[Federal Register Volume 64, Number 212 (Wednesday, November 3, 1999)]
[Rules and Regulations]
[Pages 59888-59915]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-27740]



[[Page 59887]]

_______________________________________________________________________

Part III





Federal Trade Commission





_______________________________________________________________________



16 CFR Part 312



Children's Online Privacy Protection Rule; Final Rule

  Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / 
Rules and Regulations  

[[Page 59888]]



FEDERAL TRADE COMMISSION

16 CFR Part 312

RIN 3084-AA84


Children's Online Privacy Protection Rule 

AGENCY: Federal Trade Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission issues its final Rule pursuant to 
the Children's Online Privacy Protection Act of 1998 (``COPPA'' or 
``the Act''). Section 6502 of the Act requires the Commission to enact 
rules governing the online collection of personal information from 
children under 13 within one year of the date of the enactment of the 
COPPA, October 21, 1998.

DATES: The rule will become effective on April 21, 2000.

ADDRESSES: Requests for copies of the Rule and the Statement of Basis 
and Purpose should be sent to Public Reference Branch, Room 130, 
Federal Trade Commission, 6th Street and Pennsylvania Avenue, N.W., 
Washington, D.C. 20580. Copies of these documents are also available at 
the Commission's website, <www.ftc.gov>.

FOR FURTHER INFORMATION CONTACT: Division of Advertising Practices: 
Toby Milgrom Levin (202) 326-3156, Loren G. Thompson (202) 326-2049, or 
Abbe Goldstein (202) 326-3423, Federal Trade Commission, 6th Street and 
Pennsylvania Avenue, N.W., Washington, D.C. 20580.

SUPPLEMENTARY INFORMATION: The Rule implements the requirements of the 
COPPA by requiring operators of websites or online services directed to 
children and operators of websites or online services who have actual 
knowledge that the person from whom they seek information is a child 
(1) to post prominent links on their websites to a notice of how they 
collect, use, and/or disclose personal information from children; (2) 
with certain exceptions, to notify parents that they wish to collect 
information from their children and obtain parental consent prior to 
collecting, using, and/or disclosing such information; (3) not to 
condition a child's participation in online activities on the provision 
of more personal information than is reasonably necessary to 
participate in the activity; (4) to allow parents the opportunity to 
review and/or have their children's information deleted from the 
operator's database and to prohibit further collection from the child; 
and (5) to establish procedures to protect the confidentiality, 
security, and integrity of personal information they collect from 
children. As directed by the COPPA, the Rule also provides a safe 
harbor for operators following Commission-approved self-regulatory 
guidelines.

Statement of Basis and Purpose

I. Introduction

    Congress enacted the COPPA to prohibit unfair or deceptive acts or 
practices in connection with the collection, use, or disclosure of 
personally identifiable information from and about children on the 
Internet.\1\
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 6501-6505.
---------------------------------------------------------------------------

    Section 6502(b)(1) of the Act sets forth a series of general 
privacy protections to prevent unfair or deceptive online information 
collection from or about children, and directs the Commission to adopt 
regulations to implement those protections. The Act requires operators 
of websites directed to children and operators who knowingly collect 
personal information from children to: (1) Provide parents notice of 
their information practices; (2) obtain prior verifiable parental 
consent for the collection, use, and/or disclosure of personal 
information from children (with certain limited exceptions for the 
collection of ``online contact information,'' e.g., an e-mail address); 
(3) provide a parent, upon request, with the means to review the 
personal information collected from his/her child; (4) provide a parent 
with the opportunity to prevent the further use of personal information 
that has already been collected, or the future collection of personal 
information from that child; (5) limit collection of personal 
information for a child's online participation in a game, prize offer, 
or other activity to information that is reasonably necessary for the 
activity; and (6) establish and maintain reasonable procedures to 
protect the confidentiality, security, and integrity of the personal 
information collected.\2\
---------------------------------------------------------------------------

    \2\ 15 U.S.C. 6502(b)(1).
---------------------------------------------------------------------------

    The COPPA authorizes the Commission to bring enforcement actions 
for violations of the Rule in the same manner as for other rules 
defining unfair or deceptive acts or practices under section 5 of the 
Federal Trade Commission Act.\3\ In addition, section 6504 of the COPPA 
authorizes state attorneys general to enforce compliance with the final 
Rule by filing actions in federal court after serving prior written 
notice upon the Commission when feasible.\4\
---------------------------------------------------------------------------

    \3\ Section 6502(c) of the Act provides that the Rule shall be 
treated as a rule issued under Sec. 18(a)(1)(B) of the FTC Act (15 
U.S.C. 57a (a)(1)(B)).
    \4\ 15 U.S.C. 6504.
---------------------------------------------------------------------------

    The Commission published a Notice of Proposed Rulemaking and 
Request for Public Comment (``NPR'') in the Federal Register on April 
27, 1999,\5\ and the 45-day comment period closed on June 11, 1999. The 
Commission received 132 comments from a wide array of interested 
parties, all of which were extremely informative and which the 
Commission has considered in crafting the final Rule. The commenters 
included private individuals; companies operating Internet sites or 
businesses; public interest organizations; marketing and advertising 
trade groups; library, school, and other educational organizations; 
Federal government entities; State Attorneys General; publishers and 
publishing trade groups; Internet service providers; and organizations 
sponsoring Internet privacy seal programs.
---------------------------------------------------------------------------

    \5\ 64 FR 22750 (Apr. 27, 1999) (to be codified at 16 CFR pt. 
312).
---------------------------------------------------------------------------

    Because of particular interest among commenters in the issue of how 
to obtain verifiable parental consent under the Rule, Commission staff 
conducted a public workshop on that issue on July 20, 1999, to obtain 
additional information and learn more about the views expressed.\6\ The 
32 panelists at the workshop included representatives from industry 
(including website operators and technology companies), as well as 
privacy advocates, consumer groups, and representatives of other 
government agencies. Approximately 100 other parties also attended the 
workshop. Panelists discussed methods of obtaining verifiable parental 
consent that are currently in use; whether and how e-mail could be used 
to obtain verifiable parental consent; and technologies or methods that 
are under development that could be used in the future to obtain 
verifiable parental consent. Workshop attendees were invited to comment 
during question and answer sessions. The proceeding was transcribed, 
and the transcript was placed on the public record.\7\ In addition, the 
Commission accepted further public comment on issues raised at the 
workshop. The workshop

[[Page 59889]]

comment period, which ended on July 30, 1999, yielded 14 comments.\8\
---------------------------------------------------------------------------

    \6\ 64 FR 34595 (June 28, 1999) (announcement of the public 
workshop).
    \7\ The transcript and all of the comments received in the 
course of this proceeding appear on the FTC's website at 
<www.ftc.gov>. References to the workshop transcript are cited as 
``Speaker/affiliation (Workshop Tr. at ____)'' followed by the 
appropriate page designation. Initial references to the comments are 
cited as ``Name of commenter (Comment or Workshop comment number) at 
(page number).''
    \8\ On July 27, 1999, the Commission also issued an Initial 
Regulatory Flexibility Analysis (``IRFA'') under the Regulatory 
Flexibility Act, 64 FR 40525. The IRFA focused on the impact of the 
proposed Rule on small businesses and sought additional public 
comment on that issue. This final comment period closed on August 6, 
1999. Five comments were received. These comments are cited as 
``Name of commenter (IRFA comment number) at (page number).''
---------------------------------------------------------------------------

    In drafting this final Rule, the Commission has taken very 
seriously the concerns expressed about maintaining children's access to 
the Internet, preserving the interactivity of the medium, and 
minimizing the potential burdens of compliance on companies, parents, 
and children. The Commission believes that the final Rule strikes the 
appropriate balance between these concerns and the Act's goals of 
protecting children's information in the online environment. It looks 
forward to continuing to work with industry, consumer groups, and 
parents to ensure widespread compliance in as efficient a manner as 
possible, to educate the public about online privacy protections, and 
to assess the Rule's effectiveness on a periodic basis.\9\
---------------------------------------------------------------------------

    \9\ Shortly after issuing this final Rule, the Commission plans 
to develop and distribute educational materials to assist businesses 
in complying with the Rule and to inform parents of the protections 
provided by the COPPA.
---------------------------------------------------------------------------

II. The Rule

    As noted above, the Commission published the proposed Rule and 
accompanying analysis in the Federal Register in April 1999. Unless 
specifically modified herein, all of the analysis accompanying the 
proposed Rule in the NPR is adopted and incorporated into this 
Statement of Basis and Purpose for the final Rule.

