
-----------------------------------------------------------------------
SUMMARY: The Commission is proposing to further modify the proposed
definitions of personal information, support for internal operations,
and Web site or online service directed to children, that the FTC has
proposed previously under its Rule implementing the Children's Online
Privacy Protection Act (``COPPA Rule''), and further proposes to revise
the Rule's definition of operator. These proposed revisions, which are
based on the FTC's review of public comments and its enforcement
experience, are intended to clarify the scope of the Rule and
strengthen its protections for children's personal information. The
Commission is not adopting any final amendments to the COPPA Rule at
this time and continues to consider comments submitted in response to
its Notice of Proposed Rulemaking issued in September 2011.
DATES: Written comments must be received on or before September 10,
2012.
ADDRESSES: Interested parties may file a comment online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write ``COPPA Rule Review, 16
CFR Part 312, Project No. P104503'' on your comment, and file your
comment online at https://ftcpublic.commentworks.com/ftc/2012copparulereview, by following the instructions on the web-based
form. If you prefer to file your comment on paper, mail or deliver your
comment to the following address: Federal Trade Commission, Office of
the Secretary, Room H-113 (Annex E), 600 Pennsylvania Avenue NW.,
Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: Phyllis H. Marcus or Mamie Kresses,
Attorneys, Division of Advertising Practices, Bureau of Consumer
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW.,
Washington, DC 20580, (202) 326-2854 or (202) 326-2070.
SUPPLEMENTARY INFORMATION:
I. Background
In September 2011, the FTC issued a Notice of Proposed Rulemaking
setting forth proposed changes to the Commission's COPPA Rule. Among
other things, the Commission proposed modifying the Rule's definition
of personal information to include persistent identifiers and screen or
user names other than where they are used to support internal
operations, and Web site or online service directed to children to
include additional indicia that a site or service may be targeted to
children.\1\ The Commission received over 350 comments, a number of
which addressed the proposed changes to these two definitions.\2\ After
reviewing these comments, and based upon its experience in enforcing
and administering the Rule, the Commission now proposes to modify the
definition of operator, and proposes additional modifications to the
definitions of Web site or online service directed to children,
personal information, and support for internal operations.
---------------------------------------------------------------------------
\1\ Id.
\2\ Public comments in response to the Commission's September
27, 2011, Federal Register document are located at https://www.ftc.gov/os/comments/copparulereview2011/. Comments have been
numbered based upon alphabetical order. Comments are cited herein by
commenter name, comment number, and, where applicable, page number.
---------------------------------------------------------------------------
The Commission proposes modifying the definition of both operator
and Web site or online service directed to children to allocate and
clarify the responsibilities under COPPA when independent entities or
third parties, e.g., advertising networks or downloadable software kits
(``plug-ins''), collect information from users through child-directed
sites and services. As described below, previous Commission statements
suggested that the responsibility for providing notice to parents and
obtaining verifiable parental consent to the collection of personal
information from children rested entirely with the information
collection entity and not with the child-directed site operator. The
Commission now believes that the most effective way to implement the
intent of Congress is to hold both the child-directed site or service
and the information-collecting site or service responsible as covered
co-operators. Sites and services whose content is directed to children,
and who permit others to collect personal information from their child
visitors, benefit from that collection and thus should be responsible
under COPPA for providing notice to and obtaining consent from parents.
Conversely, online services whose business models entail the collection
of personal information and that know or have reason to know that such
information is collected through child-directed properties should
provide COPPA's protections.
In addition, the Commission proposes to modify the previously
proposed revised definition of Web site or online service directed to
children to permit Web sites or online services that are designed for
both children and a broader audience to comply with COPPA without
treating all users as children. The Commission also proposes modifying
the definition of screen or user name to cover only those situations
where a screen or user name functions in the same manner as online
contact information. Finally, the Commission proposes to modify the
revised definition of support for internal operations and to modify the
Rule's coverage of persistent identifiers as personal information.
II. Proposed Modifications to the Rule's Definitions (16 CFR 312.2)
A. Definition of Operator
Public comments \3\ and the Commission's own enforcement experience
\4\ highlight the need for the
[[Page 46644]]
Commission to clarify the responsibilities of child-directed properties
that integrate independent social networking or other types of ``plug-
ins'' into their sites or services. These plug-ins often collect
personal information directly from users of child-directed sites and
services. Although the child-directed site or service benefits by
incorporating the social networking or other information collection
features of the plug-in, it generally has no ownership, control, or
access to the personal information collected by the plug-in. In many
ways, the plug-in scenario mirrors the current situation with child-
directed Web sites and advertising networks: the site determines the
child-directed nature of the content, but the third-party advertising
network collects persistent identifiers for tracking purposes, which
could be considered personal information under the proposed revised
Rule.
---------------------------------------------------------------------------
\3\ See, e.g., AT&T (comment 8), at 3-4; CDT (comment 17), at 3-
6; CTIA (comment 32), at 16; Direct Marketing Association (comment
37), at 7; Future of Privacy Forum (comment 55), at 3; Information
Technology Industry Council (comment 70), at 3-4; Interactive
Advertising Bureau (comment 73), at 7; and, Tech Freedom (comment
159), at 12.
\4\ See FTC staff closing letter to OpenFeint (``OpenFeint
Letter''), available at https://www.ftc.gov/os/closings/120831openfeintclosingletter.pdf.
---------------------------------------------------------------------------
COPPA defines operator in pertinent part, as
(A) Any person who operates a Web site located on the Internet
or an online service and who collects or maintains personal
information from or about the users of or visitors to such Web site
or online service, or on whose behalf such information is collected
or maintained, where such Web site or online service is operated for
commercial purposes, including any person offering products or
services for sale through that Web site or online service, involving
commerce * * *.\5\
---------------------------------------------------------------------------
\5\ 15 U.S.C. 6501(2). The Rule's definition of operator
reflects the statutory language. See 16 CFR 312.2.
In both the 1999 Notice of Proposed Rulemaking and the 1999
Statement of Basis and Purpose, the Commission suggested that some
retention of ownership, control, or access to the personal information
collected was required to make a party an operator. The Commission
stated that it would look to a variety of factors--ownership, control,
financial and contractual arrangements, and the role of the site or
service in data collection or maintenance--to establish whether an
entity was covered by or subject to COPPA's regulatory obligations.\6\
The Commission also asserted that ``[w]here the Web site or online
service merely acts as the conduit through which the personal
information collected flows to another person or to another's Web site
or online service, and the Web site or online service does not have
access to the information, then it is not an operator under the
proposed Rule.'' \7\
---------------------------------------------------------------------------
\6\ 1999 Notice of Proposed Rulemaking and Request for Public
Comment, 64 FR 22750, 22752 (Apr. 27, 1999), available at https://www.ftc.gov/os/fedreg/1999/april/990427childrensonlineprivacy.pdf
(``In determining who is the operator for purposes of the proposed
Rule, the Commission will consider such factors as who owns the
information, who controls the information, who pays for the
collection or maintenance of the information, the pre-existing
contractual relationships surrounding the collection or maintenance
of the information, and the role of the Web site or online service
in collecting and/or maintaining the information'').
\7\ Id. The Commission reiterated this view in the 1999
Statement of Basis and Purpose to the COPPA Rule (``1999 Statement
of Basis and Purpose''), 64 FR 59888, 59891 (Nov. 3, 1999),
available at https://www.ftc.gov/os/1999/10/64Fr59888.pdf.
---------------------------------------------------------------------------
At that time, the Commission did not foresee how easy and
commonplace it would become for child-directed sites and services to
integrate social networking and other personal information collection
features into the content offered to their users, without maintaining
ownership, control, or access to the personal data. Given these changes
in technology, the Commission now believes that an operator of a child-
directed site or service that chooses to integrate into its site or
service other services that collect personal information from its
visitors should be considered a covered operator under the Rule.
