Request for Public Comment on the Federal Trade Commission's Implementation of the Children's Online Privacy Protection Rule, 35842-35847 [2019-15754]
Download as PDF
<![CDATA[
35842
Federal Register / Vol. 84, No. 143 / Thursday, July 25, 2019 / Proposed Rules
2003;’’ or Revision ‘‘June 2005,’’ as
applicable.
(h) Maintenance or Inspection Program
Revision
Within 18 months after the effective date
of this AD, revise the existing maintenance
or inspection program, as applicable, to
incorporate the information specified in
Boeing 757 Maintenance Planning Data
(MPD) Document, Section 9, Airworthiness
Limitations (AWLs) and Certification
Maintenance Requirements (CMRs),
D622N001–9, Revision October 2018. The
initial compliance time for doing the new or
updated tasks is at the time specified in
Boeing 757 Maintenance Planning Data
(MPD) Document, Section 9, Airworthiness
Limitations (AWLs) and Certification
Maintenance Requirements (CMRs),
D622N001–9, Revision October 2018, or
within 18 months after the effective date of
this AD, whichever occurs later. The
compliance time for doing the unchanged
tasks is at the time specified in Boeing 757
Maintenance Planning Data (MPD)
Document, Section 9, Airworthiness
Limitations (AWLs) and Certification
Maintenance Requirements (CMRs),
D622N001–9, Revision October 2018.
(i) No Alternative Actions, Intervals, or
Critical Design Configuration Control
Limitations (CDCCLs) for Paragraph (g) of
This AD
Except as required by paragraph (h) of this
AD: After the existing maintenance or
inspection program has been revised as
required by paragraph (g) of this AD, no
alternative actions (e.g., inspections),
intervals, or CDCCLs may be used unless the
actions, intervals, and CDCCLs are approved
as an alternative method of compliance
(AMOC) in accordance with the procedures
specified in paragraph (l) of this AD.
(j) No Alternative Actions, Intervals, or
CDCCLs for Paragraph (h) of This AD
After the existing maintenance or
inspection program has been revised as
required by paragraph (h) of this AD, no
alternative actions (e.g., inspections),
intervals, or CDCCLs may be used unless the
actions, intervals, and CDCCLs are approved
as an AMOC in accordance with the
procedures specified in paragraph (l) of this
AD.
jspears on DSK30JT082PROD with PROPOSALS
(k) Terminating Action for Paragraph (g) of
This AD
Accomplishing the revision required by
paragraph (h) of this AD terminates the
revision required by paragraph (g) of this AD.
(l) Alternative Methods of Compliance
(AMOCs)
(1) The Manager, Los Angeles ACO Branch,
FAA, has the authority to approve AMOCs
for this AD, if requested using the procedures
found in 14 CFR 39.19. In accordance with
14 CFR 39.19, send your request to your
principal inspector or local Flight Standards
District Office, as appropriate. If sending
information directly to the manager of the
certification office, send it to the attention of
the person identified in paragraph (m)(1) of
VerDate Sep<11>2014
16:36 Jul 24, 2019
Jkt 247001
this AD. Information may be emailed to: 9ANM-LAACO-AMOC-Requests@faa.gov.
(2) Before using any approved AMOC,
notify your appropriate principal inspector,
or lacking a principal inspector, the manager
of the local flight standards district office/
certificate holding district office.
(3) An AMOC that provides an acceptable
level of safety may be used for any repair,
modification, or alteration required by this
AD if it is approved by The Boeing Company
Organization Designation Authorization
(ODA) that has been authorized by the
Manager, Los Angeles ACO Branch, FAA, to
make those findings. To be approved, the
repair method, modification deviation, or
alteration deviation must meet the
certification basis of the airplane, and the
approval must specifically refer to this AD.
(4) AMOCs approved previously for AD
2001–20–12 and AD 2006–11–11 are
approved as AMOCs for the corresponding
provisions of this AD.
(m) Related Information
(1) For more information about this AD,
contact Chandraduth Ramdoss, Aerospace
Engineer, Airframe Section, FAA, Los
Angeles ACO Branch, 3960 Paramount
Boulevard, Lakewood, CA 90712–4137;
phone: 562–627–5239; fax: 562–627–5210;
email: chandraduth.ramdoss@faa.gov.
(2) For service information identified in
this AD, contact Boeing Commercial
Airplanes, Attention: Contractual & Data
Services (C&DS), 2600 Westminster Blvd.,
MC 110–SK57, Seal Beach, CA 90740–5600;
phone: 562–797–1717; internet: https://
www.myboeingfleet.com. You may view this
referenced service information at the FAA,
Transport Standards Branch, 2200 South
216th St., Des Moines, WA. For information
on the availability of this material at the
FAA, call 206–231–3195.
Issued in Des Moines, Washington, on July
16, 2019.
Suzanne Masterson,
Acting Director, System Oversight Division,
Aircraft Certification Service.
[FR Doc. 2019–15582 Filed 7–24–19; 8:45 am]
BILLING CODE 4910–13–P
FEDERAL TRADE COMMISSION
16 CFR Part 312
RIN 3084–AB20
Request for Public Comment on the
Federal Trade Commission’s
Implementation of the Children’s
Online Privacy Protection Rule
Federal Trade Commission.
Regulatory review; request for
public comment.
AGENCY:
ACTION:
The Federal Trade
Commission (‘‘FTC’’ or ‘‘Commission’’)
requests public comment on its
implementation of the Children’s
Online Privacy Protection Act
(‘‘COPPA’’ or ‘‘the Act’’), through the
SUMMARY:
PO 00000
Frm 00003
Fmt 4702
Sfmt 4702
Children’s Online Privacy Protection
Rule (‘‘COPPA Rule’’ or ‘‘the Rule’’).
DATES: Written comments must be
received on or before October 23, 2019.
The Commission will hold a public
workshop to review the COPPA Rule on
October 7, 2019.
ADDRESSES: Interested parties may file a
comment online or on paper by
following the Request for Comment part
of the SUPPLEMENTARY INFORMATION
section below. Write ‘‘COPPA Rule
Review, 16 CFR part 312, Project No.
P195404,’’ on your comment and file
your comment online at https://
www.regulations.gov by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, mail your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
600 Pennsylvania Avenue NW, Suite
CC–5610 (Annex B), Washington, DC
20580, or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW,
5th Floor, Suite 5610 (Annex B),
Washington, DC 20024.
The workshop will be held at the
Constitution Center, 400 7th Street SW,
Washington, DC. It is free and open to
the public, and members of the public
who wish to participate but cannot
attend can view a live webcast at ftc.gov.
FOR FURTHER INFORMATION CONTACT:
Kristin Cohen (202–326–2276) or Peder
Magee (202–326–3538), Division of
Privacy and Identity Protection, Federal
Trade Commission, 600 Pennsylvania
Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
I. Background
The Commission typically reviews its
Rules every ten years to ensure that they
have kept up with changes in the
marketplace, technology, and business
models. Although the Commission’s last
COPPA Rule review ended in 2013, the
Commission is conducting its ten-year
review early because of questions that
have arisen about the Rule’s application
to the educational technology sector, to
voice-enabled connected devices, and to
general audience platforms that host
third-party child-directed content. In
addition to requesting comment on
these issues, the Commission requests
comment on the costs and benefits of
the Rule, as well as on whether certain
sections should be retained, eliminated,
or modified. All interested persons are
hereby given notice of the opportunity
to submit written data, views, and
arguments concerning the Rule.
The COPPA Rule, issued pursuant to
COPPA, 15 U.S.C. 6501, et seq., became
E:\FR\FM\25JYP1.SGM
25JYP1
Federal Register / Vol. 84, No. 143 / Thursday, July 25, 2019 / Proposed Rules
jspears on DSK30JT082PROD with PROPOSALS
effective on April 21, 2000, and was
revised on January 17, 2013. The Rule
imposes certain requirements on
operators of websites or online services
directed to children under 13 years of
age, and on operators of other websites
or online services that have actual
knowledge that they are collecting
personal information online from a
child under 13 years of age (collectively,
‘‘operators’’).1 Among other things, the
Rule requires that operators provide
notice to parents and obtain verifiable
parental consent prior to collecting,
using, or disclosing personal
information from children under 13
years of age. The Rule also requires
operators to keep secure the information
they collect from children and prohibits
them from conditioning children’s
participation in activities on the
collection of more personal information
than is reasonably necessary to
participate in such activities. Further,
the Rule contains a ‘‘safe harbor’’
provision enabling industry groups or
others to submit to the Commission for
approval self-regulatory guidelines that
would implement the Rule’s
protections.