A. Section 312.2: Definitions

    Section 312.2 of the proposed Rule included definitions of a number 
of key terms.\10\ The Commission sought comment as to whether these 
definitions were clear, comprehensive, flexible, and appropriate.\11\ 
In the Rule, the Commission has modified the definitions of four of 
these terms: ``collects or collection,'' ``disclosure,'' ``personal 
information,'' and ``third party.'' All other definitions have been 
adopted without change.
---------------------------------------------------------------------------

    \10\ 64 FR at 22751-53, 22763-64.
    \11\ 64 FR at 22761.
---------------------------------------------------------------------------

1. Definition of ``Child''
    In the proposed Rule, the Commission adopted the statutory 
definition of ``child'' as ``an individual under the age of 13.'' \12\ 
The Commission received only one comment on this issue, which supported 
the definition.\13\ Thus, the final Rule retains the statutory 
definition.
---------------------------------------------------------------------------

    \12\ COPPA, 15 U.S.C. 6501(1). See 64 FR at 22751, 22763.
    \13\ American Psychological Association (``APA'') (Comment 106) 
at 1.
---------------------------------------------------------------------------

    2. Definition of ``Collects or Collection''
    The proposed Rule defined ``collects or collection'' to include 
``the direct or passive gathering of any personal information from a 
child by any means, including but not limited to: (a) [a]ny online 
request for personal information by the operator regardless of how that 
personal information is transmitted to the operator; (b) [c]ollection 
using a chat room, message board, or other public posting of such 
information on a website or online service; or (c) [p]assive tracking 
or use of any identifying code linked to an individual, such as a 
cookie.'' \14\ The term was meant to encompass the many ways that 
website operators could gather information from children.
---------------------------------------------------------------------------

    \14\ 64 FR at 22751, 22763.
---------------------------------------------------------------------------

    Responsive comments contended that subparagraph (a) swept within 
the proposed Rule information requested online but submitted offline 
that was clearly meant to be excluded under the COPPA.\15\ These 
comments also noted that it would be burdensome to require a business 
that solicits the same information from children in a number of ways, 
including through the Internet, to determine the source of the request 
in order to provide the required parental notice and seek consent for 
information submitted online.
---------------------------------------------------------------------------

    \15\ See generally, Direct Marketing Ass'n (``DMA'') (Comment 
89) at 31-32; Kraft Foods, Inc. (``Kraft'') (Comment 67) at 2-3; 
Council of Better Business Bureaus, Inc. (``CBBB'') (Comment 91) at 
4; Viacom, Inc. (``Viacom'') (Comment 79) at 4-5; Time Warner, Inc. 
(``Time Warner'') (Comment 78) at 6-7; Magazine Publishers of 
America (``MPA'') (Comment 113) at 2. These comments pointed out 
that the COPPA covers the collection of personal information, which 
is defined in the statute as ``individually identifiable information 
about an individual collected online. * * *'' 15 U.S.C. 6501(8). 
Commenters also noted that the Floor Statement accompanying the Act 
states ``[t]his is an online children's privacy bill, and its reach 
is limited to information collected online from a child.'' 144 Cong. 
Rec. S11657 (daily ed. Oct. 7, 1998) (Statement of Sen. Bryan).
---------------------------------------------------------------------------

    The Commission is persuaded that the Congress intended the COPPA to 
apply only to information collected online by an operator. Therefore, 
based on the written comments, subparagraph (a) of the definition of 
collects or collection has been modified to cover any request by the 
operator that children submit information online.\16\
---------------------------------------------------------------------------

    \16\ If, however, an operator combines in one database 
information collected offline with information collected online such 
that the operator cannot determine the source of the information, 
the operator will be required to disclose all of that data in 
response to a parent's request under section 312.6 of the Rule. See 
Section II.E, infra.
---------------------------------------------------------------------------

    Other commenters were concerned that including public postings in 
the definition of ``collects or collection'' would confer liability on 
operators of general audience (i.e., non-child-directed) chat sites for 
unsolicited postings by children.\17\ The Commission believes that 
these concerns are legitimate, and therefore the Rule now provides that 
such sites would only be liable if they (1) have actual knowledge that 
postings are being made by a child under 13, and (2) when they have 
such knowledge, fail to delete any personal information before it is 
made public, and also to delete it from their records.
---------------------------------------------------------------------------

    \17\ ZapMe! Corp. (``ZapMe!'') (Comment 76) at 7; Talk City, 
Inc. (``Talk City'') (Comment 110) at 2. See also Promotion 
Marketing Ass'n. (``PMA'') (Comment 107) at 3.
---------------------------------------------------------------------------

    For general audience sites, the Act explicitly covers operators who 
have actual knowledge that they are collecting personal information 
from children.\18\ Therefore, the operator of a general audience chat 
site who has actual knowledge that a child is posting personal 
information on the site must provide notice and obtain verifiable 
parental consent if the child is to continue to post such information 
in that site's chat room.\19\ In most cases, if the operator does not 
monitor the chat room, the operator likely will not have the requisite 
knowledge under the Act. However, where the operator does monitor the 
chat room, the Commission has amended the Rule so that, if the operator 
strips any posting of individually identifiable information before it 
is made public (and deletes it from the operator's records), that 
operator will not be deemed to have collected the child's personal 
information.\20\
---------------------------------------------------------------------------

    \18\ 15 U.S.C. 6502(a)(1). See also Rule section 312.3.
    \19\ Operators of sites directed to children that provide chat 
rooms and bulletin boards and who do not delete personally 
identifiable information from postings before they are made public 
must always provide notice and obtain parental consent as provided 
by the Rule.
    \20\ This amendment applies both to operators of websites 
directed to children and to websites with actual knowledge that 
information is being collected from a child. Because an operator who 
deletes such information will not be deemed to have ``collected'' 
it, that operator also will not have ``disclosed'' that information 
under the Rule.
---------------------------------------------------------------------------

    One group of commenters stated that requiring operators to get 
parental consent in order for a child to participate in a chat room 
would violate the child's First Amendment right to free speech.\21\ 
These commenters also

[[Page 59890]]

asserted that the Commission's proposal went beyond what Congress 
intended with this legislation.\22\ Congress, however, specifically 
included such postings in the COPPA on the grounds that children could 
be placed at risk in such fora, noting that one of the Act's goals was 
``to enhance parental involvement to help protect the safety of 
children in online fora such as chatrooms, home pages, and pen-pal 
services in which children may make public postings of identifying 
information.'' \23\ As noted in the Commission's June 1998 report to 
Congress, children's use of chat rooms and bulletin boards that are 
accessible to all online users present the most serious safety risks, 
because it enables them to communicate freely with strangers.\24\ 
Indeed, an investigation conducted by the FBI and the Justice 
Department revealed that these services are quickly becoming the most 
common resources used by predators for identifying and contacting 
children.\25\ Commenters also generally acknowledged that these are 
among the most sensitive online activities.\26\
---------------------------------------------------------------------------

    \21\ Center for Democracy and Technology, American Civil 
Liberties Union, American Library Association (``CDT, et al.'') 
(Workshop comment 11) at 2-4.
    \22\ Id.
    \23\ 144 Cong. Rec. S11657 (Statement of Sen. Bryan).
    \24\ Privacy Online: A Report to Congress at 5 (June 1998).
    \25\ Id. The concern may be heightened where such services are 
directed to children because potential predators know that the 
majority of the participants are likely to be underage.
    \26\ Center for Media Education, Consumer Federation of America, 
Am. Academy of Child and Adolescent Psychiatry, Am. Academy of 
Pediatrics, Junkbusters Corp., Nat'l Alliance for Non-Violent 
Programming, Nat'l Ass'n of Elementary School Principals, Nat'l 
Consumers League, Nat'l Education Ass'n, Privacy Times and Public 
Advocacy for Kids (``CME/CFA et al.'') (Comment 80) at 30; Viacom 
(Comment 79) at 13-14; DMA (Workshop comment 02) at 1-2; Bagwell/MTV 
Networks Online (Workshop Tr. 32-33); Kraft (Comment 67) at 4-5; 
Children's Advertising Review Unit of the Council of Better Business 
Bureaus (``CARU'') (Workshop comment 08) at 2; Cartoon Network, et 
al. (Comment 77) at 18; Nikolai.com, Inc. (Comment 129) at 2; and 
Consumers Union (Comment 116) at 3.
---------------------------------------------------------------------------

    Several commenters expressed concerns that the proposed Rule would 
similarly require operators to give notice and obtain parental consent 
in order to give a child an e-mail account.\27\ The Commission notes 
that, to the extent that operators who provide e-mail accounts keep 
records of the e-mail addresses they have assigned, along with any 
associated information, those operators can be considered to have 
``collected'' those e-mail addresses under the Act. Operators of sites 
directed to children are therefore required to comply with the Act when 
giving children e-mail accounts. For operators of general audience 
sites, the Rule requires actual knowledge that information is being 
collected from a child. Such operators would only be required to 
provide notice and obtain parental consent if registration or other 
information reveals that the person seeking the e-mail account is a 
child.
---------------------------------------------------------------------------