Although the child-directed site or service does not own, control, or
have access to the information collected, the personal information is
collected on its behalf. The child-directed site or service benefits
from its use of integrated services that collect personal information
because the services provide the site with content, functionality, and/
or advertising revenue.
Therefore, the Commission proposes to revise the definition of
operator to add a proviso stating:
Personal information is collected or maintained on behalf of an
operator where it is collected in the interest of, as a
representative of, or for the benefit of, the operator.
Neither the COPPA statute nor its legislative history make clear
under what circumstances third-party data collection activities would
be deemed to be conducted ``on an operator's behalf.'' Nor did the
Commission previously define the phrase on whose behalf such
information is collected or maintained in the COPPA Rule.
Congress granted the FTC broad rulemaking authority under COPPA.\8\
The Commission's interpretation of the phrase on whose behalf is
consistent both with its plain and common meaning \9\ and with the
Commission's advocated position on the meaning of that phrase within
the Telephone Consumer Protection Act, 47 U.S.C. 227, and the position
it has urged the Federal Communications Commission to adopt in the
implementing regulations, 47 CFR 64.1200.\10\
---------------------------------------------------------------------------
\8\ Congress delegated to the FTC the authority to promulgate
regulations that require operators covered by COPPA to: Provide
online notice of their information practices; obtain verifiable
parental consent for the collection, use, or disclosure of personal
information from children; provide parents with a means to obtain
such personal information and to refuse further collection;
establish and maintain adequate confidentiality and security for
children's personal information; and that prohibit conditioning a
child's participation online on disclosing more personal information
than is necessary. See 15 U.S.C. 6502(b).
\9\ See Madden v. Cowen & Co., 576 F.3d 957, 974 (9th Cir.
2009).
\10\ See Comment of the Federal Trade Commission before the
Federal Communications Commission, CG Docket No. 11-50 (2011), at 7,
available at https://www.ftc.gov/os/2011/05/110516dishechostar.pdf
(stating that the common dictionary definition of ``on behalf of''
means in an entity's ``interest,'' in its ``aid,'' or for its
``benefit'').
---------------------------------------------------------------------------
In the context of COPPA's requirements, an operator of a child-
directed site or service is in an appropriate position to give notice
and obtain consent from parents where any personal information is being
collected from its visitors on or through its site or service. The
operator is in the best position to know that its site or service is
directed to children and can control which plug-ins, software
downloads, or advertising networks it integrates into its site. To
interpret the COPPA statute's on whose behalf language more narrowly
does not fully effectuate Congress's intent to insure that parents are
consistently given notice and the opportunity to consent prior to the
collection of children's personal information.
B. Definition of Web Site or Online Service Directed to Children
In the September 2011 COPPA NPRM, the Commission proposed minor
changes to the definition of Web site or online service directed to
children to include additional indicia of child-directed Web sites and
online services.\11\ The Commission now proposes additional
modifications to this definition in order to: (1) Make clear that a Web
site or online service that knows or has reason to know that it
collects personal information from children through a child-directed
Web site or online service is itself ``directed to children''; and (2)
permit a Web site or online service that is designed for both children
and a broader audience to comply with COPPA without having to treat all
its users as children.
---------------------------------------------------------------------------
\11\ See 2011 COPPA NPRM, 76 FR at 59814.
---------------------------------------------------------------------------
[[Page 46645]]
1. Operators Who Collect Personal Information Through Child-Directed
Web Sites or Online Services
As noted above, online services such as advertising networks or
downloadable plug-ins often collect personal information from users
through another's site or service, including properties directed to
children.\12\ When operating on child-directed properties, that portion
of these services could be deemed directed to children and the operator
held strictly liable under COPPA. This position would be consistent
with previous Commission statements that the Rule covers entities
collecting information through child-directed sites. In its original
April 1999 Notice of Proposed Rulemaking, the Commission stated that
the definition of operator includes ``a person who collects or
maintains [personal] information through another's Web site or online
service.'' \13\ In the 1999 Statement of Basis and Purpose, in
discussing the potential liability of network advertising companies,
the Commission noted that ``[i]f such companies collect personal
information directly from children who click on ads placed on Web sites
or online services directed to children, then they will be considered
operators who must comply with the Act, unless one of the exceptions
applies.'' \14\
---------------------------------------------------------------------------
\12\ This fact was highlighted in a recent Commission law
enforcement investigation of OpenFeint, Inc., an online social
gaming network available as a plug-in to mobile applications. See
OpenFeint Letter, supra note 4.
\13\ 1999 Notice of Proposed Rulemaking and Request for Public
Comment, 64 FR 22750, 22752 (Apr. 27, 1999), available at https://www.ftc.gov/os/fedreg/1999/april/990427childrensonlineprivacy.pdf.
\14\ Statement of Basis and Purpose to the COPPA Rule, 64 FR
59888, 59892 (Nov. 3, 1999), available at https://www.ftc.gov/os/1999/10/64Fr59888.pdf.
---------------------------------------------------------------------------
Several commenters in response to the 2011 COPPA NPRM, however,
state that operators of online services that are designed to be
incorporated into another site or service should not be covered under
COPPA's requirements when they appear on child-directed sites or
services.\15\ For example, the Center for Democracy and Technology
(``CDT'') states, ``[o]perators of analytics services, advertising
networks, and social plug-ins that do not intentionally target their
services to children should not have independent COPPA notice and
consent obligations simply because a site directed to children has
chosen to use their service.'' \16\
---------------------------------------------------------------------------
\15\ See, e.g., CDT (comment 17), at 5; Facebook (comment 50),
at 11; Future of Privacy Forum (comment 55), at 3; TechFreedom
(comment 159), at 10-11.
\16\ CDT (comment 17), at 5.
---------------------------------------------------------------------------
The COPPA statute gives the Commission broad discretion to define
Web site or online service directed to children. Congress provided only
one limitation to that discretion:
A commercial Web site or online service, or a portion of a
commercial Web site or online service, shall not be deemed directed
to children solely for referring or linking to a commercial Web site
or online service directed to children by using information location
tools, including a directory, index, reference, pointer, or
hypertext link.\17\
---------------------------------------------------------------------------
\17\ 15 U.S.C. 6501(10).
---------------------------------------------------------------------------
The Commission continues to believe that when an online service
collects personal information through child-directed properties, that
portion of the online service can and should be deemed directed to
children, but only under certain circumstances. The Commission believes
that the strict liability standard applicable to conventional child-
directed sites and services is unworkable for advertising networks or
plug-ins because of the logistical difficulties such services face in
controlling or monitoring which sites incorporate their online
services. Accordingly, the Commission proposes to modify the definition
of Web site or online service directed to children to include any
operator who ``knows or has reason to know'' it is collecting personal
information through a host Web site or online service directed to
children. The proposed new paragraph is:
Web site or online service directed to children means a
commercial Web site or online service, or portion thereof, that:
* * * * *
(d) knows or has reason to know that it is collecting personal
information through any Web site or online service covered under
paragraphs (a)-(c).
In choosing to use the phrase ``reason to know'' as part of the
definition, the Commission is not imposing a duty on entities such as
ad-networks or plug-ins to monitor or investigate whether their
services are incorporated into child-directed properties; \18\ however,
such sites and services will not be free to ignore credible information
brought to their attention indicating that such is the case.
---------------------------------------------------------------------------
\18\ The phrase ``reason to know'' does not impose a duty to
ascertain unknown facts, but does require a person to draw a
reasonable inference from information he does have. See Restatement
(Second) of Agency Sec. 9 cmt. d (1958); Restatement (Second) of
Torts Sec. Sec. 12(1), 401 (1965). See also Novicki v. Cook, 946
F.2d 938, 941 (D.C. Cir. 1991) (citing the Restatement (Second) of
Agency); Alf v. Donley, 666 F. Supp. 2d 60, 67 (D.D.C. 2009)
(following Novicki v. Cook); Feinerman v. Bernardi, 558 F. Supp. 2d
36, 49 (D.D.C. 2008) (following Novicki v. Cook); Topliff v. Wal-
Mart Stores E. LP, 2007 U.S. Dist. LEXIS 20533, 200, CCH Prod. Liab.