II. Rule Review
COPPA and § 312.11 of the original
Rule required the Commission to
initiate a review no later than five years
after the Rule’s effective date to evaluate
the Rule’s implementation. The
Commission commenced this
mandatory review on April 21, 2005.
After receiving and considering
extensive public comment on the Rule,
the Commission determined in March
2006 to retain the COPPA Rule without
change.2 In 2010, however, due to
changes in the online environment for
children, the Commission undertook an
extensive Rule review, which
culminated in the amendments to the
Rule adopted on January 17, 2013.3 The
online environment for children
continues to evolve at a rapid pace,
including, for example, the significant
increase in education technology in the
classroom and social media and
platforms with third-party content
appealing to children. The Commission
believes these changes warrant another
reexamination of the Rule at this time.
In this document, the Commission
poses its standard regulatory review
questions to determine whether the Rule
should be retained, eliminated, or
modified. The Commission also asks
whether the 2013 revisions to the Rule
have resulted in stronger protections for
1 16
CFR part 312.
2 See 71 FR 13247 (Mar. 15, 2006).
3 See 78 FR 3972 (Jan. 17, 2013).
VerDate Sep<11>2014
16:36 Jul 24, 2019
Jkt 247001
children and more meaningful parental
control over the collection of personal
information from children, and whether
the revisions have had any negative
consequences. It further poses specific
questions about the existing sections of
the Rule, including:
• Definitions,
• Requirement that operators post
notices of their privacy practices,
• Methods of obtaining verifiable
parental consent before collecting
children’s information,
• Security requirements,
• Parental right to review or delete
children’s information, and
• Safe harbor provisions.
In addition to these questions, the
Commission seeks comment on the
application of the Rule to the
educational technology sector, voiceenabled connected devices, and general
audience platforms that host childdirected third-party content.
Specifically, the Commission requests
comment on whether exceptions to
parental consent are warranted for: (1)
The use of education technology where
the school provides consent for the
collection of personal information from
the child (see Question 23); or (2) the
collection of audio files as a
replacement for text, where the audio
files are promptly deleted (see Question
24), in line with the enforcement policy
statement issued by the Commission.4
Additionally, the Commission seeks
comment on whether there are
circumstances in which general
audience platforms with third-party,
child-directed content should be able to
rebut the presumption that all users
interacting with that content are
children (see Question 25). If allowed to
rebut this presumption, operators of
general audience platforms could, in
certain circumstances, collect personal
information from users on their sites
that they determine are age 13 or older.
Finally, the Commission seeks
comment on whether the COPPA Rule
should be amended to better address
websites and online services that may
not meet the current definition of
‘‘website or online service directed to
children,’’ but that have large number of
child users (see Question 15). For
example, should the definition of
‘‘website or online service directed to
children’’ be amended, consistent with
the statute, to cover these types of
websites and, if so, what type of changes
would be required? Are there other
proposed amendments, consistent with
4 See Enforcement Policy Statement Regarding the
Applicability of the COPPA Rule to the Collection
and Use of Voice Recordings, 82 FR 58076 (Dec. 8,
2017).
PO 00000
Frm 00004
Fmt 4702
Sfmt 4702
35843
the statute, for the Commission to
consider to ensure children using these
sites and services receive COPPA
protections?
III. Questions Regarding the COPPA
Rule
The Commission invites members of
the public to comment on any issues or
concerns they believe are relevant or
appropriate to the Commission’s review
of the COPPA Rule, and to submit
written data, views, facts, and
arguments addressing the Rule. All
comments should be filed as prescribed
in the ADDRESSES section of this
document, and must be received by
October 23, 2019. If your comment
proposes any modifications to the Rule,
please also address whether your
proposed modification may conflict
with the statutory provisions of COPPA
and, if so, whether you propose seeking
legislative changes to the Act. The
Commission is particularly interested in
comments addressing the following
questions:
A. General Questions for Comment
1. Is there a continuing need for the
Rule as currently promulgated? Why or
why not?
a. Since the Rule was issued, have
changes in technology, industry, or
economic conditions affected the need
for or effectiveness of the Rule?
b. What are the aggregate costs and
benefits of the Rule?
c. Does the Rule include any
provisions not mandated by the Act that
are unnecessary or whose costs
outweigh their benefits? If so, which
ones and why?
2. What effect, if any, has the Rule
had on children, parents, or other
consumers?
a. Has the Rule benefited children,
parents, or other consumers? If so, how?
b. Has the Rule imposed any costs on
children, parents, or other consumers? If
so, what are these costs?
c. What changes, if any, should be
made to the Rule to increase its benefits,
consistent with the Act’s requirements?
What costs would these changes
impose?
3. What impact, if any, has the Rule
had on operators?
a. Has the Rule provided benefits to
operators? If so, what are these benefits?
b. Has the Rule imposed costs on
operators, including costs of compliance
in time or monetary expenditures? If so,
what are these costs?
c. What changes, if any, should be
made to the Rule to reduce the costs
imposed on operators, consistent with
the Act’s requirements? How would
these changes affect the Rule’s benefits?
E:\FR\FM\25JYP1.SGM
25JYP1
35844
Federal Register / Vol. 84, No. 143 / Thursday, July 25, 2019 / Proposed Rules
jspears on DSK30JT082PROD with PROPOSALS
4. How many small businesses are
subject to the Rule? What costs (types
and amounts) do small businesses incur
in complying with the Rule? How has
the Rule otherwise affected operators
that are small businesses? Have the
costs or benefits of the Rule changed
over time with respect to small
businesses? What about small
businesses that control and process
large sets of data? What regulatory
alternatives, if any, would decrease the
Rule’s burden on small businesses,
consistent with the Act’s requirements?
5. Does the Rule overlap or conflict
with any other federal, state, or local
government laws or regulations? How
should these overlaps or conflicts be
resolved, consistent with the Act’s
requirements?
a. Are there any unnecessary
regulatory burdens created by
overlapping jurisdiction? If so, what can
be done to ease the burdens, consistent
with the Act’s requirements?
b. Are there any gaps where no
federal, state, or local government law
or regulation has addressed a
problematic practice relating to
children’s online privacy? Could or
should any such gaps be remedied by a
modification to the Rule?
6. Has the Rule affected practices
relating to the collection and disclosure
of information relating to children
online? If so, how?
7. Has the Rule affected children’s
ability to access information of their
choice online? If so, how?
8. Has the Rule affected the
availability of websites or online
services directed to children? If so,
how?
a. Has the number or type of websites
or online services directed to children
changed since the Rule became
effective? If so, how? Did the Rule cause
these changes?
b. Approximately how many new
websites and online services are created
each year that are directed to children?
B. Definitions
9. Do the definitions set forth in
§ 312.2 of the Rule accomplish COPPA’s
goal of protecting children’s online
privacy and safety?
10. Are the definitions in § 312.2 clear
and appropriate? If not, how can they be
improved, consistent with the Act’s
requirements?
11. The 2013 COPPA Rule
amendments made several
modifications to the definitions under
the Rule, including to the terms
‘‘Collects or collection,’’ ‘‘Online
contact information,’’ ‘‘Operator,’’
‘‘Personal information,’’ ‘‘Support for
the internal operations of the website or
VerDate Sep<11>2014
16:36 Jul 24, 2019
Jkt 247001
online service,’’ and ‘‘website or online
service directed to children.’’ Have
these revised definitions resulted in
stronger protections for children’s
online privacy and safety? Have they
had any negative consequences that
require revision?
12. The 2013 revised COPPA Rule
amended the definition of ‘‘Personal
information’’ to include, among other
items, a ‘‘persistent identifier that can
be used to recognize a user over time
and across different websites or online
services.’’ Has this revision resulted in
stronger privacy protection for children?
Has it had any negative consequences?
13. Should the Commission consider
further revision to the definition of
‘‘Personal information’’? Are there
additional categories of information that
should be expressly included in this
definition, such as genetic data,
fingerprints, retinal patterns, or other
biometric data? What about personal
information that is inferred about, but
not directly collected from, children?