    \27\ See, e.g., Commercial Internet eXchange Ass'n and PSINet 
Inc. (``CIX et al.'') (Comment 83) at 8; Zeeks.com (Comment 98) at 
1; CDT et al. (Workshop comment 11) at 3 (noting same First 
Amendment concerns as for chat rooms). Similar concerns were 
expressed in connection with the proposed Rule's definition of 
``disclosure,'' which included ``any other means that would enable a 
child to reveal personal information to others online.'' See Section 
II.A.3, infra.
---------------------------------------------------------------------------

    A number of commenters noted that operators might be responsible 
for complying with all of the requirements of the Rule after receiving 
an unsolicited e-mail from a child.\28\ If an operator of a site 
directed to children receives such an e-mail, that contact is covered 
under the Act's (and the Rule's) one-time e-mail exception.\29\ Under 
that exception, an operator may collect a child's name and online 
contact information for the purpose of responding one time in response 
to a direct request from a child. This exception would allow an 
operator to receive an e-mail from a child and provide a response 
without providing parental notice and obtaining consent, as long as the 
name and online contact information collected from the child are 
deleted and not used for any other purpose.\30\ And again, in the case 
of a general audience site, these requirements apply only if the site 
receiving the e-mail has actual knowledge that it was sent by a child.
---------------------------------------------------------------------------

    \28\ See, e.g., ZapMe! (Comment 76) at 7-8. See also Highlights 
for Children, Inc. (``Highlights'') (Comment 124) at 2.
    \29\ 15 U.S.C. 6502(b)(2)(A); section 312.5(c)(2) of the Rule. 
See Section II.D.3, infra.
    \30\ Moreover, this exception would accommodate sites that 
automate their responses to incoming e-mails, as long as the child's 
name and online contact information are deleted and not used for any 
other purpose. MLG Internet (Comment 119) at 2 (asking about 
automated e-mail responses).
---------------------------------------------------------------------------

    One commenter noted that a site could collect non-personally 
identifiable information about a child without parental notice or 
consent as long as that information was only tied to a screen name.\31\ 
An operator who has solicited such information could obtain the child's 
name through a subsequent solicitation, and would thus have evaded the 
Act's requirement of prior parental consent.\32\ This is a valid 
concern, but the Commission believes that the Rule does in fact address 
the issue. Indeed, under the Rule, once such information is linked to 
an identifier (the name), it becomes ``personal information'' and the 
Rule requires the operator to provide notice and obtain consent for the 
collection, use, and/or disclosure of all of the information.\33\
---------------------------------------------------------------------------

    \31\ CDT (Comment 81) at 18.
    \32\ Id.
    \33\ See Section II.A.8, infra. Moreover, under section 312.6 of 
the Rule, the operator must disclose that information to the parent 
upon request and the parent may request that the operator delete 
that information. See Section II.E, infra.
---------------------------------------------------------------------------

3. Definition of ``Disclosure''
    The definition of ``disclosure'' in the proposed Rule covered: (1) 
The release of personal information collected from a child in 
identifiable form by an operator for any purpose, except where the 
operator provides the information to a person who provides support for 
the internal operations of the website and who does not use that 
information for any other purpose; \34\ and (2) making personal 
information collected from a child publicly available in identifiable 
form, including through public postings, posting of personal home 
pages, messages boards, and chat rooms, or any other means that would 
enable a child to reveal personal information to others online.\35\
---------------------------------------------------------------------------

    \34\ The ``release of personal information'' is defined in the 
Rule to mean the ``sharing, selling, renting, or any other means of 
providing personal information to any third party.'' See section 
312.2 of the Rule. For additional guidance as to whether an entity 
is a ``third party'' under the Rule, see discussion, infra, 
regarding definitions of ``operator'' and ``third party.''
    \35\ 64 FR 22752, 22764.
---------------------------------------------------------------------------

    In the NPR, the Commission sought to clarify that entities that 
provide fulfillment services or technical support would be considered 
``support for the internal operations of the website or online 
service,'' and thus disclosures to such entities need not be disclosed 
in the site's notices.\36\ The Commission also noted that such services 
as merely providing the server for the website, or providing chat or e-
mail service would also be considered ``support for the internal 
operations of the website.'' \37\ The Commission cautioned, however, 
that because operators are also required by the Act to establish 
reasonable procedures to maintain the confidentiality, security, and 
integrity of personal information collected from children,\38\ they 
should take appropriate measures to safeguard such information in the 
possession of those who provide support for the internal operations of 
their websites.\39\
---------------------------------------------------------------------------

    \36\ 64 FR at 22752.
    \37\ Id.
    \38\ 15 U.S.C. 6502(b)(1)(D).
    \39\ 64 FR at 22752. Some commenters objected to the notion of 
holding operators liable for the action of contractors because 
operators have no way of ensuring that contractors will follow the 
Rule. See, e.g., DMA (Comment 89) at 35. The Act and the Rule 
require operators to establish and maintain reasonable procedures to 
protect the confidentiality, security, and integrity of personal 
information collected from children. 15 U.S.C. 6502(b)(1)(D); 
section 312.8 of the Rule. As long as the operator follows 
reasonable procedures to ensure that such contractors protect the 
information (for example, contractual provisions that limit the 
contractors' ability to use the information), operators should not 
be liable for the actions of contractors.

---------------------------------------------------------------------------

[[Page 59891]]

    Two commenters expressed a concern that the last clause of the 
proposed definition, which covered ``any other means that would enable 
a child to reveal personal information to others online,'' would 
include an Internet Service Provider (``ISP'') or cable company that 
simply provides Internet access without offering any content or 
actively collecting any information from children.\40\ Although the 
Commission notes that this language was not meant to reach such 
entities,\41\ it has decided to eliminate this language as confusing 
and unnecessary.\42\
---------------------------------------------------------------------------

    \40\ See CIX, et al. (Comment 83) at 8-9; National Cable 
Television Association (``NCTA'') (Comment 71) at 6-8.
    \41\ See 64 FR at 22752. To the extent that ISPs do not operate 
websites or online services that are directed to children, or 
knowingly collect information from children, they are not subject to 
the COPPA.
    \42\ One commenter also asked whether the term ``disclosure'' 
covered the inclusion of a child's name on a list of contest 
winners, which is often required under state laws. See PMA (Comment 
107) at 4. If the operator collects only name and online contact 
information, then the exception under section 312.5(c)(5)(iv) would 
apply. However, if the operator collects additional information 
online, then the release of that information would be considered a 
disclosure under the Rule.
---------------------------------------------------------------------------

4. Definition of ``Internet''
    The proposed Rule's definition of ``Internet'' made clear that it 
applied to the Internet in its current form and to any conceivable 
successor.\43\ Given that the technology used to provide access to the 
Internet will evolve over time, it is imperative that the Rule not 
limit itself to current access mechanisms. The Commission received 
three comments regarding this definition.\44\ One commenter suggested 
that the Commission clarify that the definition ``clearly includes 
networks parallel to or supplementary to the Internet such as those 
maintained by the broadband providers * * * [and] intranets maintained 
by online services which are either accessible via the Internet or have 
gateways to the Internet.'' \45\ The Commission believes that the 
proposed definition of ``Internet'' was sufficiently broad to encompass 
such services and adopts that definition in the final Rule.
---------------------------------------------------------------------------

    \43\ 64 FR at 22752, 22764.
    \44\ CME/CFA et al. (Comment 80) at 18; E.A. Bonnett (Comment 
126) at 1; CDT (Comment 81) at 10-11. Two of the comments praised 
the proposed definition as comprehensive. E.A. Bonnett (Comment 126) 
at 1; CDT (Comment 81) at 10-11.
    \45\ CME/CFA et al. (Comment 80) at 18.
---------------------------------------------------------------------------

5. Definition of ``Online Contact Information''
    The Commission received several comments \46\ regarding the 
definition of ``online contact information.'' \47\ One commenter 
suggested that the Commission include in the definition such 
identifiers as instant messaging user identifiers, which are 
increasingly being used for communicating online.\48\ The Commission 
believes that these identifiers already fall within the proposed 
definition, which includes ``any other substantially similar identifier 
that permits direct contact with a person online.'' \49\ After 
reviewing the comments, the Commission has determined that no changes 
to this definition are necessary.
---------------------------------------------------------------------------