Rep. P17,728 (N.D.N.Y Mar. 22, 2007) (``the term `had reason to
know' does not impose any duty to ascertain unknown facts, while the
term `should have known' does impose such a duty'').
---------------------------------------------------------------------------
The Commission believes that this proposed modification to the
definition of Web site or online service directed to children, along
with the proposed revisions to the definition of operator that would
hold the child-directed property to be a co-operator equally
responsible under the Rule for the personal information collected by
the plug-in or advertising network, will help ensure that operators in
each position cooperate to meet their statutory duty to notify parents
and obtain parental consent.
2. Web Sites and Online Services Directed to Children and Families
As noted in its September 2011 NPRM, the current definition of Web
site or online service directed to children is, at bottom, a totality
of the circumstances test. In its comment, The Walt Disney Company
argues that this definition does not adequately address the reality
that Web sites or online services directed to children fall along a
continuum, targeting or appealing to children in varying degrees. Under
the Rule's current structure, regardless of where a site or service
falls on this continuum, it must still treat all visitors as children.
Disney argues that only sites falling at the extreme end of the
``child-directed'' continuum should have to treat all of their users as
children. It urges the Commission to adopt a system that would permit
Web sites or online services directed to larger audiences, specifically
those directed to children and families, to differentiate among users,
requiring such sites and services to provide notice and obtain consent
only for users who self-identify as under age 13.\19\
---------------------------------------------------------------------------
\19\ The Walt Disney Co. (comment 170), at 5-6.
---------------------------------------------------------------------------
The Commission finds merit in Disney's suggestion. In large
measure, it reflects the prosecutorial discretion the Commission has
applied in enforcing the Rule. The Commission has charged sites or
services with being directed to children only where the Commission
believed that children under age 13 were the primary audience.\20\ If
the Commission believed the site merely was likely to attract
significant numbers
[[Page 46646]]
of under 13 users, or had popular appeal with children (among others),
the Commission has instead alleged that the operator had ``actual
knowledge'' of collecting personal information from users who
identified themselves as under 13.\21\ This enforcement approach
recognizes the burden imposed on operators in having to obtain notice
and consent for every user when most users may be over 13, as well as
the burden and restrictions imposed on users over age 13 in being
treated as young children.
---------------------------------------------------------------------------
\20\ See United States v. Godwin, d/b/a skid-e-kids.com, No.
1:11-cv-03846-JOF (N.D. Ga. Feb. 1, 2012) (alleging that defendant's
skid-e-kids social networking Web site was directed to children);
United States v. W3 Innovations, LLC, No. CV-11-03958 (N.D. Cal.,
filed Aug. 12, 2011) (alleging that defendants' ``Emily's'' apps
were directed to children); United States v. Playdom, Inc., No. SA
CV11-00724 (C.D. Cal., May 24, 2011) (alleging that Playdom's Pony
Stars online virtual world was directed to children).
\21\ See United States v. Iconix Brand Group, Inc., No. 09 Civ.
8864 (S.D.N.Y, Nov. 5, 2009); United States v. Sony BMG Music
Entertainment, No. 08 Civ. 10730 (S.D.N.Y., Dec. 15, 2008).
---------------------------------------------------------------------------
As noted above, Congress gave the Commission broad discretion to
define Web site or online service directed to children. The Commission
now proposes to modify that definition to implement much of what Disney
has proposed and to better reflect the prosecutorial discretion it has
applied. The proposed revised definition is:
Web site or online service directed to children means a
commercial Web site or online service, or portion thereof, that:
(a) Knowingly targets children under age 13 as its primary
audience; or,
(b) Based on the overall content of the Web site or online
service, is likely to attract children under age 13 as its primary
audience; or,
(c) Based on the overall content of the Web site or online
service, is likely to attract an audience that includes a
disproportionately large percentage of children under age 13 as
compared to the percentage of such children in the general
population; provided however that such Web site or online service
shall not be deemed to be directed to children if it: (i) Does not
collect personal information from any visitor prior to collecting
age information; and (ii) prevents the collection, use, or
disclosure of personal information from visitors who identify
themselves as under age 13 without first obtaining verifiable
parental consent;
* * * * *
The effect of the proposed changes would be that those sites and
services at the far end of the ``child-directed'' continuum, i.e.,
those that knowingly target, or have content likely to draw, children
under 13 as their primary audience, must still treat all users as
children, and provide notice and obtain consent before collecting any
personal information from any user. Those sites and services with
child-oriented content appealing to a mixed audience, where children
under 13 are likely to be an over-represented group, will not be deemed
directed to children if, prior to collecting any personal information,
they age-screen all users. At that point, for users who identify
themselves as under 13, the site or service will be deemed to have
actual knowledge that such users are under 13 and must obtain
appropriate parental consent before collecting any personal information
from them and must also comply with all other aspects of the Rule.
The Commission recognizes that many children may choose to lie
about their age. Nevertheless, the Commission believes the proposed
revisions strike the correct balance. First, it has been the
Commission's law enforcement experience, as demonstrated by its
``actual knowledge'' cases, that many children do truthfully provide
their age in response to an age screening question on mixed audience
sites.\22\ Second, as noted above, as a matter of prosecutorial
discretion, the Commission has not charged child-friendly mixed
audience sites as being directed to children because of the burdens it
imposes. Consequently, if those sites collected personal information
without asking age, the Commission had little basis to allege that the
operator had actual knowledge of any visitor's age. The proposed
revisions will require operators of these child-friendly mixed audience
sites to take an affirmative step to attain actual knowledge if they do
not wish to treat all visitors as being under 13.
---------------------------------------------------------------------------
\22\ See United States v. Iconix Brand Group, Inc.; and United
States v. Sony BMG Music Entertainment, supra note 23.
---------------------------------------------------------------------------
C. Definition of Personal Information
1. Screen or User Names
In the 2011 COPPA NPRM, the Commission proposed to define as
personal information ``a screen or user name where such screen or user
name is used for functions other than or in addition to support for the
internal operations of the Web site or online service.'' \23\ This
change was intended to address scenarios in which a screen or user name
could be used by a child as a single credential to access multiple
online properties, thereby permitting him or her to be directly
contacted online, regardless of whether the screen or user name
contained an email address.\24\
---------------------------------------------------------------------------
\23\ 2011 COPPA NPRM, 76 FR at 59810.
\24\ Id.
---------------------------------------------------------------------------
Several commenters expressed concern that the Commission's screen-
name proposal would unnecessarily inhibit functions that are important
to the operation of child-directed Web sites and online services. For
example, commenters stated that many child-directed properties use a
screen or user name in place of a child's real name in an effort to
minimize data collection.\25\ Operators also use single screen names to
allow children to sign on to a single online service that runs on
multiple platforms, as well as to access related properties across
multiple platforms.\26\ These commenters raised concerns that, with the
limited carve-out for functions to support internal operations,
operators might be precluded from using screen or user names within a
Web site or online service, and would certainly be precluded from doing
so across multiple platforms.
---------------------------------------------------------------------------
\25\ See National Cable & Telecommunications Association
(comment 113), at 12 (``[A]llowing children to create a unique
screen name and password at a Web site through a registration
process without collecting any personally identifying information
has allowed several leading children's Web sites to offer:
personalized content (e.g., horoscopes, weather forecasts,
customized avatars for game play), attribution (e.g., acknowledge
for a high score or other achievement), as well as a way to express
opinions and participate in online activities in an interactive
fashion (e.g., jokes, stories, letters to the editor, polls,
challenging others to gameplay, swapping digital collectibles,
participating in monitored `chat' with celebrities''); The Walt
Disney Co. (comment 170), at 21.