What about other data that serve as
proxies for personal information
covered under this definition? Does this
type of information permit the physical
or online contacting of a specific
individual?
14. Should the definition of ‘‘Support
for the internal operations of the website
or online service’’ be modified? Are
there practices in addition to behavioral
targeting and profiling that should be
expressly excluded from the definition?
Should additional activities be
expressly permitted under the
definition? For example, should the
definition expressly include advertising
attribution? Advertising attribution is
the method used to determine whether
a particular advertisement led the user
to take a particular step, such as
downloading an app.
15. Does § 312.2 correctly articulate
the factors to consider in determining
whether a website or online service is
directed to children? Do any of the
current factors need to be clarified? Are
there additional factors that should be
considered? For example, should the
definition be amended, consistent with
the statute, to better address websites
and online services that do not include
traditionally child-oriented activities,
but that have large numbers of child
users? If so, what types of changes to the
definition should be considered? Are
there other proposed amendments,
consistent with the statute, for the
Commission to consider to ensure
children using these types of websites
and online services receive COPPA
protections?
16. Has the 2013 addition, found in
part (3) of the definition of ‘‘website or
PO 00000
Frm 00005
Fmt 4702
Sfmt 4702
online service directed to children,’’
which permits those sites that do not
target children as their primary
audience to age screen users, resulted in
stronger protections for children’s
privacy? Should the Rule be more
specific about the appropriate methods
for determining the age of users?
17. What are the implications for
COPPA enforcement raised by
technologies such as interactive
television, interactive gaming, chatbots,
or other similar interactive media?
C. Notice
18. Section 312.4 of the Rule sets out
the requirements for the content and
delivery of operators’ notices of their
information practices with regard to
children.
a. Are the requirements in this
Section clear and appropriate? If not,
how can they be improved? Should the
Rule, for example, more clearly state
that an operator’s direct notice should
include not just the types of personal
information collected, but also how the
operator intends to use the personal
information that is collected? Should
the Rule require the notice to include
information about the categories of third
parties, such as advertisers, that may
make use of the information collected?
The Rule’s direct notice requirement
found in § 312.4(c) presupposes that the
operator has collected the parent’s
online contact information. Should the
Rule more clearly state the content of
direct notices where the operator does
not collect a parent’s online contact
information?
b. Should the notice requirements be
clarified or modified in any way to
reflect changes in the types or uses of
children’s information collected by
operators or changes in communications
options available between operators and
parents?
D. Parental Consent
19. Section 312.5 of the Rule requires
operators to obtain verifiable parental
consent before collecting, using, or
disclosing personal information from
children, including consent to any
material change to practices to which
the parent previously consented. This
Section further requires operators to
make reasonable efforts to obtain this
consent, and the efforts must be
reasonably calculated to ensure that the
person providing consent is the child’s
parent, taking into consideration
available technology.
a. Has the consent requirement been
effective in protecting children’s online
privacy and safety?
b. What data exist on: (1) Operators’
use of parental consent mechanisms; (2)
E:\FR\FM\25JYP1.SGM
25JYP1
Federal Register / Vol. 84, No. 143 / Thursday, July 25, 2019 / Proposed Rules
jspears on DSK30JT082PROD with PROPOSALS
parents’ awareness of the Rule’s
parental consent requirements; or (3)
parents’ response to operators’ parental
consent requests?
20. Section 312.5(b)(2) of the Rule
provides a non-exhaustive list of
approved methods to obtain verifiable
parental consent, including: Providing a
consent form to be signed by the parent
and returned to the operator; requiring
a parent to use a credit card, debit card,
or other online payment system in
connection with a monetary transaction;
having a parent call a toll-free number
staffed by trained personnel; having a
parent connect to trained personnel via
video-conference; and verifying a
parent’s identity by checking a form of
government-issued identification
against databases of such information.
In addition, pursuant to the process set
forth in § 312.12(a), the Commission has
approved the use of knowledge-based
authentication 5 and facial recognition
technology.6 Section 312.5(b)(2) also
sets forth a mechanism that operators
can use to obtain verifiable parental
consent for uses of information other
than ‘‘disclosures’’ (the ‘‘email plus
mechanism’’). The email plus
mechanism permits the use of an email
coupled with additional steps to
provide assurances that the person
providing consent is the parent,
including sending a confirmatory email
to the parent following receipt of
consent or obtaining a postal address or
telephone number from the parent and
confirming the parent’s consent by letter
or telephone call.
a. To what extent are operators using
each of the enumerated methods? Please
provide as much specific data as
possible, including the costs and
benefits associated with each method
described.
b. Are there additional methods to
obtain verifiable parental consent, based
on current or emerging technological
changes, which should be added to
§ 312.5 of the Rule? What are the costs
and benefits of these additional
methods?
c. Should any of the currently
enumerated methods to obtain verifiable
parental consent be removed from the
Rule? If so, please explain which one(s)
and why.
d. Should the Commission consider
any changes to the Rule to encourage
5 See Letter to Imperium, LLC (Dec. 23, 2013),
https://www.ftc.gov/sites/default/files/attachments/
press-releases/ftc-grants-approval-new-coppaverifiable-parental-consent-method/
131223imperiumcoppa-app.pdf.
6 See Letter to Jest8 Limited (Trading as Riyo)
(Nov. 18, 2015), https://www.ftc.gov/system/files/
documents/public_statements/881633/
151119riyocoppaletter.pdf.
VerDate Sep<11>2014
16:36 Jul 24, 2019
Jkt 247001
the development of new methods of
parental consent?
E. Exceptions to Verifiable Parental
Consent
21. COPPA and § 312.5(c) of the Rule
set forth eight exceptions to the prior
parental consent requirement. Are the
exceptions in § 312.5(c) clear and
appropriate? If not, how can they be
improved, consistent with the Act’s
requirements?
22. Should the Commission consider
additional exceptions to parental
consent, consistent with the Act’s
requirements?
23. In the Statement of Basis and
Purpose to the 1999 COPPA Rule, the
Commission noted that the Rule ‘‘does
not preclude schools from acting as
intermediaries between operators and
schools in the notice and consent
process, or from serving as the parents’
agent in the process.’’ 7 Since that time,
there has been a significant expansion of
education technology used in
classrooms. Should the Commission
consider a specific exception to parental
consent for the use of education
technology used in the schools? Should
this exception have similar
requirements to the ‘‘school official
exception’’ found in the Family
Educational Rights and Privacy Act
(‘‘FERPA’’),8 and as described in
Protecting Student Privacy While Using
Online Educational Services:
Requirements and Best Practices? 9 If
the Commission were to amend the
COPPA Rule to include such an
exception:
a. Should the Rule specify who at the
school can provide consent?
b. Should operators be able to use the
personal information collected from
children to improve the product?
Should operators be able to use the
personal information collected from
children to improve other educational
or non-educational products? Should
de-identification of the personal
information be required for such uses?
Is de-identification of such personal
information effective at preventing reFR 59888, 59903 (Nov. 3, 1999).
requirements would, for example: Prohibit
operators from using personal information without
the school official’s consent; limit operators’ use of
information to the specified educational purpose
and no other commercial purpose; ensure that the
school maintains control of the information,
including the right to review, correct, and delete the
information; and prohibit operators from disclosing
the information to third parties.
9 See U.S. Department of Education, Privacy
Technical Assistance Center, Protecting Student
Privacy While Using Online Educational Services:
Requirements and Best Practices, https://
tech.ed.gov/wp-content/uploads/2014/09/StudentPrivacy-and-Online-Educational-Services-February2014.pdf (2014).
PO 00000
7 65
8 Such
Frm 00006
Fmt 4702
Sfmt 4702
35845
identification? What kinds of specific
technical, administrative, operational or
other procedural safeguards have
proved effective at preventing reidentification of de-identified data? Are
there instances in which de-identified
information has been sold or hacked
and then re-identified?
c. Should parents be able to request
deletion of personal information
collected by operators under such an
exception?
d. Should an operator require the
school to notify the parent of the
operator’s information practices and, if
so, how should the school provide such
notice?
e. Should such an exception result in
a preemption of state laws? If so, would
that result negatively affect children’s
privacy?
f. Should the scope of the school’s
authority to consent be limited to
defined educational purposes? Should
such purposes be defined, and if so,
how? Should operators seeking consent
in the school setting be prohibited from
using information for particular
purposes, such as marketing to students
or parents?