    \46\ CyberAngels (Comment 120) at 1; CME/CFA et al. (Comment 80) 
at 6-7; Aftab & Savitt (Comment 118) at 3-4; CDT (Comment 81) at 16-
18.
    \47\ The definition in the proposed Rule was identical to the 
one contained in the Act. See 15 U.S.C. 6501(12); 64 FR at 22752, 
22764.
    \48\ CyberAngels (Comment 120) at 1.
    \49\ Another example of ``online contact information'' could be 
a screen name that also serves as an e-mail address. See Section 
II.A.8, infra.
---------------------------------------------------------------------------

6. Definition of ``Operator''
    The definition of ``operator'' is of central importance because it 
determines who is covered by the Act and the Rule. Consistent with the 
Act, the proposed Rule defined operator (with some limitations) as 
``any person who operates a website located on the Internet or an 
online service and who collects or maintains personal information from 
or about the users or visitors * * * or on whose behalf such 
information is collected or maintained * * *'' \50\ In the NPR, the 
Commission clarified the scope of the definition by listing a number of 
factors to consider, including who owns and/or controls the 
information, who pays for its collection and maintenance, the pre-
existing contractual relationships regarding collection and maintenance 
of the information, and the role of the website or online service in 
collecting and/or maintaining the information (i.e., whether the site 
participates in collection or is merely a conduit through which the 
information flows to another entity).\51\ The Commission also clarified 
that entities that merely provide access to the Internet, without 
providing content or collecting information from children, would not be 
considered operators.\52\ In the NPR, the Commission asked about the 
impact of the proposed definition, and whether it was sufficiently 
clear to provide notice as to who is covered by the Rule.\53\ After 
carefully reviewing the comments received, the Commission has 
determined that no changes to the proposed definition are necessary.
---------------------------------------------------------------------------

    \50\ 15 U.S.C. 6501(2); 64 FR at 22752, 22764.
    \51\ 64 FR at 22752.
    \52\ Thus, ISPs and cable operators that merely offer Internet 
access would not be considered operators under the Rule.
    \53\ 64 FR at 22761.
---------------------------------------------------------------------------

    A number of commenters proposed various tests to determine how 
corporate affiliates should be treated under the Rule.\54\ The 
Commission believes that an entity's status as an operator or third 
party under the Rule should be determined not by its characterization 
as a corporate affiliate, but by its relationship to the information 
collected under the factors described in the NPR. Not all affiliates 
play a role in collecting or maintaining the information from children, 
and making an entity an operator subject to the Act simply because one 
of its affiliates collects or maintains information from children 
online would not serve the goals of the COPPA. If, however, the entity 
has an interest in the data collected under the factors listed in the 
NPR, then it, too, will be covered by the Rule.\55\
---------------------------------------------------------------------------

    \54\ See, e.g., Council of Better Business Bureaus, Inc. 
(``CBBB'') (Comment 91) at 6-7; Attorneys General of the States of 
New York, Alabama, California, Florida, Georgia, Hawaii, Illinois, 
Indiana, Maryland, Nevada, Ohio, Oklahoma, Tennessee, Vermont, and 
Washington (``Attorneys General'') (Comment 114) at 6; PMA (Comment 
107) at 4-5; Am. Ass'n of Advertising Agencies (``AAAA'') (Comment 
134) at 3; Ass'n of Nat'l Advertisers (``ANA'') (Comment 93) at 6-7. 
Some commenters argued in support of automatically including all 
corporate affiliates as operators. Others thought that all 
affiliates with identical privacy policies should be considered 
operators, or, alternatively, that operators should be required to 
disclose that an affiliate has a different privacy policy and 
describe how it differs from the primary operator's. As noted in 
Section II.C.3.c, infra, the notice is required to describe the 
privacy policies of the various operators. One commenter suggested a 
consumer perception standard: that an affiliate would be considered 
an operator if a consumer would reasonably expect that the 
affiliated entities are part of one organization that shares 
information within itself. PMA (Comment 107) at 5. The Commission 
believes that the proposed standard, which places responsibility for 
compliance on the entities that control the information, is the most 
workable test for who is an operator.
    \55\ In the NPR, the Commission stated that operators are 
jointly responsible for implementing the requirements of the Rule. 
64 FR at 22752. In an investigation into a potential Rule violation, 
the Commission will examine all the facts and circumstances in 
determining the appropriate party or parties to pursue. The 
Commission likely will not pursue an entity that is an ``operator,'' 
but has not facilitated or participated in, and has no reason to 
know of, any Rule violations.
---------------------------------------------------------------------------

    One commenter sought clarification of the status of network 
advertising companies, or companies that provide banner ads on websites 
or online

[[Page 59892]]

services.\56\ If such companies collect personal information directly 
from children who click on ads placed on websites or online services 
directed to children, then they will be considered operators who must 
comply with the Act, unless one of the exceptions applies.\57\ 
Moreover, if such companies collect personal information from visitors 
who click on their ads at general audience sites, and that information 
reveals that the visitor is a child, then they will be subject to the 
Act. In addition, if they do not collect information from children 
directly, but have ownership or control over information collected at a 
host children's site, they will be considered operators. If, however, 
no personal information is collected or maintained by such companies, 
either directly or through the host website, then they will not be 
deemed to be operators.
---------------------------------------------------------------------------

    \56\ Media Inc., AdForce, Inc., DoubleClick, Inc., Engage 
Technologies, Inc., Flycast Communications Corp., and Real Media, 
Inc. (Comment 92) at 4-8.
    \57\ It may be appropriate for such companies to provide a joint 
notice with the operator of the host website.
---------------------------------------------------------------------------

    Some commenters sought greater clarity regarding the meaning of 
``actual knowledge'' that a particular visitor is a child and inquired 
whether an operator of a general audience site has any duty to 
investigate the age of its visitors.\58\ Actual knowledge will be 
present, for example, where an operator learns of a child's age or 
grade from the child's registration at the site or from a concerned 
parent who has learned that his child is participating at the site. In 
addition, although the COPPA does not require operators of general 
audience sites to investigate the ages of their site's visitors, the 
Commission notes that it will examine closely sites that do not 
directly ask age or grade, but instead ask ``age identifying'' 
questions, such as ``what type of school do you go to: (a) elementary; 
(b) middle); (c) high school; (d) college.'' Through such questions, 
operators may acquire actual knowledge that they are dealing with 
children under 13.
---------------------------------------------------------------------------

    \58\ See PMA (Comment 107) at 6; Attorneys General (Comment 114) 
at 7. See also MLG Internet (Comment 119) at 1-2.
---------------------------------------------------------------------------

    Finally, one commenter sought assurance that an operator would not 
be liable if his site contained a link to another site that was 
violating the Rule.\59\ If the operator of the linking site is not an 
operator with respect to the second site (that is, if there is no 
ownership or control of the information collected at the second site 
according to the factors laid out in the NPR), then the operator will 
not be liable for the violations occurring at the second site.
---------------------------------------------------------------------------

    \59\ MaMaMedia, Inc. (``MaMaMedia'') (Comment 85) at 7.
---------------------------------------------------------------------------

7. Definition of ``Parent''
    The Act and the proposed Rule defined ``parent'' as ``includ[ing] a 
legal guardian.'' \60\ The Commission received two comments regarding 
this definition, both of which sought additional guidance concerning 
the Rule's application in non-traditional family situations.\61\ The 
Commission believes that the proposed definition is sufficiently 
flexible to account for a variety of family structures and situations, 
including situations where a child is being raised by grandparents, 
foster parents, or other adults who have legal custody. Therefore, the 
Commission retains the definition of parent contained in the proposed 
Rule.
---------------------------------------------------------------------------

    \60\ 15 U.S.C. 6501(7); 64 FR at 22752, 22764.
    \61\ Ass'n of Educational Publishers (``EdPress'') (Comment 130) 
at 2; Highlights (Comment 124) at 1.
---------------------------------------------------------------------------

8. Definition of ``Personal Information''
    The definition of ``personal information'' is another critical part 
of the Rule because it specifies the type of information covered by the 
Rule. The proposed definition included a number of different types of 
individually identifiable information, including name, address, and 
phone number; e-mail address; and other types of information that could 
be used to locate an individual either online or offline.\62\ The 
proposed definition also covered non-individually identifiable 
information (e.g., information about a child's hobbies or toys) that is 
associated with an identifier.\63\
---------------------------------------------------------------------------

    \62\ 64 FR at 22752-22753, 22764.
    \63\ Id.
---------------------------------------------------------------------------

    One commenter asked the Commission to clarify that operators are 
not required to provide parental notice or seek parental consent for 
collection of non-individually identifiable information that is not and 
will not be associated with an identifier.\64\ The Commission believes 
that this is clear in both the Act and the Rule.
---------------------------------------------------------------------------