\26\ See Direct Marketing Association (comment 37), at 17;
Entertainment Software Association (comment 47), at 9; Scholastic
(comment 144), at 12; Adam Thierer (comment 162), at 6; TRUSTe
(comment 164), at 3; The Walt Disney Co. (comment 170), at 21-22.
---------------------------------------------------------------------------
The Commission has long supported the data minimization purposes
behind operators' use of screen and user names in place of individually
identifiable information.\27\ Indeed, the proposed changes in paragraph
(d) were not intended to preclude such uses. Moreover, after reading
the comments, the Commission is persuaded of the benefits of utilizing
single sign-in identifiers across sites and services, for example, to
permit children seamlessly to transition between devices or platforms
via a single screen or user name.\28\ The Commission therefore proposes
that a screen or user name should be included within the definition of
personal information only in those instances in which a screen or user
name rises to the level of online contact information.\29\ In such
cases, a screen or user name functions much like an email address, an
instant messaging identifier, ``or any other substantially similar
identifier that permits direct contact with a person online.'' \30\
[[Page 46647]]
Therefore, the Commission proposes to modify paragraph (d) of the
definition of personal information as follows:
---------------------------------------------------------------------------
\27\ See 1999 Statement of Basis and Purpose, 64 FR at 59892.
\28\ See Direct Marketing Association (comment 37), at 16-17;
Entertainment Software Association (comment 47), at 9-10; Adam
Thierer (comment 162), at 6; TRUSTe (comment 164), at 3-4; The Walt
Disney Co. (comment 170), at 21-22.
\29\ Id. at 59891, n.49 (``Another example of `online contact
information' could be a screen name that also serves as an email
address'').
\30\ See 2011 COPPA NPRM, 76 FR at 59810 (proposed definition of
online contact information).
---------------------------------------------------------------------------
Personal information means individually identifiable information
about an individual collected online, including:
* * * * *
(d) A screen or user name where it functions in the same manner
as online contact information, as defined in this Section;
* * * * *
2. Persistent Identifiers and Support for Internal Operations
In the September 2011 COPPA NPRM, the Commission proposed changes
to the definition of personal information that, among other things,
would have included ``[a] persistent identifier, including but not
limited to, a customer number held in a cookie, an Internet Protocol
(IP) address, a processor or device serial number, or unique device
identifier, where such persistent identifier is used for functions
other than or in addition to support for the internal operations of the
Web site or online service.'' \31\ The Commission also proposed to
include in the definition of personal information ``identifiers that
link the activities of a child across different Web sites or online
services.'' \32\ As stated in the 2011 COPPA NPRM, these changes were
intended to ``require parental notification and consent prior to the
collection of persistent identifiers where they are used for purposes
such as amassing data on a child's online activities or behaviorally
targeting advertising to the child.'' \33\ By carving out exceptions
for support for internal operations, the Commission stated it intended
to exempt from COPPA's coverage the collection and use of identifiers
for authenticating users, improving site navigation, maintaining user
preferences, serving contextual advertisements, protecting against
fraud or theft, or otherwise personalizing, improving upon, or securing
a Web site or online service.\34\
---------------------------------------------------------------------------
\31\ See 2011 COPPA NPRM, 76 FR at 59812 (proposed definition of
personal information, paragraph (g)).
\32\ Id. (proposed definition of paragraph (h)).
\33\ Id.
\34\ Id.
---------------------------------------------------------------------------
The Commission received numerous comments on the proposed inclusion
of persistent identifiers within the definition of personal
information. Consumer advocacy organizations, including the Center for
Digital Democracy (``CDD''), Consumers Union (``CU''), and the
Electronic Privacy Information Center (``EPIC''), fully supported the
proposal, finding that, increasingly, particular devices are associated
with particular individuals, and the collection of identifiers permits
direct contact with individuals online.\35\ In addition to these
advocacy groups, nearly 200 individual consumers filed comments
supporting the inclusion of IP address within the Rule's definition of
personal information.
---------------------------------------------------------------------------
\35\ See CU (comment 29), at 3; EPIC (comment 41), at 8; CDD
(comment 71), at 29.
---------------------------------------------------------------------------
By contrast, the overwhelming majority of the comments filed by Web
site operators, industry associations, privacy experts, and
telecommunications companies opposed the Commission's expansion of the
definition of personal information to reach persistent identifiers,
even with the limitation to activities other than or in addition to
support for internal operations. Most of these commenters claimed that
the collection of one or more persistent identifiers only permits
online contact with a device and not with a specific individual.\36\
These commenters also expressed concern about the breadth and potential
vagueness of the proposed paragraph (h) defining as personal
information ``an identifier that links the activities of a child across
different Web sites or online services.'' Among the concerns raised
about (h) were the lack of clarity about the term ``different Web sites
or online services,'' \37\ including whether this term is intended to
cover identifiers collected by a single operator across multiple
platforms \38\ or a child's activities within or between affiliated Web
sites or online services.\39\
---------------------------------------------------------------------------
\36\ See Computer and Communications Industry Association
(comment 27), at 3-5; CTIA (comment 32), at 7-8; eBay (comment 40),
at 5; Future of Privacy Forum (comment 55), at 2-3; Information
Technology Industry Council (comment 70), at 3-4; Intel (comment
72), at 4-6; IAB (comment 73), at 4-6; KidSafe Seal Program (comment
81), at 6-7; TechAmerica (comment 159), at 3-5; Promotion Marketing
Association (comment 133), at 10-12; TRUSTe (comment 164), at 4-6;
Yahoo! (comment 180), at 7-8; Toy Industry Association (comment
163), at 8-10.
\37\ See IAB (comment 73), at 5; KidSafe Seal Program (comment
81), at 9; Scholastic (comment 144), at 14; TRUSTe (comment 164), at
5-6; The Walt Disney Co. (comment 170), at 20-21; WiredSafety
(comment 177), at 11.
\38\ See Scholastic (comment 144), at 14; TRUSTe (comment 164),
at 5.
\39\ See The Walt Disney Co. (comment 170), at 22.
---------------------------------------------------------------------------
Several commenters urged the Commission to alter its approach to
persistent identifiers to focus more directly on their use, or
potential misuse, rather than on their collection.\40\ Moreover,
several commenters maintained that the proposed definition of support
for internal operations is too narrow to cover the very types of
activities the Commission intended to permit, e.g., user
authentication, improving site navigation, maintaining user
preferences, serving contextual advertisements, and protecting against
fraud or theft.\41\ Others raised concerns that it was unclear whether
the collection of data within persistent identifiers for the purpose of
performing site performance or functioning analyses, or analytics,
would be included within the definition of support for internal
operations.\42\
---------------------------------------------------------------------------
\40\ ``A straightforward way to regulate the ability of
operators to target children with behavioral advertising would be to
simply prohibit operators from engaging in the practice as it has
previously been defined by the FTC. But the FTC instead focuses on
the types of information operators collect rather than on how
operators use the information.'' Future of Privacy Forum (comment
55), at 2; see also VISA, Inc. (comment 168), at 2; WiredTrust
(comment 177), at 11.
\41\ See CTIA (comment 32), at 15; KidSafe Seal Program (comment
81), at 6-7; Scholastic (comment 144), at 13; Toy Industry
Association (comment 163), at 10; TRUSTe (comment 164), at 8; The
Walt Disney Co. (comment 170), at 7; WiredSafety (comment 177), at
13.
\42\ Association for Competitive Technology (comment 5), at 5;
CTIA (comment 32), at 14; Direct Marketing Association (comment 37),
at 14-15; IAB (comment 73), at 4; NCTA (comment 113), at 15;
Scholastic (comment 144), at 14; TechFreedom (comment 159), at 9-
10; Toy Industry Association (comment 163), at 7, 9; TRUSTe (comment
164), at 5; WiredTrust (comment 177), at 11.