24. In 2017, the Commission issued
an enforcement policy statement
addressing the use of audio files
containing a child’s voice.10 The
Commission explained that it would not
take an enforcement action against an
operator for not obtaining parental
consent before collecting an audio file
with a child’s voice when the audio file
is collected solely as a replacement for
written words, such as to perform a
search, so long as the audio file is held
for a brief time and used only for that
purpose. Should the Commission
amend the Rule to specifically include
such an exception? If the Commission
were to include such an exception,
should an operator be able to de-identify
these audio files and use them to
improve its products? If so, for how long
should operators be permitted to retain
such de-identified audio files? Is deidentification of audio files effective at
preventing re-identification? Are there
specific technical, administrative,
operational or other procedural
safeguards that have proved effective at
preventing re-identification of deidentified data? Are there instances in
which de-identified information has
been sold or hacked and then reidentified?
25. In some circumstances, operators
of general audience platforms do not
10 See Enforcement Policy Statement Regarding
the Applicability of the COPPA Rule to the
Collection and Use of Voice Recordings, 82 FR
58076 (Dec. 8, 2017).
E:\FR\FM\25JYP1.SGM
25JYP1
jspears on DSK30JT082PROD with PROPOSALS
35846
Federal Register / Vol. 84, No. 143 / Thursday, July 25, 2019 / Proposed Rules
have COPPA liability for their collection
of personal information from users of
child-directed content on their platform
uploaded by third parties, absent the
platforms’ actual knowledge that the
content is directed to children.
Operators of such platforms therefore
may have an incentive to avoid gaining
actual knowledge of the presence of
child-directed content on their platform.
To encourage such platforms to take
steps to identify and police childdirected content uploaded by others,
should the Commission make
modifications to the COPPA Rule? For
example, should such platforms that
identify and police child-directed
content be able to rebut the presumption
that all users of the child-directed thirdparty content are children thereby
allowing the platform to treat under and
over age 13 users differently? 11 Given
that most users of a general audience
platform are adults, there may be a
greater likelihood that adults are
viewing or interacting with childdirected content than on traditional
child-directed sites. In considering this
issue, the Commission specifically
requests comment on the following:
a. Would allowing these types of
general audience platforms to treat over
and under age 13 users differently
encourage them to take affirmative steps
to identify child-directed content
generated by third parties and treat it in
accordance with COPPA?
b. Would allowing such a rebuttal of
the presumption that all users are
children in this context require a Rule
change? If so, would such a Rule change
be consistent with the Act?
c. If the Commission were to allow
such a rebuttal of the presumption that
all users of this content are children,
what factors should it consider in
determining whether the presumption
has been rebutted? What methods could
a general audience platform use to
effectively rebut the presumption that
all users of the third-party childdirected content are children?
d. Could a general audience platform
hosting third-party, child-directed
content effectively rebut this
presumption by doing the following:
i. Taking measures reasonably
calculated to identify child-directed
content generated by third parties for
commercial purposes;
ii. Permitting users that identify
themselves through a neutral age gate to
create an account on the platform;
11 See 78 FR 3972, 3984 (Jan. 17, 2013) (‘‘The
Commission retains its longstanding position that
child-directed sites or services whose primary target
audience is children must continue to presume all
users are children and to provide COPPA
protections accordingly.’’).
VerDate Sep<11>2014
16:36 Jul 24, 2019
Jkt 247001
iii. Taking measures reasonably
calculated, in light of available
technology, to ensure that if personal
information is to be collected from a
user accessing child-directed content,
the user is the person who created an
account and identified as being 13 or
older, and not a child in the household,
such as through periodic authentication;
and
iv. Providing clear and conspicuous
notice at the time the user is interacting
with child-directed content of its
information collection practices, and
separately communicating those
information practices through out-ofband notices, such as through online
contact information provided as part of
the account creation process?
The Commission seeks comment on
whether these measures, or any others,
could effectively rebut the presumption
that all users of this child-directed
content are children, and also on the
ways in which an operator could
implement these measures.
e. What, if any, risk is presented by
permitting general audience sites to
rebut the presumption that all users of
child-directed content are children?
Would it prove challenging to reliably
distinguish between a parent and a
child who accesses content while logged
in to a parent’s account? In considering
whether to permit general audience sites
to rebut the presumption, should the
Commission consider costs and benefits
unrelated to privacy, such as whether
children may be exposed to ageinappropriate content if they are treated
as an adult?
F. Right of a Parent To Review or Have
Personal Information Deleted
26. Section 312.6(a) of the Rule
requires operators to give parents, upon
their request: (1) A description of the
specific types of personal information
collected from children; (2) the
opportunity to refuse to permit the
further use or collection of personal
information from the child and to direct
the deletion of the information; and (3)
a means of reviewing any personal
information collected from the child. In
the case of a parent who wishes to
review the personal information
collected from the child, § 312.6(a)(3) of
the Rule requires operators to provide a
means of review that ensures that the
requestor is a parent of that child (taking
into account available technology) and
is not unduly burdensome to the parent.
a. To what extent are parents
exercising their rights under
§ 312.6(a)(1) to obtain from operators a
description of the specific types of
personal information collected from
children?
PO 00000
Frm 00007
Fmt 4702
Sfmt 4702
b. To what extent are parents
exercising their rights under
§ 312.6(a)(2) to refuse to permit the
further use or collection of personal
information from the child and to direct
the deletion of the information?
c. To what extent are parents
exercising their rights under
§ 312.6(a)(3) to review any personal
information collected from the child?
d. Do the costs and burdens to
operators or parents differ depending on
whether a parent seeks a description of
the information collected, access to the
child’s information, or to have the
child’s information deleted?
e. Is it difficult for operators to ensure,
taking into account available
technology, that a requester seeking to
review the personal information
collected from a child is a parent of that
child?
f. Do operators use different processes
or procedures to respond to parents who
exercise rights under § 312.6(a)? Which
processes or procedures are easiest for
parents to use? Which are the most
difficult? Do any mechanisms exist to
facilitate the exercise of these rights
with more than one operator at a time?
g. Where operators serve as service
providers to schools, should parents be
able to request the operators to delete
personal information collected by them
that are education records, such as
grades or test scores?
h. Are the requirements of § 312.6
clear and appropriate? If not, how can
they be improved, consistent with the
Act’s requirements?
G. Prohibition Against Conditioning a
Child’s Participation on Collection of
Personal Information
27. COPPA and § 312.7 of the Rule
prohibit operators from conditioning a
child’s participation in an activity on
disclosing more personal information
than is reasonably necessary to
participate in such activity.
a. Do operators take this requirement
into account when shaping their online
offerings to children?
b. Has the prohibition been effective
in protecting children’s online privacy
and safety?
c. Is § 312.7 of the Rule clear and
appropriate? If not, how could it be
improved, consistent with the Act’s
requirements?
H. Confidentiality, Security, and
Integrity of Personal Information
28. Section 312.8 of the Rule requires
operators to establish and maintain
reasonable procedures to protect the
confidentiality, security, and integrity of
personal information collected from a
child, and to release children’s personal
E:\FR\FM\25JYP1.SGM
25JYP1
Federal Register / Vol. 84, No. 143 / Thursday, July 25, 2019 / Proposed Rules
jspears on DSK30JT082PROD with PROPOSALS
information only to service providers
and third parties who are capable of
maintaining the confidentiality,
security, and integrity of the personal
information, and who provide
assurances that they will do so.
a. Have operators implemented
sufficient safeguards to protect the
confidentiality, security, and integrity of
personal information collected from a
child?
b. Is § 312.8 of the Rule clear and
adequate? If not, how could it be
improved, consistent with the Act’s
requirements? Should the Rule include
more specific information security
requirements, for example to require
encryption of certain personal
information?