    \64\ See National Retail Federation (``NRF'') (Comment 95) at 2.
---------------------------------------------------------------------------

    Several commenters sought further guidance on whether the use of 
screen names would trigger the Act's requirements.\65\ If a screen name 
is not associated with any individually identifiable information, it is 
not considered ``personal information'' under this Rule.\66\
---------------------------------------------------------------------------

    \65\ ZapMe! (Comment 76) at 8-9; KidsOnLine.com (Comment 108) at 
1-2; TRUSTe (Comment 97) at 3.
    \66\ One commenter also asked whether operators would be 
required to ensure that a screen name chosen by a child did not 
contain individually identifiable information. TRUSTe (Comment 97) 
at 3. Operators do not have a specific duty to investigate whether a 
screen name contains such information. However, an operator could 
give children warnings about including such information in screen 
names, especially those that will be disclosed in a public forum 
such as a chat room.
---------------------------------------------------------------------------

    Another commenter criticized the proposed Rule on the grounds that 
it encourages operators to set up sites using screen names.\67\ This 
commenter argued that it is important to have accountability online--
i.e., that it is important for operators to be able to identify and 
take action against visitors who post inappropriate information or 
harass other online visitors. The Commission agrees that these are 
important considerations, but notes that the Rule does not foreclose 
operators from taking such precautions. Operators are free to request 
parental consent to collect such information. Moreover, the exception 
to the requirement of prior parental consent under section 
312.5(c)(5)(i) of the Rule allows operators to collect the child's 
online contact information for this very purpose.\68\
---------------------------------------------------------------------------

    \67\ KidsOnLine.com (Comment 108) at 1-2.
    \68\ See also 15 U.S.C. 6502(b)(2)(E)(i). As noted above, an 
operator who wishes to collect name and online contact information 
under this exception may not use or disclose that information for 
any other purpose. An operator, however, who collects other personal 
information and links it with online contact information collected 
under this exception would be in violation of the Rule unless the 
operator provided parental notice and obtained verifiable parental 
consent for the collection of all of that information.
---------------------------------------------------------------------------

    One commenter noted that there are some persistent identifiers that 
are automatically collected by websites and can be considered 
individually identifying information, such as a static IP address or 
processor serial number.\69\ If this type of information were 
considered ``personal information,'' the commenter noted, then nearly 
every child-oriented website would automatically be required to comply 
with the Rule, even if no other personal information were being 
collected. The Commission believes that unless such identifiers are 
associated with other individually identifiable personal information, 
they would not fall within the Rule's definition of ``personal 
information.''
---------------------------------------------------------------------------

    \69\ CDT (Comment 81) at 16. See also E.A. Bonnett (Comment 126) 
at 2-3.
---------------------------------------------------------------------------

    Several commenters asked whether information stored in cookies 
falls within the definition of personal information.\70\ If the 
operator either collects individually identifiable information using 
the cookie or collects non-individually identifiable information using 
the cookie that is

[[Page 59893]]

combined with an identifier, then the information constitutes 
``personal information'' under the Rule, regardless of where it is 
stored.
---------------------------------------------------------------------------

    \70\ See, e.g., Consumers Union (Comment 116) at 4.
---------------------------------------------------------------------------

    After reviewing the comments, the Commission has decided to retain 
the definition of ``personal information'' with slight modifications. 
In response to the suggestion of one commenter, one item was added to 
subparagraph (f) of the definition: a photograph of the individual, 
when associated with other information collected online that would 
enable the physical or online contacting of the individual.\71\ The 
Commission is also making slight modifications to ensure consistency 
within the definition.
---------------------------------------------------------------------------

    \71\ Aftab & Savitt (Comment 118) at 4. This commenter also 
asked the Commission to remove the phrase ``collected online'' from 
this definition in order to cover information that is submitted to 
an operator offline, then posted online by the operator. While we 
are cognizant of the risks posed by such practices, the Commission 
believes that the COPPA does not apply to information submitted to 
an operator offline. See Section II.A.2, supra, concerning the 
definition of ``collection.''
---------------------------------------------------------------------------

9. Definition of ``Third Party''
    The proposed Rule defined the term ``third party'' as ``any person 
who is neither an operator with respect to the collection of personal 
information * * * nor a person who provides support for the internal 
operations of the website or online service.'' \72\ Under the Rule, an 
operator is required to provide notice of its practices with respect to 
the disclosure of information to third parties and to allow parents to 
choose whether the operator may disclose their children's information 
to third parties.\73\ Because third parties are not operators, they are 
not responsible for carrying out the provisions of the Rule.
---------------------------------------------------------------------------

    \72\ 64 FR at 22753, 22764.
    \73\ See Sections II.C.3.d, and II.D.1, infra.
---------------------------------------------------------------------------

    Comments regarding this definition raised issues similar to those 
raised in response to the proposed definition of ``operator''--
specifically, when and whether corporate affiliates would be considered 
``operators'' or ``third parties.'' As noted above, the Commission 
believes that the most appropriate test for determining an entity's 
status as an operator or third party is to look at the entity's 
relationship to the data collected, using the factors listed in the 
NPR.\74\ If an entity does not meet the test for operator, that entity 
will be considered a third party.
---------------------------------------------------------------------------

    \74\ See Section II.A.6, supra; 64 FR at 22752.
---------------------------------------------------------------------------

    One commenter asked that the Commission require third parties to 
comply with the Rule.\75\ However, the statute applies only to the 
practices of the operator, and the Commission does not have the 
authority to extend liability to third parties.
---------------------------------------------------------------------------

    \75\ CME/CFA et al. (Comment 80) at 6, 11.
---------------------------------------------------------------------------

    After reviewing the comments, the Commission has made minor 
revisions to the definition of ``third party'' to maintain consistency 
across the Rule. These revisions consist of adding the words ``and 
maintenance`` following ``collection,'' and clarifying that, in order 
to be excluded from the definition, a person who provides internal 
support for the website may not disclose or use information protected 
under this Rule for any other purpose.
10. The Definition of ``Obtaining Verifiable Parental Consent''
    The proposed Rule included a definition of ``obtaining verifiable 
parental consent'' that was substantially similar to the definition 
contained in the COPPA.\76\ The term was defined to mean ``making any 
reasonable effort (taking into consideration available technology) to 
ensure that before personal information is collected from a child, a 
parent of the child'' receives notice of the operator's information 
practices and consents to those practices. The Commission received no 
comments suggesting modification to this definition, and therefore 
retains the proposed definition.
---------------------------------------------------------------------------

    \76\ See 64 FR 22753, 22764; 15 U.S.C. 6501(9).
---------------------------------------------------------------------------

11. Definition of ``Website or Online Service Directed to Children''
    In the proposed Rule, the Commission listed a number of factors 
that the Commission would consider in determining whether a site would 
be ``directed to children,'' including, among other things, the site's 
``subject matter, visual or audio content, age of models, language or 
other characteristics of the website or online service. * * *''\77\ The 
Commission also stated in the proposed Rule that it would consider 
competent and reliable empirical evidence regarding audience 
composition as well as evidence regarding the intended audience of the 
site.\78\ In addition, under the proposed Rule, a general audience 
website would not be deemed to be directed to children simply because 
it referred or linked to another website or online service that is 
directed to children.\79\ Finally, if a general audience site has a 
distinct children's ``portion'' or ``area,'' then the operator would be 
required to provide the protections of the Rule for visitors to that 
portion of the site.\80\
---------------------------------------------------------------------------

    \77\ 64 FR 22753, 22764.
    \78\ Id.
    \79\ Id.
    \80\ Id.
---------------------------------------------------------------------------

    Several commenters asked for more guidance about the factor 
analysis laid out in this definition.\81\ One commenter asked that the 
Commission clarify that the presence of only one of the listed factors 
would not cause a site to be classified as ``directed to children''; 
rather that all of the factors would be taken into account.\82\ In 
response, the Commission notes that the proposed definition makes it 
clear that the Commission will look at the overall character of the 
site--and not just the presence or absence of one or more factors--in 
determining whether a website is directed to children.
---------------------------------------------------------------------------

    \81\ JuniorNet Corp. (``JuniorNet'') (Comment 100) at 2; Int'l 
Digital Software Ass'n (``IDSA'') (Comment 103) at 2; CDT (Comment 
81) at 20-21; MLG Internet (Comment 119) at 2; Time Warner (Comment 
78) at 4, 5.
    \82\ JuniorNet (Comment 100) at 2.
---------------------------------------------------------------------------