---------------------------------------------------------------------------
In response to these concerns, the Commission is proposing revised
language for the definitions regarding persistent identifiers and
support for internal operations. The proposed revised language is
intended to: (1) Address the concerns about the confusion caused by
having two different sub-definitions dealing with persistent
identifiers, paragraphs (g) and (h); and (2) provide more specificity
to the types of activities that will be considered support for internal
operations.
The newly proposed definition regarding persistent identifiers is:
Personal information means individually identifiable information
about an individual collected online, including:
(g) A persistent identifier that can be used to recognize a user
over time, or across different Web sites or online services, where
such persistent identifier is used for functions other than or in
addition to support for the internal operations of the Web site or
online service. Such persistent identifier includes, but is not
limited to, a customer number held in a cookie, an Internet Protocol
(IP) address, a processor or device serial number, or unique device
identifier;
* * * * *
This proposal combines the two previous definitions into one and makes
clear that an operator can only identify users over time or across Web
sites for the enumerated activities set forth in the definition of
support for internal operations.
[[Page 46648]]
The newly proposed definition of support for internal operations
is:
Support for the internal operations of the Web site or online
service means those activities necessary to: (a) Maintain or analyze
the functioning of the Web site or online service; (b) perform
network communications; (c) authenticate users of, or personalize
the content on, the Web site or online service; (d) serve contextual
advertising on the Web site or online service; (e) protect the
security or integrity of the user, Web site, or online service; or
(f) fulfill a request of a child as permitted by Sec. Sec. 312.5(c)(3) and
(4); so long as the information collected for the activities listed
in (a)-(f) is not used or disclosed to contact a specific individual
or for any other purpose.
This revision incorporates into the Rule many of the types of
activities -- user authentication, maintaining user preferences, serving
contextual advertisements, and protecting against fraud or theft -- that
the Commission initially discussed as permissible in the 2011 COPPA
NPRM.\43\ It would also specifically permit the collection of
persistent identifiers for functions related to site maintenance and
analysis, and to perform network communications, that many commenters
view as crucial to their ongoing operations.\44\ The Commission notes
the importance of the proviso at the end of the proposed definition: To
be considered support for internal operations, none of the information
collected may be used or disclosed to contact a specific individual,
including through the use of behaviorally-targeted advertising, or for
any other purpose.
---------------------------------------------------------------------------
\43\ See 2011 COPPA NPRM, 76 FR at 59812.
\44\ This proposed revised definition is consistent with the
Commission's position in its recent privacy report that notice need
not be provided to consumers regarding data practices that are
sufficiently accepted or necessary for public policy reasons. See
FTC, Protecting Consumer Privacy in an Era of Rapid Change:
Recommendations for Businesses and Policymakers, at 36, 38-40,
available at https://ftc.gov/os/2012/03/120326privacyreport.pdf.
---------------------------------------------------------------------------
III. Request for Comment
The Commission invites interested persons to submit written
comments on any issue of fact, law, or policy that may bear upon the
proposals under consideration. Please include explanations for any
answers provided, as well as supporting evidence where appropriate.
After evaluating the comments, the Commission will determine whether to
issue specific amendments.
Comments should refer to ``COPPA Rule Review: FTC File No.
P104503'' to facilitate the organization of comments. Please note that
your comment--including your name and your state--will be placed on
the public record of this proceeding, including on the publicly
accessible FTC Web site, at https://www.ftc.gov/os/publiccomments.shtm.
Comments must be received on or before September 10, 2012, to be
considered by the Commission.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before September 10,
2012. Write ``COPPA Rule Review, 16 CFR Part 312, Project No. P104503''
on your comment. Your comment--including your name and your state--
will be placed on the public record of this proceeding, including, to
the extent practicable, on the public Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the
Commission tries to remove individuals' home contact information from
comments before placing them on the Commission Web site.
Because your comment will be made public, you are solely
responsible for making sure that your comment does not include any
sensitive personal information, such as anyone's Social Security
number, date of birth, driver's license number or other state
identification number or foreign country equivalent, passport number,
financial account number, or credit or debit card number. You are also
solely responsible for making sure that your comment does not include
any sensitive health information, such as medical records or other
individually identifiable health information. In addition, do not
include any ``[t]rade secret or any commercial or financial information
which is obtained from any person and which is privileged or
confidential,'' as provided in Section 6(f) of the FTC Act, 15 U.S.C.
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, don't
include competitively sensitive information such as costs, sales
statistics, inventories, formulas, patterns, devices, manufacturing
processes, or customer names.
If you want the Commission to give your comment confidential
treatment, you must file it in paper form, with a request for
confidential treatment, and you must follow the procedure explained in
FTC Rule 4.9(c), 16 CFR 4.9(c).\45\ Your comment will be kept
confidential only if the FTC General Counsel, in his or her sole
discretion, grants your request in accordance with the law and the
public interest.
---------------------------------------------------------------------------
\45\ In particular, the written request for confidential
treatment that accompanies the comment must include the factual and
legal basis for the request, and must identify the specific portions
of the comment to be withheld from the public record. See FTC Rule
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/2012copparulereview, by following the instructions on the web-based
form. If this document appears at https://www.regulations.gov/#!home,
you also may file a comment through that Web site.
If you file your comment on paper, write ``COPPA Rule Review, 16
CFR Part 312, Project No. P104503'' on your comment and on the
envelope, and mail or deliver it to the following address: Federal
Trade Commission, Office of the Secretary, Room H-113 (Annex E), 600
Pennsylvania Avenue NW., Washington, DC 20580. If possible, submit your
paper comment to the Commission by courier or overnight service.
Visit the Commission Web site at https://www.ftc.gov to read this
document and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before September 10, 2012.\46\ You can find more
information, including routine uses permitted by the Privacy Act, in
the Commission's privacy policy, at https://www.ftc.gov/ftc/privacy.htm.
---------------------------------------------------------------------------
\46\ Questions for the public regarding proposed revisions to
the Rule are found at Part VII, infra.
---------------------------------------------------------------------------
Comments on any proposed recordkeeping, disclosure, or reporting
requirements subject to review under the Paperwork Reduction Act should
additionally be submitted to OMB. If sent by U.S. mail, they should be
addressed to Office of Information and Regulatory Affairs, Office of
Management and Budget, Attention: Desk Officer for the Federal Trade
Commission, New Executive Office Building, Docket Library, Room 10102,
725 17th Street NW., Washington, DC 20503. Comments sent to OMB by U.S.
postal mail, however, are subject to delays due to heightened security
precautions. Thus, comments instead should be sent by facsimile to
(202) 395-5167.
IV. Regulatory Flexibility Act
The Regulatory Flexibility Act of 1980 (``RFA''), 5 U.S.C. 601 et
seq., requires
[[Page 46649]]
a description and analysis of proposed and final rules that will have
significant economic impact on a substantial number of small entities.
The RFA requires an agency to provide an Initial Regulatory Flexibility
Analysis (``IRFA'') with the proposed Rule, and a Final Regulatory
Flexibility Analysis (``FRFA''), if any, with the final Rule.\47\ The
Commission is not required to make such analyses if a Rule would not
have such an economic effect.\48\
---------------------------------------------------------------------------
\47\ See 5 U.S.C. 603-04.
\48\ See 5 U.S.C. 605.
---------------------------------------------------------------------------
As described below, the Commission anticipates that the proposed
changes to the Rule addressed in this Revised COPPA NPRM will result in
more Web sites and online services being subject to the Rule and to the
Rule's disclosure, reporting, and compliance requirements. The
Commission believes that a number of operators of Web sites and online
services potentially affected by these revisions are small entities as
defined by the RFA. It is unclear whether the Revised COPPA NPRM will
have a significant economic impact on these small entities. Thus, to
obtain more information about the impact of the Revised COPPA NPRM on
small entities, the Commission has decided to publish the following
IRFA pursuant to the RFA and to request public comment on the impact on
small businesses of its Revised COPPA NPRM.