I. Safe Harbors
29. Section 312.11(g) of the Rule
provides that an operator will be
deemed in compliance with the Rule’s
requirements if the operator complies
with Commission-approved selfregulatory guidelines (the ‘‘safe harbor’’
process).
a. Has the safe harbor process been
effective in enhancing compliance with
the Rule?
b. Should the criteria for Commission
approval of a safe harbor program
currently enumerated in § 312.11(b) be
modified in any way? To what extent
should the Commission consider the
financial structure and incentives of
organizations operating safe harbors? Is
there any evidence that the corporate
structure of a safe harbor program
impacts its effectiveness? Should the
Commission consider applying any
restrictions on the types of organizations
that may operate safe harbors?
c. Should § 312.11(g) of the Rule,
regarding the Commission’s discretion
to initiate an investigation or bring an
enforcement action against an operator
participating in a safe harbor program,
be clarified or modified in any way?
d. Should any other changes be made
to the criteria for approval of selfregulatory guidelines, consistent with
the Act’s requirements?
e. Should the Commission consider
any changes to the safe harbor
monitoring process, including any
changes to promote greater
transparency?
f. Should the Rule include factors for
the Commission to consider in revoking
approval for a safe harbor program?
IV. Request for Comment
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before October 23, 2019. Write ‘‘COPPA
Rule Review, 16 CFR part 312, Project
VerDate Sep<11>2014
16:36 Jul 24, 2019
Jkt 247001
No. P195404,’’ on the comment. Your
comment, including your name and
your state, will be placed on the public
record of this proceeding, including, to
the extent practicable, on the https://
www.regulations.gov website.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comment online. To make sure that the
Commission considers your online
comment, you must file it at https://
www.regulations.gov by following the
instructions on the web-based form.
If you file your comment on paper,
write ‘‘COPPA Rule Review, 16 CFR
part 312, Project No. P195404,’’ on your
comment and on the envelope, and mail
your comment to the following address:
Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue
NW, Suite CC–5610 (Annex B),
Washington, DC 20580, or deliver your
comment to the following address:
Federal Trade Commission, Office of the
Secretary, Constitution Center, 400 7th
Street SW, 5th Floor, Suite 5610 (Annex
B), Washington, DC 20024. If possible,
please submit your paper comment to
the Commission by courier or overnight
service.
Because your comments will be
placed on the publicly accessible
website, https://www.regulations.gov,
you are solely responsible for making
sure that your comment does not
include any sensitive personal
information, such as your or anyone
else’s Social Security number, date of
birth, driver’s license number or other
state identification number or foreign
country equivalent, passport number,
financial account number, or credit or
debit card number. You are also solely
responsible for making sure that your
comment does not include any sensitive
health information, such as medical
records or other individually
identifiable health information. In
addition, your comment should not
include any ‘‘[t]rade secret or any
commercial or financial information
which . . . is privileged or
confidential’’—as provided in Section
6(f) of the Federal Trade Commission
Act (‘‘FTC Act’’), 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—
including in particular competitively
sensitive information such as costs,
sales statistics, inventories, formulas,
patterns, devices, manufacturing
processes, or customer names.
Comments containing material for
which confidential treatment is
requested must be filed in paper form,
must be clearly labeled ‘‘Confidential,’’
and must comply with FTC Rule 4.9(c).
In particular, the written request for
PO 00000
Frm 00008
Fmt 4702
Sfmt 4702
35847
confidential treatment that accompanies
the comment must include the factual
and legal basis for the request, and must
identify the specific portions of the
comments to be withheld from the
public record. Your comment will be
kept confidential only if the FTC
General Counsel grants your request in
accordance with the law and the public
interest. Once your comment has been
posted publicly at
www.regulations.gov—as legally
required by FTC Rule 4.9(c)—we cannot
redact or remove your comment from
the FTC website, unless you submit a
confidentiality request that meets the
requirements for such treatment under
FTC Rule 4.9(c), and the General
Counsel grants the request.
Visit the FTC website to read this
Notice and the news release describing
it. The FTC Act and other laws that the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before October 23, 2019. For
information on the Commission’s
privacy policy, including routine uses
permitted by the Privacy Act, see
https://www.ftc.gov/site-information/
privacy-policy.
By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2019–15754 Filed 7–24–19; 8:45 am]
BILLING CODE 6750–01–P
COMMODITY FUTURES TRADING
COMMISSION
17 CFR Parts 23, 43, 45, and 49
RIN 3038–AE32
Certain Swap Data Repository and
Data Reporting Requirements;
Extension of Comment Period
Commodity Futures Trading
Commission.
ACTION: Proposed rule; extension of
comment period.
AGENCY:
On May 13, 2019, the
Commodity Futures Trading
Commission (Commission) published in
the Federal Register a notice of
proposed rulemaking (NPRM) titled
Certain Swap Data Repository and Data
Reporting Requirements. The comment
period for the NPRM closes on July 29,
2019. The Commission is extending the
comment period for this NPRM by an
additional 90 days.
SUMMARY:
E:\FR\FM\25JYP1.SGM
25JYP1
]]>Agencies
[Federal Register Volume 84, Number 143 (Thursday, July 25, 2019)]
[Proposed Rules]
[Pages 35842-35847]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-15754]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 312
RIN 3084-AB20
Request for Public Comment on the Federal Trade Commission's
Implementation of the Children's Online Privacy Protection Rule
AGENCY: Federal Trade Commission.
ACTION: Regulatory review; request for public comment.
-----------------------------------------------------------------------
SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'')
requests public comment on its implementation of the Children's Online
Privacy Protection Act (``COPPA'' or ``the Act''), through the
Children's Online Privacy Protection Rule (``COPPA Rule'' or ``the
Rule'').
DATES: Written comments must be received on or before October 23, 2019.
The Commission will hold a public workshop to review the COPPA Rule on
October 7, 2019.
ADDRESSES: Interested parties may file a comment online or on paper by
following the Request for Comment part of the SUPPLEMENTARY INFORMATION
section below. Write ``COPPA Rule Review, 16 CFR part 312, Project No.
P195404,'' on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based
form. If you prefer to file your comment on paper, mail your comment to
the following address: Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B),
Washington, DC 20580, or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Constitution Center,
400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC
20024.
The workshop will be held at the Constitution Center, 400 7th
Street SW, Washington, DC. It is free and open to the public, and
members of the public who wish to participate but cannot attend can
view a live webcast at ftc.gov.
FOR FURTHER INFORMATION CONTACT: Kristin Cohen (202-326-2276) or Peder
Magee (202-326-3538), Division of Privacy and Identity Protection,
Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC
20580.
SUPPLEMENTARY INFORMATION:
I. Background
The Commission typically reviews its Rules every ten years to
ensure that they have kept up with changes in the marketplace,
technology, and business models. Although the Commission's last COPPA
Rule review ended in 2013, the Commission is conducting its ten-year
review early because of questions that have arisen about the Rule's
application to the educational technology sector, to voice-enabled
connected devices, and to general audience platforms that host third-
party child-directed content. In addition to requesting comment on
these issues, the Commission requests comment on the costs and benefits
of the Rule, as well as on whether certain sections should be retained,
eliminated, or modified. All interested persons are hereby given notice
of the opportunity to submit written data, views, and arguments
concerning the Rule.
The COPPA Rule, issued pursuant to COPPA, 15 U.S.C. 6501, et seq.,
became
[[Page 35843]]
effective on April 21, 2000, and was revised on January 17, 2013. The
Rule imposes certain requirements on operators of websites or online
services directed to children under 13 years of age, and on operators
of other websites or online services that have actual knowledge that
they are collecting personal information online from a child under 13
years of age (collectively, ``operators'').\1\ Among other things, the
Rule requires that operators provide notice to parents and obtain
verifiable parental consent prior to collecting, using, or disclosing
personal information from children under 13 years of age. The Rule also
requires operators to keep secure the information they collect from
children and prohibits them from conditioning children's participation
in activities on the collection of more personal information than is
reasonably necessary to participate in such activities. Further, the
Rule contains a ``safe harbor'' provision enabling industry groups or
others to submit to the Commission for approval self-regulatory
guidelines that would implement the Rule's protections.
---------------------------------------------------------------------------
\1\ 16 CFR part 312.
---------------------------------------------------------------------------
II. Rule Review
COPPA and Sec. 312.11 of the original Rule required the Commission
to initiate a review no later than five years after the Rule's
effective date to evaluate the Rule's implementation. The Commission
commenced this mandatory review on April 21, 2005. After receiving and
considering extensive public comment on the Rule, the Commission
determined in March 2006 to retain the COPPA Rule without change.\2\ In
2010, however, due to changes in the online environment for children,
the Commission undertook an extensive Rule review, which culminated in
the amendments to the Rule adopted on January 17, 2013.\3\ The online
environment for children continues to evolve at a rapid pace,
including, for example, the significant increase in education
technology in the classroom and social media and platforms with third-
party content appealing to children. The Commission believes these
changes warrant another reexamination of the Rule at this time.