    Another commenter noted that operators should not be able to 
construct a ``veil of ignorance'' where the operator can determine 
through questions whether a visitor is a child without specifically 
asking for the visitor's age.\83\ As discussed above in Section II.A.6 
concerning the definition of ``operator,'' the Commission will closely 
examine such sites to determine whether they have actual knowledge that 
they are collecting information from children. A similar concern was 
raised with respect to sites that ask for age ranges that include both 
children and teens (e.g., a ``15 and under'' category).\84\ Because it 
is simple for operators to craft a ``12 and under'' age range, the 
Commission will look closely at sites that do not offer such a range if 
it appears that their operators are trying to avoid compliance with the 
Rule.
---------------------------------------------------------------------------

    \83\ Consumers Union (Comment 116) at 4-5.
    \84\ CME/CFA et al. (Comment 80) at 7; Attorneys General 
(Comment 114) at 7. See also TRUSTe (Comment 97) at 2.
---------------------------------------------------------------------------

B. Section 312.3: Regulation of Unfair or Deceptive Acts or Practices 
in Connection With the Collection, Use, and/or Disclosure of Personal 
Information From and About Children on the Internet

    Section 312.3 of the proposed Rule set out the Rule's general 
requirements, which were detailed in the later provisions.\85\ The 
Commission received no comments that directly pertained to section 
312.3 of the proposed Rule, which was a restatement of the requirements 
laid out in the Act,\86\ and therefore retains it without change. 
Comments regarding the sections

[[Page 59894]]

implementing its requirements are discussed in the relevant sections 
below.
---------------------------------------------------------------------------

    \85\ 64 FR at 22753, 22764.
    \86\ 15 U.S.C. 6502(b)(1).
---------------------------------------------------------------------------

C. Section 312.4: Notice

1. Section 312.4(a): General Principles of Notice
    The COPPA mandates that an operator provide notice on its website 
and to parents of ``what information is collected from children by the 
operator, how the operator uses such information, and the operator's 
disclosure practices regarding such information.'' \87\ The proposed 
Rule set out general principles of notice, followed by a specific set 
of guidelines for the online placement and content of those notices, to 
ensure that parents receive all the information that they would find 
material when reviewing a site.\88\ As noted in the NPR, the operator's 
notice will form the basis for a parent's decision whether to give the 
operator consent to collect, use, and/or disclose personal information 
from his or her child.\89\ In order to provide informed consent, a 
parent must have a clear idea of what the operator intends to do.\90\ 
Therefore, the proposed Rule required an operator's notice to ``be 
clearly and understandably written,'' \91\ be complete, and * * * 
contain no unrelated, confusing, or contradictory materials.'' \92\ The 
Commission believes that these are the core principles underlying a 
consent-based system and, therefore, retains this section in the final 
Rule.\93\
---------------------------------------------------------------------------

    \87\ 15 U.S.C. 6502(b)(1)(A)(i). One commenter stated that 
Congress included these general guidelines in the Act as a 
performance standard, rather than intending them to be a source of 
detailed regulations. Yahoo! Inc, theglobe.com, inc., DoubleClick, 
Inc. (``Yahoo et al.'') (Comment 73) at 2. Congress, however, 
specifically delegated to the Commission the authority to issue 
regulations to implement the Act.
    \88\ Sections 312.4(a), (b); 64 FR at 22753-56, 22764-65.
    \89\ 64 FR at 22754-55.
    \90\ The Commission notes that it has authority under this 
section, as well as under Section 5 of the Federal Trade Commission 
Act, to take action against operators whose notices are deceptive or 
misleading.
    \91\ CME/CFA et al. (Comment 80) at 9; The McGraw-Hill Companies 
(``McGraw-Hill'') (Comment 104) at 6. One commenter asked whether 
the Commission would apply a particular standard in evaluating how a 
notice is written. Jeff Sovern, St. John's University School of Law 
(``Sovern'') (Comment 33) at 3-4. Traditionally, the Commission has 
applied a ``reasonable consumer'' standard in evaluating whether a 
notice is clearly and understandably written. Because the notices 
required by the Act are intended for parents, the Commission will 
look at whether they are written such that a reasonable parent can 
read and comprehend them.
    \92\ 64 FR at 22754.
    \93\ Two commenters voiced support for these general principles. 
See Attorneys General (Comment 114) at 7; Kraft (Comment 67) at 1.
---------------------------------------------------------------------------

2. Section 312.4(b)(1): Notice on the Website or Online Service--
Placement of the Notice
    Section 312.4(b)(1) of the proposed Rule set forth the requirements 
for online placement of the notice of the operator's information 
practices. It required operators to place a link to the notice on the 
home page of the website or online service such that a typical visitor 
would see the link without having to scroll down from the initial 
viewing screen.\94\ In addition, the proposed Rule required operators 
to post a link to that notice in a similar manner at each place on the 
website or online service where information is collected from 
children.\95\
---------------------------------------------------------------------------

    \94\ 64 FR at 22754.
    \95\ Id. Several commenters supported the use of other 
mechanisms for providing notice, such as pop-up or interstitial 
pages, which typically appear temporarily when visitors move from 
one part of the site to another. America Online, Inc. (``AOL'') 
(Comment 72) at 11; NRF (Comment 95) at 3; iCanBuy.com (Comment 101) 
at 2. The Commission notes that pop-up or interstitial pages will 
only satisfy the notice requirements of the Rule if they are clear, 
prominent, and easily accessible to users, i.e., they do not 
disappear after the initial viewing or users can re-access them 
through a clear and prominent link on the home page.
---------------------------------------------------------------------------

    A large number of commenters noted that with the multitude of Web 
browsers available and the advent of ever-smaller machines that can 
access the Internet, it may not be technically feasible to ensure that 
the link to the notice can be seen without scrolling down from the 
initial viewing screen.\96\ The Commission acknowledges that the 
proposed Rule's requirement regarding the placement of the online 
notices may not be a workable standard. Therefore, the Commission has 
modified section 312.4(b)(1)(ii) to require that a link to the notice 
be placed ``in a clear and prominent place and manner on the home page 
of the website or online service.'' ``Clear and prominent'' means that 
the link must stand out and be noticeable to the site's visitors 
through use, for example, of a larger font size in a different color on 
a contrasting background. The Commission does not consider ``clear and 
prominent'' a link that is in small print at the bottom of the home 
page, or a link that is indistinguishable from a number of other, 
adjacent links.
---------------------------------------------------------------------------

    \96\ See, e.g., Am. Advertising Fed. (``AAF'') (Comment 87) at 
2; ANA (Comment 93) at 5; Dell Computer Corp. (``Dell'') (Comment 
102) at 3-4; McGraw-Hill (Comment 104) at 7; Time Warner (Comment 
78) at 9; Viacom (Comment 79) at 6-7.
---------------------------------------------------------------------------

    Some commenters noted that general audience sites with distinct 
children's areas should be allowed to post the link to the children's 
privacy policy at the home page of the children's area, rather than the 
home page of the overall site.\97\ The Commission believes that this is 
a sensible approach to providing notice. Parents who are reviewing the 
operator's practices with respect to children would likely go directly 
to the children's area; therefore, operators of sites with distinct 
children's areas must post a prominent link at the home page of that 
area.\98\
---------------------------------------------------------------------------

    \97\ ANA (Comment 93) at 5; MPA (Comment 113) at 3-4; DMA 
(Comment 89) at 22-23; McGraw-Hill (Comment 104) at 7.
    \98\ One comment argued that the notice requirements would 
require operators of general audience sites to have two physically 
separate privacy policies--one for adults and one for children. 
Kraft (Comment 67) at 4. Operators are free to combine the privacy 
policies into one document, as long as the link for the children's 
policy takes visitors directly to the point in the document where 
the operator's policies with respect to children are discussed, or 
it is clearly disclosed at the top of the notice that there is a 
specific section discussing the operator's information practices 
with regard to children.
---------------------------------------------------------------------------

    Further, in response to comment, section 312.4(b)(1)(iii) has been 
modified to require that a link to the notice be placed ``at each area 
on the website or online service where children directly provide, or 
are asked to provide, personal information and in close proximity to 
the requests for information in each such area.'' The comment noted--
and the Commission agrees--that it makes sense to require that the link 
be in close proximity to the initial request for information in an area 
so that visitors do not have to scroll up or down the page to find the 
link.\99\ In response to comments, the Commission also changed the 
requirement of notice at each ``place'' where children provide 
information to notice at each such ``area'' in order to make clear that 
there does not need to be a link accompanying each question, but simply 
at each separate area where such information is collected.\100\
---------------------------------------------------------------------------

    \99\ Mars, Inc. (``Mars'') (Comment 86) at 10.
    \100\ See, e.g., AOL (Comment 72) at 8-11.
---------------------------------------------------------------------------