A. Description of the Reasons That Agency Action Is Being Considered
As described in Part I above, in September 2011, the Commission
issued a Notice of Proposed Rulemaking setting forth proposed changes
to the Commission's COPPA Rule. Among other things, the Commission
proposed modifying the Rule's definitions of personal information to
include persistent identifiers and screen or user names other than
where they are used to support internal operations, and Web site or
online service directed to children to include additional indicia that
a site or service may be targeted to children. The Commission received
over 350 comments on the proposed changes, a number of which addressed
the proposed changes to these two definitions. After reviewing these
comments, and based upon its experience in enforcing and administering
the Rule, the Commission now proposes additional modifications to the
definitions of personal information, support for internal operations,
and Web site or online service directed to children, and also proposes
to modify the definition of operator.
B. Succinct Statement of the Objectives of, and Legal Basis for, the
Additional Proposed Modifications to the Rule's Definitions
The objectives of the additional proposed modifications to the
Rule's definitions are to update the Rule to ensure that children's
online privacy continues to be protected, as directed by Congress, even
as new online technologies evolve, and to clarify existing obligations
for operators under the Rule. The legal basis for the proposed
amendments is the Children's Online Privacy Protection Act, 15 U.S.C.
6501 et seq.
C. Description and Estimate of the Number of Small Entities to Which
the Proposed Modifications to the Rule's Definitions Will Apply
The proposed modifications to the Rule's definitions will affect
operators of Web sites and online services directed to children, as
well as those operators that have actual knowledge that they are
collecting personal information from children. The proposed Rule
amendments will impose costs on entities that are ``operators'' under
the Rule.
The Commission staff is unaware of any empirical evidence
concerning the number of operators subject to the Rule. However, based
on the public comments received and the modifications proposed here,
the Commission staff estimates that approximately 500 additional
operators may newly be subject to the Rule's requirements and that
there will be approximately 125 new operators per year for a
prospective three-year period.
Under the Small Business Size Standards issued by the Small
Business Administration, ``Internet publishing and broadcasting and web
search portals'' qualify as small businesses if they have fewer than
500 employees.\49\ The Commission staff now estimates that
approximately 85-90% of operators potentially subject to the Rule
qualify as small entities; this projection is revised upward from the
Commission's prior estimate of 80% set forth in the 2011 COPPA NPRM to
take into account the growing market for mobile applications, many of
which may be subject to the proposed revised Rule. The Commission staff
bases this revised higher estimate on its experience in this area,
which includes its law enforcement activities, discussions with
industry members, privacy professionals, and advocates, and oversight
of COPPA safe harbor programs. The Commission seeks comment and
information with regard to the estimated number or nature of small
business entities on which the proposed Rule would have a significant
economic impact.
---------------------------------------------------------------------------
\49\ See U.S. Small Business Administration Table of Small
Business Size Standards Matched to North American Industry
Classification System Codes, available at https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf.
---------------------------------------------------------------------------
D. Description of the Projected Reporting, Recordkeeping, and Other
Compliance Requirements
The proposed amended Rule would impose reporting, recordkeeping,
and other compliance requirements within the meaning of the Paperwork
Reduction Act, as set forth in Part II of this Notice of Proposed
Rulemaking. Therefore, the Commission is submitting the proposed
revised modifications to the Rule's definitions to OMB for review
before issuing a final rule.
The proposed revised modifications to the Rule's definitions likely
would increase the number of operators subject to the proposed revised
Rule's recordkeeping, reporting, and other compliance requirements. In
particular, the proposed revised definition of operator will
potentially cover additional child-directed Web sites and online
services that choose to integrate other services that collect personal
information from visitors. Similarly, the proposed addition of
paragraph (d) to the definition of Web site or online service directed
to children, which clarifies that the Rule covers a Web site or online
service that knows or has reason to know it is collecting personal
information through any Web site or online service directed to
children, will potentially cover additional Web sites and online
services. These proposed improvements to the Rule may entail some added
cost burden to operators, including those that qualify as small
entities. However, the proposed addition of paragraph (c) to the
definition of Web site or online service directed to children, and the
proposed modifications to the definitions of personal information and
support for internal operations, may offset the added burdens discussed
above, by potentially decreasing certain operators' recordkeeping,
reporting, and other compliance requirements.
The estimated burden imposed by these proposed modifications to the
Rule's definitions is discussed in the Paperwork Reduction Act section
of this document, and there should be no difference in that burden as
applied to small businesses. While the Rule's compliance obligations
apply equally to all entities subject to the Rule, it is unclear
whether the economic burden
[[Page 46650]]
on small entities will be the same as or greater than the burden on
other entities. That determination would depend upon a particular
entity's compliance costs, some of which may be largely fixed for all
entities (e.g., Web site programming) and others that may be variable
(e.g., choosing to operate a family friendly Web site or online
service), and the entity's income or profit from operation of the Web
site or online service (e.g., membership fees) or from related sources
(e.g., revenue from marketing to children through the site or service).
As explained in the Paperwork Reduction Act section, in order to comply
with the Rule's requirements, operators will require the professional
skills of legal (lawyers or similar professionals) and technical (e.g.,
computer programmers) personnel. As explained earlier, the Commission
staff estimates that there are approximately 500 additional Web sites or
online services that would newly qualify as operators under the
proposed modifications to the Rule's definitions, that there will be
approximately 125 new operators per year for a three-year period, and
that approximately 85-90% of all such operators would qualify as small
entities under the SBA's Small Business Size standards. The Commission
invites comment and information on these issues.
E. Identification of Other Duplicative, Overlapping, or Conflicting
Federal Rules
The Commission has not identified any other federal statutes,
rules, or policies that would duplicate, overlap, or conflict with the
proposed Rule. The Commission invites comment and information on this
issue.
F. Description of Any Significant Alternatives to the Proposed
Modifications to the Rule's Definitions
In drafting the proposed modifications to the Rule's definitions,
the Commission has attempted to avoid unduly burdensome requirements
for entities. The Commission believes that the proposed modifications
will advance the goal of children's online privacy in accordance with
COPPA. For each of the proposed modifications, the Commission has taken
into account the concerns evidenced by the record to date. On balance,
the Commission believes that the benefits to children and their parents
outweigh the costs of implementation to industry.
The Commission has considered, but has decided not to propose, an
exemption for small businesses. The primary purpose of COPPA is to
protect children's online privacy by requiring verifiable parental
consent before an operator collects personal information. The record
and the Commission's enforcement experience have shown that the threats
to children's privacy are just as great, if not greater, from small
businesses or even individuals than from large businesses.\50\
Accordingly, an exemption for small businesses would undermine the very
purpose of the statute and Rule.
---------------------------------------------------------------------------
\50\ See, e.g., United States v. RockYou, Inc., No.
3:12-cv-01487-SI (N.D. Cal., entered Mar. 27, 2012); United States v.
Godwin, No. 1:11-cv-03846-JOF (N.D. Ga., entered Feb. 1, 2012);
United States v. W3 Innovations, LLC, No. CV-11-03958 (N.D. Cal.,
filed Aug. 12, 2011); United States v. Industrious Kid, Inc., No.
CV-08-0639 (N.D. Cal., filed Jan. 28, 2008); United States v.
Xanga.com, Inc., No. 06-CIV-6853 (S.D.N.Y., entered Sept. 11, 2006);
United States v. Bonzi Software, Inc., No. CV-04-1048 (C.D. Cal.,
filed Feb. 17, 2004); United States v. Looksmart, Ltd., Civil Action
No. 01-605-A (E.D. Va., filed Apr. 18, 2001); United States v.
Bigmailbox.Com, Inc., Civil Action No. 01-606-B (E.D. Va., filed
Apr. 18, 2001).
---------------------------------------------------------------------------
While the proposed modifications to the Rule's definitions
potentially will increase the number of Web site and online service
operators subject to the Rule, the Rule continues to provide regulated
entities with the flexibility to select the most appropriate,
cost-effective, technologies to achieve COPPA's objective results. For
example, the proposed new definition of support for internal operations
is intended to provide operators with the flexibility to conduct their
information collections in a manner they choose consistent with
ordinary operation, enhancement, or security measures. Moreover, the
proposed changes to Web site or online service directed to children
would provide greater flexibility to family friendly sites and services
in developing mechanisms to provide the COPPA protections to child
visitors.