---------------------------------------------------------------------------
\2\ See 71 FR 13247 (Mar. 15, 2006).
\3\ See 78 FR 3972 (Jan. 17, 2013).
---------------------------------------------------------------------------
In this document, the Commission poses its standard regulatory
review questions to determine whether the Rule should be retained,
eliminated, or modified. The Commission also asks whether the 2013
revisions to the Rule have resulted in stronger protections for
children and more meaningful parental control over the collection of
personal information from children, and whether the revisions have had
any negative consequences. It further poses specific questions about
the existing sections of the Rule, including:
Definitions,
Requirement that operators post notices of their privacy
practices,
Methods of obtaining verifiable parental consent before
collecting children's information,
Security requirements,
Parental right to review or delete children's information,
and
Safe harbor provisions.
In addition to these questions, the Commission seeks comment on the
application of the Rule to the educational technology sector, voice-
enabled connected devices, and general audience platforms that host
child-directed third-party content. Specifically, the Commission
requests comment on whether exceptions to parental consent are
warranted for: (1) The use of education technology where the school
provides consent for the collection of personal information from the
child (see Question 23); or (2) the collection of audio files as a
replacement for text, where the audio files are promptly deleted (see
Question 24), in line with the enforcement policy statement issued by
the Commission.\4\
---------------------------------------------------------------------------
\4\ See Enforcement Policy Statement Regarding the Applicability
of the COPPA Rule to the Collection and Use of Voice Recordings, 82
FR 58076 (Dec. 8, 2017).
---------------------------------------------------------------------------
Additionally, the Commission seeks comment on whether there are
circumstances in which general audience platforms with third-party,
child-directed content should be able to rebut the presumption that all
users interacting with that content are children (see Question 25). If
allowed to rebut this presumption, operators of general audience
platforms could, in certain circumstances, collect personal information
from users on their sites that they determine are age 13 or older.
Finally, the Commission seeks comment on whether the COPPA Rule
should be amended to better address websites and online services that
may not meet the current definition of ``website or online service
directed to children,'' but that have large number of child users (see
Question 15). For example, should the definition of ``website or online
service directed to children'' be amended, consistent with the statute,
to cover these types of websites and, if so, what type of changes would
be required? Are there other proposed amendments, consistent with the
statute, for the Commission to consider to ensure children using these
sites and services receive COPPA protections?
III. Questions Regarding the COPPA Rule
The Commission invites members of the public to comment on any
issues or concerns they believe are relevant or appropriate to the
Commission's review of the COPPA Rule, and to submit written data,
views, facts, and arguments addressing the Rule. All comments should be
filed as prescribed in the ADDRESSES section of this document, and must
be received by October 23, 2019. If your comment proposes any
modifications to the Rule, please also address whether your proposed
modification may conflict with the statutory provisions of COPPA and,
if so, whether you propose seeking legislative changes to the Act. The
Commission is particularly interested in comments addressing the
following questions:
A. General Questions for Comment
1. Is there a continuing need for the Rule as currently
promulgated? Why or why not?
a. Since the Rule was issued, have changes in technology, industry,
or economic conditions affected the need for or effectiveness of the
Rule?
b. What are the aggregate costs and benefits of the Rule?
c. Does the Rule include any provisions not mandated by the Act
that are unnecessary or whose costs outweigh their benefits? If so,
which ones and why?
2. What effect, if any, has the Rule had on children, parents, or
other consumers?
a. Has the Rule benefited children, parents, or other consumers? If
so, how?
b. Has the Rule imposed any costs on children, parents, or other
consumers? If so, what are these costs?
c. What changes, if any, should be made to the Rule to increase its
benefits, consistent with the Act's requirements? What costs would
these changes impose?
3. What impact, if any, has the Rule had on operators?
a. Has the Rule provided benefits to operators? If so, what are
these benefits?
b. Has the Rule imposed costs on operators, including costs of
compliance in time or monetary expenditures? If so, what are these
costs?
c. What changes, if any, should be made to the Rule to reduce the
costs imposed on operators, consistent with the Act's requirements? How
would these changes affect the Rule's benefits?
[[Page 35844]]
4. How many small businesses are subject to the Rule? What costs
(types and amounts) do small businesses incur in complying with the
Rule? How has the Rule otherwise affected operators that are small
businesses? Have the costs or benefits of the Rule changed over time
with respect to small businesses? What about small businesses that
control and process large sets of data? What regulatory alternatives,
if any, would decrease the Rule's burden on small businesses,
consistent with the Act's requirements?
5. Does the Rule overlap or conflict with any other federal, state,
or local government laws or regulations? How should these overlaps or
conflicts be resolved, consistent with the Act's requirements?
a. Are there any unnecessary regulatory burdens created by
overlapping jurisdiction? If so, what can be done to ease the burdens,
consistent with the Act's requirements?
b. Are there any gaps where no federal, state, or local government
law or regulation has addressed a problematic practice relating to
children's online privacy? Could or should any such gaps be remedied by
a modification to the Rule?
6. Has the Rule affected practices relating to the collection and
disclosure of information relating to children online? If so, how?
7. Has the Rule affected children's ability to access information
of their choice online? If so, how?
8. Has the Rule affected the availability of websites or online
services directed to children? If so, how?
a. Has the number or type of websites or online services directed
to children changed since the Rule became effective? If so, how? Did
the Rule cause these changes?
b. Approximately how many new websites and online services are
created each year that are directed to children?
B. Definitions
9. Do the definitions set forth in Sec. 312.2 of the Rule
accomplish COPPA's goal of protecting children's online privacy and
safety?
10. Are the definitions in Sec. 312.2 clear and appropriate? If
not, how can they be improved, consistent with the Act's requirements?
11. The 2013 COPPA Rule amendments made several modifications to
the definitions under the Rule, including to the terms ``Collects or
collection,'' ``Online contact information,'' ``Operator,'' ``Personal
information,'' ``Support for the internal operations of the website or
online service,'' and ``website or online service directed to
children.'' Have these revised definitions resulted in stronger
protections for children's online privacy and safety? Have they had any
negative consequences that require revision?
12. The 2013 revised COPPA Rule amended the definition of
``Personal information'' to include, among other items, a ``persistent
identifier that can be used to recognize a user over time and across
different websites or online services.'' Has this revision resulted in
stronger privacy protection for children? Has it had any negative
consequences?
13. Should the Commission consider further revision to the
definition of ``Personal information''? Are there additional categories
of information that should be expressly included in this definition,
such as genetic data, fingerprints, retinal patterns, or other
biometric data? What about personal information that is inferred about,
but not directly collected from, children? What about other data that
serve as proxies for personal information covered under this
definition? Does this type of information permit the physical or online
contacting of a specific individual?
14. Should the definition of ``Support for the internal operations
of the website or online service'' be modified? Are there practices in
addition to behavioral targeting and profiling that should be expressly
excluded from the definition? Should additional activities be expressly
permitted under the definition? For example, should the definition
expressly include advertising attribution? Advertising attribution is
the method used to determine whether a particular advertisement led the
user to take a particular step, such as downloading an app.
15. Does Sec. 312.2 correctly articulate the factors to consider
in determining whether a website or online service is directed to
children? Do any of the current factors need to be clarified? Are there
additional factors that should be considered? For example, should the
definition be amended, consistent with the statute, to better address
websites and online services that do not include traditionally child-
oriented activities, but that have large numbers of child users? If so,
what types of changes to the definition should be considered? Are there
other proposed amendments, consistent with the statute, for the
Commission to consider to ensure children using these types of websites
and online services receive COPPA protections?
16. Has the 2013 addition, found in part (3) of the definition of
``website or online service directed to children,'' which permits those
sites that do not target children as their primary audience to age
screen users, resulted in stronger protections for children's privacy?
Should the Rule be more specific about the appropriate methods for
determining the age of users?
17. What are the implications for COPPA enforcement raised by
technologies such as interactive television, interactive gaming,
chatbots, or other similar interactive media?