3. Section 312.4 (b)(2) and (c)(1)(i)(B): Content of the Notice
    Section 312.4(b)(2) of the proposed Rule details the information 
that operators must include in their notice on the site. That 
information was also required to be included in the notice to the 
parent under Section 312.4(c)(1)(i)(B).\101\ Under the proposed Rule, 
operators were required to include in their notices, among other 
things: (1) names and contact information for all operators; (2) the 
types of personal information collected through the site and how such 
information is collected; (3) how the personal information would be 
used; (4) whether the personal

[[Page 59895]]

information would be disclosed to third parties, the types of 
businesses in which those third parties are engaged, whether the third 
parties have agreed to take steps to protect the information, and a 
statement that parents have the right to refuse to consent to the 
disclosure of their child's personal information to third parties; (5) 
that the operator may not condition a child's participation in an 
activity on the provision of more personal information than is 
necessary to participate in the activity; and (6) that the parent may 
review, make changes to, or have deleted the child's personal 
information.\102\ Many of the comments addressing these sections 
expressed concern that they required the inclusion of too much 
information in the notices. As discussed below, the Commission believes 
that most of the information required in the proposed Rule would be 
material to parents in deciding whether to consent to their child's 
participation in a site. However, in order to reduce the length of the 
notice, the Commission has eliminated certain information that it has 
determined would be of limited benefit to parents.
---------------------------------------------------------------------------

    \101\ 64 FR at 22754-56, 22765.
    \102\ Id.
---------------------------------------------------------------------------

    a. Section 312.4(b)(2)(i). This section of the proposed Rule 
required operators to include in the notice the name, address, phone 
number, and e-mail address of all operators collecting or maintaining 
personal information from children through the website or online 
service.103 Some commenters objected to including this 
information in the notice because it would make the notice unwieldy. 
Operators can minimize the length of the notice by designating a single 
entity as a central contact point for any inquiries regarding the 
information practices of the site's operators. The Commission, however, 
believes that it is essential that all operators be identified in the 
notice, even if full contact information is not provided, so that 
parents know who will see and use their children's personal 
information. Therefore, the Commission has modified this provision 
accordingly. Operators who do not wish to designate a single contact 
may still minimize the length of the notice by including in the notice 
on the site a hyperlink to a separate page listing the 
information.104
---------------------------------------------------------------------------

    \103\ 64 FR at 22754, 22765.
    \104\ In response to two comments, the Commission notes that 
simply providing a hyperlink to the home pages of the other 
operators, however, would not provide adequate notice for parents. 
DMA (Comment 89) at 23-24; AOL (Comment 72) at 12. It would not only 
be burdensome for parents, but some entities that would be 
categorized as ``operators'' (i.e., those ``on whose behalf'' 
personal information was collected) may not even have websites.
---------------------------------------------------------------------------

    Several comments also noted that data-sharing relationships in the 
online world change quickly, sometimes on a weekly basis,105 
and that it would be burdensome for operators to revise their notices 
with each change, as the proposed Rule required, particularly in the 
case of the notice to the parent.106 While the Commission 
believes that it is reasonable to expect operators to keep the notice 
on the site current, it agrees that it would be burdensome for 
operators to send numerous updated notices to parents. Therefore, as 
discussed in Section II.C.4, below, it has modified the Rule to require 
a new notice to the parent only where there will be a material change 
in the collection, use, and/or disclosure of personal information from 
the child. Thus, for example, if the operator plans to disclose the 
child's personal information to a new operator with different 
information practices than those disclosed in the original notice, then 
a new consent would be required.107
---------------------------------------------------------------------------

    \105\ PMA (Comment 107) at 7-8; DMA (Comment 89) at 23-24. See 
also McGraw-Hill (Comment 104) at 7.
    \106\ 64 FR at 22755. In the NPR, the Commission stated that 
additional notices to the parent would be required if the operator 
wished to disclose the child's personal information to parties not 
covered by the original consent, including parties created by a 
merger or other change in corporate structure.
    \107\ Marketing diet pills, for example, would be a materially 
different line of business than marketing stuffed animals.
---------------------------------------------------------------------------

    b. Section 312.4(b)(2)(ii). Under this section of the proposed 
Rule, operators were required to disclose the types of personal 
information collected from children and whether that information is 
collected directly or passively.108 In the NPR, the 
Commission clarified that this section did not require operators to 
disclose to parents every specific piece of information collected from 
children, but rather the types or categories of personal information 
collected, like name, address, telephone number, social security 
number, hobbies, and investment information.109 The 
Commission cautioned operators to use categories that were descriptive 
enough that parents could make an informed decision about whether to 
consent to the operator's collection and use of the 
information.110
---------------------------------------------------------------------------

    \108\ 64 FR at 22754, 22765.
    \109\ 64 FR at 22754.
    110 Id. For example, stating ``We collect your child's name, e-
mail address, information concerning his favorite sports, hobbies, 
and books'' would be sufficient under the Rule. It would not be 
necessary for the operator to state ``We ask for your child's name 
and e-mail address, and whether he likes to play baseball, soccer, 
football, or badminton. * * *''
---------------------------------------------------------------------------

    Some commenters noted that the proposed Rule required operators to 
provide too much detail in the notice concerning the types of 
information collected from children.111 These commenters 
felt that a more general notice would give the operator more 
flexibility to change its activities without having to return to the 
parent for additional consent.112 The Commission believes 
that a more general notice may not reveal to parents that the operator 
collects information that the parent does not want discussed or 
divulged, like personal financial information. Therefore, the 
Commission is retaining this portion of the Rule. However, as noted 
above, these concerns should be alleviated by the Commission's 
amendment to the Rule regarding ``material changes.'' 113
---------------------------------------------------------------------------

    \111\ McGraw-Hill (Comment 104) at 6-7; AAF (Comment 87) at 2.
    \112\ Id.
    \113\ See Section II.C.4, infra. In addition, as noted in note 
9, supra, the Commission plans to develop educational materials to 
assist operators in complying with the Rule.
---------------------------------------------------------------------------

    c. Section 312.4(b)(2)(iii). Section 312.4(b)(2)(iii) of the 
proposed Rule required operators to notify parents about how their 
child's personal information ``is or may be used by the operator, 
including but not limited to fulfillment of a requested transaction, 
recordkeeping, marketing back to the child, or making it publicly 
available through a chat room or by other means.'' 114 In 
the NPR, the Commission noted that operators must provide enough 
information for parents to make informed decisions, without listing 
every specific or possible use of the information.115 Many 
commenters expressed the view that the proposed Rule would require an 
operator to provide such detail that they would inevitably have to send 
new notices and obtain new consents for every minor change in the 
operator's practices.116 Again, these concerns should be 
alleviated by the Rule amendment regarding ``material changes.'' See 
Section II.C.4, infra.
---------------------------------------------------------------------------

    \114\ 64 FR at 22754-55, 22765.
    \115\ 64 FR at 22754.
    \116\ See supra note 106 and accompanying text.
---------------------------------------------------------------------------

    Because this section of the proposed Rule referred only to ``the 
operator,'' one commenter asked how websites should address situations 
in which there are multiple operators collecting information through 
the site but who use children's personal information in different 
ways.117 Specifically, the commenter asked whether each 
operator was required to post a separate notice, or whether a single 
notice could be used. Where there are multiple operators with different 
information

[[Page 59896]]

practices, there should be one notice summarizing all of the 
information practices that will govern the collection, use, and/or 
disclosure of children's personal information through the site. Thus, 
the Commission has modified the Rule to clarify that a discussion of 
all policies governing the use of children's information collected 
through the site should be included in the notice.
---------------------------------------------------------------------------

    \117\ Attorneys General (Comment 114) at 8.
---------------------------------------------------------------------------

    d. Section 312.4(b)(2)(iv). Under this provision of the proposed 
Rule, an operator was required to disclose whether children's personal 
information was disclosed to third parties, and if so, the types of 
business in which those third parties were engaged, as well as whether 
those third parties had agreed to maintain the confidentiality, 
security, and integrity of the personal information obtained from the 
operator.118 In addition, the operator was required to 
notify the parent that he or she had the option of consenting to the 
operator's collection and use of the child's information without 
consenting to the disclosure of that information to third 
parties.119 After reviewing all the relevant comments, the 
Commission has determined that no changes to this section are 
necessary.
---------------------------------------------------------------------------

    \118\ 64 FR at 22755.
    \119 \Id. For a more detailed discussion of withholding consent 
to the disclosure of personal information to third parties, see 
Section II.D.1, infra.
---------------------------------------------------------------------------

    One commenter noted that the COPPA ``requires only that an operator 
describe its own practices. * * *'' 120 The Commission 
believes that the information required in this section of the proposed 
Rule falls within the rubric of ``the operator's disclosure practices 
for such information.'' 121 Parents need to know the steps 
an operator has taken to ensure that third parties will protect their 
children's data in order to provide meaningful consent.
---------------------------------------------------------------------------