The Commission seeks comments on ways in which the Rule could be
modified to reduce any costs or burdens for small entities.
V. Paperwork Reduction Act
The existing Rule contains recordkeeping, disclosure, and reporting
requirements that constitute ``information collection requirements'' as
defined by 5 CFR 1320.3(c) under the OMB regulations that implement the
Paperwork Reduction Act (``PRA''), 44 U.S.C. 3501 et seq. OMB has
approved the Rule's existing information collection requirements
through July 31, 2014 (OMB Control No. 3084-0117).
The proposed modifications to the Rule's definitions would change
the definitions of operator and Web site or online service directed to
children, potentially increasing the number of operators subject to the
Rule. However, the proposed modifications to the definitions of
personal information and support for internal operations may offset
these added burdens by potentially decreasing certain operators'
recordkeeping, reporting, and other compliance requirements. Thus, the
Commission is providing PRA burden estimates for the proposed
modifications, set forth below.
The Commission invites comments on: (1) Whether the proposed
collection of information is necessary for the proper performance of
the functions of the agency, including whether the information shall
have practical utility; (2) the accuracy of the FTC's estimate of the
burden of the proposed collection of information; (3) ways to enhance
the quality, utility, and clarity of the information to be collected;
and (4) ways to minimize the burden of collecting information.
Estimated Additional Annual Hours Burden
A. Number of Respondents
Commission staff estimates that there will be approximately 500
existing operators of Web sites or online services that likely will be
newly covered as a result of the modifications proposed herein. This
projected number is based upon the Commission staff's expectation that
altering the definitions of operator and Web site or online service
directed to children will expand the pool of covered operators. Other
proposed modifications, however, should offset some of this potential
expansion. Specifically, these offsets include clarification of the
definition of support for internal operations and the carve-out from
the definition of Web site or online service directed to children of
family friendly sites and services that take particular measures. The
Commission also anticipates that some operators of Web sites or online
services will make adjustments to their information collection
practices so that they will not be collecting personal information from
children, as defined by the proposed revised Rule.
Further, Commission staff estimates that 125 additional new
operators per year (over a prospective three-year PRA clearance period
\51\) will be covered by the Rule through the proposed modifications.
This is incremental to the previously cleared FTC estimates of 100 new
operators per year for the current Rule.
---------------------------------------------------------------------------
\51\ Under the PRA, agencies may seek a maximum of three years'
clearance for a collection of information. 44 U.S.C. 3507(g).
---------------------------------------------------------------------------
[[Page 46651]]
B. Recordkeeping Hours
The proposed modifications to the Rule's definitions will not
impose incremental recordkeeping requirements on operators.
C. Disclosure Hours
(1) New Operators' Disclosure Burden
Under the existing OMB clearance for the Rule, the FTC has
estimated that new operators will each spend approximately 60 hours to
craft a privacy policy, design mechanisms to provide the required
online privacy notice and, where applicable, direct notice to parents
in order to obtain verifiable consent. Several commenters noted that
this 60-hour estimate failed to take into account accurate costs of
compliance with the Rule.\52\ None of these commenters, however,
provided the Commission with empirical data or specific evidence on the
number of hours such activities require. Thus, the Commission does not
have sufficient information at present to revise its earlier hours
estimate. Applying this estimate of 60 hours per new operator to the
above-stated estimate of 125 new operators yields an estimated 7,500
additional disclosure hours, cumulatively.
---------------------------------------------------------------------------
\52\ See Nancy Savitt (comment 142), at 1; NCTA (comment 113),
at 23-24.
---------------------------------------------------------------------------
(2) Existing Operators' Disclosure Burden
The proposed modifications to the Rule's definitions will not
impose incremental disclosure time per entity, but, as noted above,
would result in an estimated 500 additional existing operators that
would be covered by the Rule. These entities will have a one-time
burden to re-design their existing privacy policies and direct notice
procedures that would not carry over to the second and third years of
prospective PRA clearance. The Commission estimates that an existing
operator's time to make these changes would be no more than that for a
new entrant crafting its online and direct notices for the first time,
i.e., 60 hours. Annualized over three years of PRA clearance, this
amounts to 20 hours ((60 hours + 0 + 0) / 3) per year. Aggregated for
the estimated 500 existing operators that would be newly subject to the
Rule, annualized disclosure burden would be 10,000 hours.
D. Reporting Hours
The proposed modifications to the Rule's definitions will not
impose incremental reporting hours requirements.
E. Labor Costs
(1) Recordkeeping
None.
(2) Disclosure
The Commission staff assumes that the time spent on compliance for
new operators and existing operators that would be newly covered by the
Rule's proposed modifications would be apportioned five to one between
legal (lawyers or similar professionals) and technical (e.g., computer
programmers, software developers, and information security analysts)
personnel.\53\ Moreover, based on Bureau of Labor Statistics compiled
data, FTC staff assumes for compliance cost estimates a mean hourly
rate of $180 for legal assistance and $42 for technical labor
support.\54\
---------------------------------------------------------------------------
\53\ See 76 FR 7211, 7212-7213 (Feb. 9, 2011); 76 FR 31334,
31335 n. 1 (May 31, 2011) (FTC notices for renewing OMB clearance
for the COPPA Rule).
\54\ The estimated rate of $180 per hour is roughly midway
between Bureau of Labor Statistics (BLS) mean hourly wages for
lawyers ($62.74) in the most recent annual compilation available
online and what Commission staff believes more generally reflects
hourly attorney costs ($300) associated with Commission information
collection activities. The estimate of mean hourly wages of $42 is
based on an average of the salaries for computer programmers,
software developers, information security analysts, and web
developers as reported by the Bureau of Labor Standards. See
National Occupational and Wages--May 2011, available at https://www.bls.gov/news.release/archives/ocwage_03272012.pdf.
---------------------------------------------------------------------------
Thus, for the estimated 125 additional new operators per year,
7,500 cumulative disclosure hours would be composed of 6,250 hours of
legal assistance and 1,250 hours of technical support. Applied to
hourly rates of $180 and $42, respectively, associated
labor costs for the 125 additional new operators potentially subject to
the proposed amendments would be $1,177,500.
Similarly, for the estimated 500 existing operators that would be
newly covered by the proposed definitional changes, 10,000 cumulative
disclosure hours would consist of 8,333 hours of legal assistance and
1,667 hours for technical support. Applied at hourly rates of $180 and
$42, respectively, associated labor costs would total $1,569,954. Thus,
cumulative labor costs for new and existing operators that would be
additionally subject to the Rule through the proposed amendments would
be $2,747,454.
(3) Reporting
None.
F. Non-Labor/Capital Costs
None.
VI. Communications by Outside Parties to the Commissioners or Their
Advisors
Written communications and summaries or transcripts of oral
communications respecting the merits of this proceeding, from any
outside party to any Commissioner or Commissioner's advisor, will be
placed on the public record. See 16 CFR 1.26(b)(5).
VII. Questions for the Proposed Revisions to the Rule
The Commission is seeking comment on various aspects of the
proposed Rule, and is particularly interested in receiving comment on
the questions that follow. These questions are designed to assist the
public and should not be construed as a limitation on the issues on
which public comment may be submitted in response to this notice.
Responses to these questions should cite the numbers and subsection of
the questions being answered. For all comments submitted, please submit
any relevant data, statistics, or any other evidence upon which those
comments are based.