C. Notice
18. Section 312.4 of the Rule sets out the requirements for the
content and delivery of operators' notices of their information
practices with regard to children.
a. Are the requirements in this Section clear and appropriate? If
not, how can they be improved? Should the Rule, for example, more
clearly state that an operator's direct notice should include not just
the types of personal information collected, but also how the operator
intends to use the personal information that is collected? Should the
Rule require the notice to include information about the categories of
third parties, such as advertisers, that may make use of the
information collected? The Rule's direct notice requirement found in
Sec. 312.4(c) presupposes that the operator has collected the parent's
online contact information. Should the Rule more clearly state the
content of direct notices where the operator does not collect a
parent's online contact information?
b. Should the notice requirements be clarified or modified in any
way to reflect changes in the types or uses of children's information
collected by operators or changes in communications options available
between operators and parents?
D. Parental Consent
19. Section 312.5 of the Rule requires operators to obtain
verifiable parental consent before collecting, using, or disclosing
personal information from children, including consent to any material
change to practices to which the parent previously consented. This
Section further requires operators to make reasonable efforts to obtain
this consent, and the efforts must be reasonably calculated to ensure
that the person providing consent is the child's parent, taking into
consideration available technology.
a. Has the consent requirement been effective in protecting
children's online privacy and safety?
b. What data exist on: (1) Operators' use of parental consent
mechanisms; (2)
[[Page 35845]]
parents' awareness of the Rule's parental consent requirements; or (3)
parents' response to operators' parental consent requests?
20. Section 312.5(b)(2) of the Rule provides a non-exhaustive list
of approved methods to obtain verifiable parental consent, including:
Providing a consent form to be signed by the parent and returned to the
operator; requiring a parent to use a credit card, debit card, or other
online payment system in connection with a monetary transaction; having
a parent call a toll-free number staffed by trained personnel; having a
parent connect to trained personnel via video-conference; and verifying
a parent's identity by checking a form of government-issued
identification against databases of such information. In addition,
pursuant to the process set forth in Sec. 312.12(a), the Commission
has approved the use of knowledge-based authentication \5\ and facial
recognition technology.\6\ Section 312.5(b)(2) also sets forth a
mechanism that operators can use to obtain verifiable parental consent
for uses of information other than ``disclosures'' (the ``email plus
mechanism''). The email plus mechanism permits the use of an email
coupled with additional steps to provide assurances that the person
providing consent is the parent, including sending a confirmatory email
to the parent following receipt of consent or obtaining a postal
address or telephone number from the parent and confirming the parent's
consent by letter or telephone call.
---------------------------------------------------------------------------
\5\ See Letter to Imperium, LLC (Dec. 23, 2013), https://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-grants-approval-new-coppa-verifiable-parental-consent-method/131223imperiumcoppa-app.pdf.
\6\ See Letter to Jest8 Limited (Trading as Riyo) (Nov. 18,
2015), https://www.ftc.gov/system/files/documents/public_statements/881633/151119riyocoppaletter.pdf.
---------------------------------------------------------------------------
a. To what extent are operators using each of the enumerated
methods? Please provide as much specific data as possible, including
the costs and benefits associated with each method described.
b. Are there additional methods to obtain verifiable parental
consent, based on current or emerging technological changes, which
should be added to Sec. 312.5 of the Rule? What are the costs and
benefits of these additional methods?
c. Should any of the currently enumerated methods to obtain
verifiable parental consent be removed from the Rule? If so, please
explain which one(s) and why.
d. Should the Commission consider any changes to the Rule to
encourage the development of new methods of parental consent?
E. Exceptions to Verifiable Parental Consent
21. COPPA and Sec. 312.5(c) of the Rule set forth eight exceptions
to the prior parental consent requirement. Are the exceptions in Sec.
312.5(c) clear and appropriate? If not, how can they be improved,
consistent with the Act's requirements?
22. Should the Commission consider additional exceptions to
parental consent, consistent with the Act's requirements?
23. In the Statement of Basis and Purpose to the 1999 COPPA Rule,
the Commission noted that the Rule ``does not preclude schools from
acting as intermediaries between operators and schools in the notice
and consent process, or from serving as the parents' agent in the
process.'' \7\ Since that time, there has been a significant expansion
of education technology used in classrooms. Should the Commission
consider a specific exception to parental consent for the use of
education technology used in the schools? Should this exception have
similar requirements to the ``school official exception'' found in the
Family Educational Rights and Privacy Act (``FERPA''),\8\ and as
described in Protecting Student Privacy While Using Online Educational
Services: Requirements and Best Practices? \9\ If the Commission were
to amend the COPPA Rule to include such an exception:
---------------------------------------------------------------------------
\7\ 65 FR 59888, 59903 (Nov. 3, 1999).
\8\ Such requirements would, for example: Prohibit operators
from using personal information without the school official's
consent; limit operators' use of information to the specified
educational purpose and no other commercial purpose; ensure that the
school maintains control of the information, including the right to
review, correct, and delete the information; and prohibit operators
from disclosing the information to third parties.
\9\ See U.S. Department of Education, Privacy Technical
Assistance Center, Protecting Student Privacy While Using Online
Educational Services: Requirements and Best Practices, https://tech.ed.gov/wp-content/uploads/2014/09/Student-Privacy-and-Online-Educational-Services-February-2014.pdf (2014).
---------------------------------------------------------------------------
a. Should the Rule specify who at the school can provide consent?
b. Should operators be able to use the personal information
collected from children to improve the product? Should operators be
able to use the personal information collected from children to improve
other educational or non-educational products? Should de-identification
of the personal information be required for such uses? Is de-
identification of such personal information effective at preventing re-
identification? What kinds of specific technical, administrative,
operational or other procedural safeguards have proved effective at
preventing re-identification of de-identified data? Are there instances
in which de-identified information has been sold or hacked and then re-
identified?
c. Should parents be able to request deletion of personal
information collected by operators under such an exception?
d. Should an operator require the school to notify the parent of
the operator's information practices and, if so, how should the school
provide such notice?
e. Should such an exception result in a preemption of state laws?
If so, would that result negatively affect children's privacy?
f. Should the scope of the school's authority to consent be limited
to defined educational purposes? Should such purposes be defined, and
if so, how? Should operators seeking consent in the school setting be
prohibited from using information for particular purposes, such as
marketing to students or parents?
24. In 2017, the Commission issued an enforcement policy statement
addressing the use of audio files containing a child's voice.\10\ The
Commission explained that it would not take an enforcement action
against an operator for not obtaining parental consent before
collecting an audio file with a child's voice when the audio file is
collected solely as a replacement for written words, such as to perform
a search, so long as the audio file is held for a brief time and used
only for that purpose. Should the Commission amend the Rule to
specifically include such an exception? If the Commission were to
include such an exception, should an operator be able to de-identify
these audio files and use them to improve its products? If so, for how
long should operators be permitted to retain such de-identified audio
files? Is de-identification of audio files effective at preventing re-
identification? Are there specific technical, administrative,
operational or other procedural safeguards that have proved effective
at preventing re-identification of de-identified data? Are there
instances in which de-identified information has been sold or hacked
and then re-identified?
---------------------------------------------------------------------------
\10\ See Enforcement Policy Statement Regarding the
Applicability of the COPPA Rule to the Collection and Use of Voice
Recordings, 82 FR 58076 (Dec. 8, 2017).
---------------------------------------------------------------------------
25. In some circumstances, operators of general audience platforms
do not
[[Page 35846]]
have COPPA liability for their collection of personal information from
users of child-directed content on their platform uploaded by third
parties, absent the platforms' actual knowledge that the content is
directed to children. Operators of such platforms therefore may have an
incentive to avoid gaining actual knowledge of the presence of child-
directed content on their platform. To encourage such platforms to take
steps to identify and police child-directed content uploaded by others,
should the Commission make modifications to the COPPA Rule? For
example, should such platforms that identify and police child-directed
content be able to rebut the presumption that all users of the child-
directed third-party content are children thereby allowing the platform
to treat under and over age 13 users differently? \11\ Given that most
users of a general audience platform are adults, there may be a greater
likelihood that adults are viewing or interacting with child-directed
content than on traditional child-directed sites. In considering this
issue, the Commission specifically requests comment on the following:
---------------------------------------------------------------------------
\11\ See 78 FR 3972, 3984 (Jan. 17, 2013) (``The Commission
retains its longstanding position that child-directed sites or
services whose primary target audience is children must continue to
presume all users are children and to provide COPPA protections
accordingly.'').
---------------------------------------------------------------------------
a. Would allowing these types of general audience platforms to
treat over and under age 13 users differently encourage them to take
affirmative steps to identify child-directed content generated by third
parties and treat it in accordance with COPPA?
b. Would allowing such a rebuttal of the presumption that all users
are children in this context require a Rule change? If so, would such a
Rule change be consistent with the Act?
c. If the Commission were to allow such a rebuttal of the
presumption that all users of this content are children, what factors
should it consider in determining whether the presumption has been
rebutted? What methods could a general audience platform use to
effectively rebut the presumption that all users of the third-party
child-directed content are children?
d. Could a general audience platform hosting third-party, child-
directed content effectively rebut this presumption by doing the
following:
i. Taking measures reasonably calculated to identify child-directed
content generated by third parties for commercial purposes;
ii. Permitting users that identify themselves through a neutral age
gate to create an account on the platform;
iii. Taking measures reasonably calculated, in light of available
technology, to ensure that if personal information is to be collected
from a user accessing child-directed content, the user is the person
who created an account and identified as being 13 or older, and not a
child in the household, such as through periodic authentication; and
iv. Providing clear and conspicuous notice at the time the user is
interacting with child-directed content of its information collection
practices, and separately communicating those information practices
through out-of-band notices, such as through online contact information
provided as part of the account creation process?
The Commission seeks comment on whether these measures, or any
others, could effectively rebut the presumption that all users of this
child-directed content are children, and also on the ways in which an
operator could implement these measures.
e. What, if any, risk is presented by permitting general audience
sites to rebut the presumption that all users of child-directed content
are children? Would it prove challenging to reliably distinguish
between a parent and a child who accesses content while logged in to a
parent's account? In considering whether to permit general audience
sites to rebut the presumption, should the Commission consider costs
and benefits unrelated to privacy, such as whether children may be
exposed to age-inappropriate content if they are treated as an adult?
F. Right of a Parent To Review or Have Personal Information Deleted
26. Section 312.6(a) of the Rule requires operators to give
parents, upon their request: (1) A description of the specific types of
personal information collected from children; (2) the opportunity to
refuse to permit the further use or collection of personal information
from the child and to direct the deletion of the information; and (3) a
means of reviewing any personal information collected from the child.
In the case of a parent who wishes to review the personal information
collected from the child, Sec. 312.6(a)(3) of the Rule requires
operators to provide a means of review that ensures that the requestor
is a parent of that child (taking into account available technology)
and is not unduly burdensome to the parent.
a. To what extent are parents exercising their rights under Sec.
312.6(a)(1) to obtain from operators a description of the specific
types of personal information collected from children?
b. To what extent are parents exercising their rights under Sec.
312.6(a)(2) to refuse to permit the further use or collection of
personal information from the child and to direct the deletion of the
information?
c. To what extent are parents exercising their rights under Sec.
312.6(a)(3) to review any personal information collected from the
child?
d. Do the costs and burdens to operators or parents differ
depending on whether a parent seeks a description of the information
collected, access to the child's information, or to have the child's
information deleted?
e. Is it difficult for operators to ensure, taking into account
available technology, that a requester seeking to review the personal
information collected from a child is a parent of that child?
f. Do operators use different processes or procedures to respond to
parents who exercise rights under Sec. 312.6(a)? Which processes or
procedures are easiest for parents to use? Which are the most
difficult? Do any mechanisms exist to facilitate the exercise of these
rights with more than one operator at a time?
g. Where operators serve as service providers to schools, should
parents be able to request the operators to delete personal information
collected by them that are education records, such as grades or test
scores?
h. Are the requirements of Sec. 312.6 clear and appropriate? If
not, how can they be improved, consistent with the Act's requirements?
G. Prohibition Against Conditioning a Child's Participation on
Collection of Personal Information
27. COPPA and Sec. 312.7 of the Rule prohibit operators from
conditioning a child's participation in an activity on disclosing more
personal information than is reasonably necessary to participate in
such activity.
a. Do operators take this requirement into account when shaping
their online offerings to children?
b. Has the prohibition been effective in protecting children's
online privacy and safety?
c. Is Sec. 312.7 of the Rule clear and appropriate? If not, how
could it be improved, consistent with the Act's requirements?
H. Confidentiality, Security, and Integrity of Personal Information
28. Section 312.8 of the Rule requires operators to establish and
maintain reasonable procedures to protect the confidentiality,
security, and integrity of personal information collected from a child,
and to release children's personal
[[Page 35847]]
information only to service providers and third parties who are capable
of maintaining the confidentiality, security, and integrity of the
personal information, and who provide assurances that they will do so.
a. Have operators implemented sufficient safeguards to protect the
confidentiality, security, and integrity of personal information
collected from a child?
b. Is Sec. 312.8 of the Rule clear and adequate? If not, how could
it be improved, consistent with the Act's requirements? Should the Rule
include more specific information security requirements, for example to
require encryption of certain personal information?
I. Safe Harbors
29. Section 312.11(g) of the Rule provides that an operator will be
deemed in compliance with the Rule's requirements if the operator
complies with Commission-approved self-regulatory guidelines (the
``safe harbor'' process).
a. Has the safe harbor process been effective in enhancing
compliance with the Rule?
b. Should the criteria for Commission approval of a safe harbor
program currently enumerated in Sec. 312.11(b) be modified in any way?
To what extent should the Commission consider the financial structure
and incentives of organizations operating safe harbors? Is there any
evidence that the corporate structure of a safe harbor program impacts
its effectiveness? Should the Commission consider applying any
restrictions on the types of organizations that may operate safe
harbors?
c. Should Sec. 312.11(g) of the Rule, regarding the Commission's
discretion to initiate an investigation or bring an enforcement action
against an operator participating in a safe harbor program, be
clarified or modified in any way?
d. Should any other changes be made to the criteria for approval of
self-regulatory guidelines, consistent with the Act's requirements?
e. Should the Commission consider any changes to the safe harbor
monitoring process, including any changes to promote greater
transparency?
f. Should the Rule include factors for the Commission to consider
in revoking approval for a safe harbor program?
IV. Request for Comment
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before October 23,
2019. Write ``COPPA Rule Review, 16 CFR part 312, Project No.
P195404,'' on the comment. Your comment, including your name and your
state, will be placed on the public record of this proceeding,
including, to the extent practicable, on the https://www.regulations.gov website.
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comment online. To make sure that the Commission considers your
online comment, you must file it at https://www.regulations.gov by
following the instructions on the web-based form.
If you file your comment on paper, write ``COPPA Rule Review, 16
CFR part 312, Project No. P195404,'' on your comment and on the
envelope, and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite
CC-5610 (Annex B), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex
B), Washington, DC 20024. If possible, please submit your paper comment
to the Commission by courier or overnight service.
Because your comments will be placed on the publicly accessible
website, https://www.regulations.gov, you are solely responsible for
making sure that your comment does not include any sensitive personal
information, such as your or anyone else's Social Security number, date
of birth, driver's license number or other state identification number
or foreign country equivalent, passport number, financial account
number, or credit or debit card number. You are also solely responsible
for making sure that your comment does not include any sensitive health
information, such as medical records or other individually identifiable
health information. In addition, your comment should not include any
``[t]rade secret or any commercial or financial information which . . .
is privileged or confidential''--as provided in Section 6(f) of the
Federal Trade Commission Act (``FTC Act''), 15 U.S.C. 46(f), and FTC
Rule 4.10(a)(2), 16 CFR 4.10(a)(2)--including in particular
competitively sensitive information such as costs, sales statistics,
inventories, formulas, patterns, devices, manufacturing processes, or
customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request, and
must identify the specific portions of the comments to be withheld from
the public record. Your comment will be kept confidential only if the
FTC General Counsel grants your request in accordance with the law and
the public interest. Once your comment has been posted publicly at
www.regulations.gov--as legally required by FTC Rule 4.9(c)--we cannot
redact or remove your comment from the FTC website, unless you submit a
confidentiality request that meets the requirements for such treatment
under FTC Rule 4.9(c), and the General Counsel grants the request.
Visit the FTC website to read this Notice and the news release
describing it. The FTC Act and other laws that the Commission
administers permit the collection of public comments to consider and
use in this proceeding as appropriate. The Commission will consider all
timely and responsive public comments that it receives on or before
October 23, 2019. For information on the Commission's privacy policy,
including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2019-15754 Filed 7-24-19; 8:45 am]
BILLING CODE 6750-01-P