Definition of On Whose Behalf Such Information Is Collected or
Maintained
1. The Commission proposes to revise the definition of operator to
indicate that personal information is collected or maintained on behalf
of an operator where it is collected in the interest of, as a
representative of, or for the benefit of, the operator.
a. Is the proposed language sufficiently clear to cover Web sites
or online services where they permit the collection of personal
information by parties such as advertising networks, providers of
downloadable software kits, or ``social plug-ins''?
b. Do the proposed requirements of this provision provide
sufficient guidance and clarity for an operator who does not otherwise
collect personal information from children?
c. Is the proposed language sufficiently narrow to exclude entities
that merely provide access to the Internet without providing content or
collecting information from children?
d. Does the proposed language present any practical or technical
challenges for implementation by the operator? If so, please describe
such challenges in detail.
Definition of Web Site or Online Service Directed to Children
2. The Commission proposes to identify four categories of Web sites
or online services directed to children (paragraphs (a)-(d)). Does the
proposed revised definition adequately capture all
[[Page 46652]]
instances where a Web site or online service may be directed to
children?
3. Is the newly proposed paragraph (c) within the definition of Web
site or online service directed to children sufficiently clear to
provide guidance to an operator as to when the operator is permitted to
screen users for age and is required to comply with COPPA?
4. The Commission proposes to cover as a Web site or online service
directed to children an operator who knows or has reason to know that
it is collecting personal information through a child-directed site or
service (paragraph (d)).
a. Is the ``knows or has reason to know'' standard appropriate in
this case? Should the standard be broadened, or should it be narrowed,
in any way?
b. What are the costs and benefits to operators, parents, and
children of the proposed revisions?
c. Does the proposed language present any practical or technical
challenges for implementation by the operator? If so, please describe
such challenges in detail.
5. Is there currently technology in use or available that would
enable Web sites or online services to publicly signal (through code or
otherwise) that they are sites or services ``directed to children''?
What are the costs and benefits of the voluntary use of such
technology?
Definition of Personal Information
Screen or User Names
6. The Commission proposes revising the definition of personal
information to include screen or user name where it functions in the
same manner as online contact information, i.e., where it acts as an
identifier that permits direct contact with a person online. Are there
any other instances not identified by the Commission in which a screen
or user name can be used to contact a specific child?
Persistent Identifiers and Support for Internal Operations
7. The Commission proposes to combine the sub-definitions of
personal information in proposed paragraphs (g) and (h) covering
persistent identifiers, and to broaden the definition of support for
internal operations.
a. Is the proposed language sufficiently clear?
b. What are the costs and benefits to operators, parents, and
children of the proposed revisions?
c. Do the proposed revisions present any practical or technical
challenges for implementation by the operator? If so, please describe
such challenges in detail.
Paperwork Reduction Act
8. The Commission solicits comments on whether the changes to the
definitions (Sec. 312.2) constitute ``collections of information''
within the meaning of the Paperwork Reduction Act. The Commission
requests comments that will enable it to:
a. Evaluate whether the proposed collections of information are
necessary for the proper performance of the functions of the agency,
including whether the information will have practical utility;
b. Evaluate the accuracy of the agency's estimate of the burden of
the proposed collections of information, including the validity of the
methodology and assumptions used;
c. Enhance the quality, utility, and clarity of the information to
be collected; and,
d. Minimize the burden of the collections of information on those
who must comply, including through the use of appropriate automated,
electronic, mechanical, or other technological collection techniques or
other forms of information technology.
VIII. Proposed Revisions to the Rule
List of Subjects in 16 CFR Part 312
Children, Communications, Consumer protection, Electronic mail,
Email, Internet, Online service, Privacy, Record retention, Safety,
Science and technology, Trade practices, Web site, Youth.
For the reasons discussed above, the Commission proposes to amend
part 312 of Title 16, Code of Federal Regulations, as follows:
PART 312--CHILDREN'S ONLINE PRIVACY PROTECTION RULE
1. The authority citation for part 312 continues to read as
follows:
Authority: 15 U.S.C. 6501-6508.
2. Amend Sec. 312.2 by revising the definitions of operator,
personal information, and Web sites or online services directed to
children, and by adding after the definition of personal information a
new definition of support for internal operations of the Web site or
online service, to read as follows:
Sec. 312.2 Definitions.
* * * * *
Operator means any person who operates a Web site located on the
Internet or an online service and who collects or maintains personal
information from or about the users of or visitors to such Web site or
online service, or on whose behalf such information is collected or
maintained, or offers products or services for sale through that Web
site or online service, where such Web site or online service is
operated for commercial purposes involving commerce:
(a) Among the several States or with 1 or more foreign nations;
(b) In any territory of the United States or in the District of
Columbia, or between any such territory and
(1) Another such territory, or,
(2) Any State or foreign nation; or,
(c) Between the District of Columbia and any State, territory, or
foreign nation. This definition does not include any nonprofit entity
that would otherwise be exempt from coverage under Section 5 of the
Federal Trade Commission Act (15 U.S.C. 45).
Personal information is collected or maintained on behalf of an
operator where it is collected in the interest of, as a representative
of, or for the benefit of, the operator.
* * * * *
Personal information means individually identifiable information
about an individual collected online, including:
(a) A first and last name;
(b) A home or other physical address including street name and name
of a city or town;
(c) Online contact information as defined in this Section;
(d) A screen or user name where it functions in the same manner as
online contact information, as defined in this Section;
(e) A telephone number;
(f) A Social Security number;
(g) A persistent identifier that can be used to recognize a user
over time, or across different Web sites or online services, where such
persistent identifier is used for functions other than or in addition
to support for the internal operations of the Web site or online
service. Such persistent identifier includes, but is not limited to, a
customer number held in a cookie, an Internet Protocol (IP) address, a
processor or device serial number, or unique device identifier;
(h) A photograph, video, or audio file where such file contains a
child's image or voice;
(i) Geolocation information sufficient to identify street name and
name of a city or town; or,
(j) Information concerning the child or the parents of that child
that the operator collects online from the child and combines with an
identifier described in this definition.
Support for the internal operations of the Web site or online
service means those activities necessary to: (a)
Maintain or analyze the functioning of the Web site or online service;
(b) perform network communications; (c) authenticate users of, or
personalize the content on, the Web site or online service; (d) serve
contextual advertising on the Web site or online service; (e) protect
the security or integrity of the user, Web site, or online service; or
(f) fulfill a request of a child as permitted by Sec. Sec. 312.5(c)(3)
and (4); so long as the information collected for the activities listed
in (a)-(f) is not used or disclosed to contact a specific individual or
for any other purpose.
* * * * *
Web site or online service directed to children means a commercial
Web site or online service, or portion thereof, that:
(a) Knowingly targets children under age 13 as its primary
audience; or,
(b) based on the overall content of the Web site or online service,
is likely to attract children under age 13 as its primary audience; or,
(c) based on the overall content of the Web site or online service,
is likely to attract an audience that includes a disproportionately
large percentage of children under age 13 as compared to the percentage
of such children in the general population; provided however that such
Web site or online service shall not be deemed to be directed to
children if it: (i) Does not collect personal information from any
visitor prior to collecting age information; and (ii) prevents the
collection, use, or disclosure of personal information from visitors
who identify themselves as under age 13 without first obtaining
verifiable parental consent; or,
(d) knows or has reason to know that it is collecting personal
information through any Web site or online service covered under
paragraphs (a)-(c).
In determining whether a commercial Web site or online service, or a
portion thereof, is directed to children, the Commission will consider
its subject matter, visual content, use of animated characters or
child-oriented activities and incentives, music or other audio content,
age of models, presence of child celebrities or celebrities who appeal
to children, language or other characteristics of the Web site or
online service, as well as whether advertising promoting or appearing
on the Web site or online service is directed to children. The
Commission will also consider competent and reliable empirical evidence
regarding audience composition, and evidence regarding the intended
audience. A commercial Web site or online service, or a portion
thereof, shall not be deemed directed to children solely because it
refers or links to a commercial Web site or online service directed to
children by using information location tools, including a directory,
index, reference, pointer, or hypertext link.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2012-19115 Filed 8-3-12; 8:45 am]
BILLING CODE 6750-01-P