    \120\ DMA (Comment 89) at 24, citing 15 U.S.C. 6502(b)(1)(A)(i).
    \121\ 15 U.S.C. 6502(b)(1)(A)(i).
---------------------------------------------------------------------------

    Some commenters felt that providing information concerning the 
businesses engaged in by third parties would be overly 
burdensome.122 Under this section, however, operators are 
not required to provide detailed information concerning third party 
businesses, but only to describe the ``types of business'' in which 
third parties who will receive children's information are engaged--for 
example, list brokering, advertising, magazine publishing, or 
retailing.123 The Commission believes that it is not unduly 
burdensome to determine the general line of business of the companies 
with whom one does business. Moreover, this information will enable 
parents to provide meaningful consent to third party disclosures.
---------------------------------------------------------------------------

    \122\ See e.g., AAF (Comment 87) at 3; CBBB (Comment 91) at 11; 
PMA (Comment 107) at 8; TRUSTe (Comment 97) at 1.
    \123\ 64 FR at 22755.
---------------------------------------------------------------------------

    Commenters again pointed out that relationships between companies 
in the online environment change rapidly, which would make notices 
difficult to compose and keep current.124 Changes in the 
identities of third parties would necessitate repeated notices to 
parents, burdening both the operator and the parent.125 
Another commenter suggested that rather than give notice of third 
parties' information practices, operators should be allowed simply to 
provide a warning to parents to review those practices.126 
Once again, these concerns should be alleviated by the fact that the 
disclosure is only of the types of businesses engaged in by third 
parties, and new notice and consent are required only if there has been 
a material change in the way that the operator collects, uses, and/or 
discloses personal information. See Section II.C.4, below.
---------------------------------------------------------------------------

    \124\ TRUSTe (Comment 97) at 1-2; McGraw-Hill (Comment 104) at 
7; AAF (Comment 87) at 3; PMA (Comment 107) at 8.
    \125 \Id.
    \126\ CBBB (Comment 91) at 11. The Commission believes that 
requiring parents to search out this information, which may not even 
be available or accessible, would be unduly burdensome.
---------------------------------------------------------------------------

    Still other commenters stated that the Commission should require 
operators to disclose more detailed information regarding third 
parties' information practices than the proposed Rule required, 
including whether a third party has weaker standards than the 
operator.127 The Commission believes that the proposed 
requirement--that operators state whether or not the third parties have 
agreed to maintain the confidentiality,128 security, and 
integrity of children's data B strikes the appropriate balance between 
a parent's need for information and an operator's need for an efficient 
means of complying with the Rule.
---------------------------------------------------------------------------

    \127\ CME/CFA et al. (Comment 80) at 23-24; Electronic Privacy 
Information Center (``EPIC'') (Comment 115) at 8-9; Attorneys 
General (Comment 114) at 8.
    \128\ The Commission expects that third parties who have agreed 
to maintain the confidentiality of information received from 
operators will not disclose that information further.
---------------------------------------------------------------------------

    Alternatively, one of these commenters requested that operators be 
prohibited from disclosing children's personal information to any third 
party unless that party not only complies with the Act, but also has 
the same privacy policy as the operator.129 The Act 
explicitly applies to ``any website or online service directed to 
children that collects personal information from children or the 
operator of a website or online service that has actual knowledge that 
it is collecting personal information from a child.'' 130 
Therefore, the Commission cannot extend liability to third parties.
---------------------------------------------------------------------------

    \129\ CME/CFA et al. (Comment 80) at 23. See also CDT (Comment 
81) at 23.
    \130\ 15 U.S.C. 6502(b)(1)(A).
---------------------------------------------------------------------------

    e. Section 312.4(b)(2)(v). Under Section 312.4(b)(2)(v) of the 
proposed Rule, operators were required to state in their notices that 
the Act prohibits them from conditioning a child's participation in an 
activity on the child's disclosing more personal information than is 
reasonably necessary to participate in that activity.131 One 
commenter objected to including such a statement in the notice, on the 
grounds that it does not provide parents with helpful 
information.132 The Commission believes that this 
information is material to parents and will assist them in evaluating 
the reasonableness of an operator's requests for information. 
Therefore, the Commission has decided to retain this provision.
---------------------------------------------------------------------------

    \131\ 15 U.S.C. 6502(b)(1)(C); 64 FR at 22755, 22765, citing 15 
U.S.C. 6502(b)(1)(C). See also 64 FR at 22758, 22766.
    \132\ Mars (Comment 86) at 4.
---------------------------------------------------------------------------

    f. Section 312.4(b)(2)(vi). This section of the proposed Rule 
required operators to describe in the notice on the site parents' right 
to review personal information provided by their 
children.133 It generally tracked the requirements in 
section 312.6 of the proposed Rule 134 by requiring notice 
of a parent's ability to review, make changes to, or have deleted the 
child's personal information. In the NPR, the Commission sought public 
comment on whether this information was needed in the notice on the 
site, or only in the notice to the parent.135
---------------------------------------------------------------------------

    \133\ 64 FR at 22755, 22765.
    \134\ 64 FR at 22757-58, 22766. For a detailed discussion of 
section 312.6, see Section II.E, infra.
    \135\ See 64 FR at 22762.
---------------------------------------------------------------------------

    Some commenters believed that it was only necessary to include this 
information in the notice to the parent, because it is only relevant 
once parents have consented to the collection of their children's 
information.136 Other commenters, however, felt notice of 
parents' right to review children's information should be included in 
the notice on the site so that parents can evaluate a site while 
surfing with their children.137 The Commission also notes

[[Page 59897]]

that if the parent accidentally deletes or misplaces the notice 
received from the operator, he or she would likely turn to the notice 
on the site for information on reviewing the child's information. If 
that information were not in the notice on the site, the parent may be 
foreclosed from exercising the right to review the child's information. 
Therefore, the Commission has retained this provision.
---------------------------------------------------------------------------

    \136\ DMA (Comment 89) at 19-20; PMA (Comment 107) at 8-9 
(operator should be able to choose whether to include this 
information in the notice).
    \137\ Attorneys General (Comment 114) at 8-9; E.A. Bonnett 
(Comment 126) at 4; CBBB (Comment 91) at 12; CME/CFA et al. (Comment 
80) at 24; TRUSTe (Comment 97) at 1-2.
---------------------------------------------------------------------------

4. Section 312.4(c): Notice to a Parent
    This provision of the proposed Rule required operators to ``make 
reasonable efforts, taking into account available technology, to ensure 
that a parent of a child receives notice of an operator's practices 
with regard to the collection, use, and/or disclosure of the child's 
personal information, including any collection, use, and/or disclosure 
to which the parent has not previously consented.'' 138 
After reviewing the relevant comments, the Commission has amended this 
provision to require new notice to the parent only when there is a 
material change in the way the operator collects, uses, and/or 
discloses personal information from the child.
---------------------------------------------------------------------------

    \138\ 64 FR at 22755, 22765.
---------------------------------------------------------------------------

    In the NPR, the Commission noted that ``reasonable efforts'' to 
provide a parent with notice under this section could include sending 
the notice to the parent by postal mail or e-mail, or having the child 
print out a form to give to the parent. These methods were intended to 
be non-exclusive examples.139 The Commission also noted that 
operators must send the parent an updated notice and request for 
consent ``for any collection, use, or disclosure of his or her child's 
personal information not covered by a previous consent.'' 
140 Examples of situations where new notice and request for 
consent would be needed included if the operator wished to use the 
information in a manner that was not included in the original notice, 
such as disclosing it to parties not covered by the original consent, 
including parties created by a merger or other corporate 
combination.141
---------------------------------------------------------------------------

    \139\ Id. One commenter requested that we include this 
information in the text of the Rule. DMA (Comment 89) at 27. The 
Commission believes that the performance standard enunciated in this 
provision is appropriate in light of the operator's need for 
flexibility and the additional protections that are provided by the 
parental consent requirement. As discussed below, the Rule provides 
more specific guidance as to the appropriate mechanisms for 
obtaining parental consent See Section II.D.2, infra.
    \140\ 64 FR at 22755, 22765
    \141\ Id.
---------------------------------------------------------------------------

    Many commenters argued that the Commission's interpretation 
concerning when a new notice and request for consent would be required 
was burdensome and unnecessary.142 Given the high rate of 
merger activity in this industry, the commenters asserted, operators 
would be required to send many additional notices to 
parents.143 Moreover, commenters noted that many mergers do 
not change the nature of the business the operator engages in or how 
the operator uses personal information collected from children. 
Therefore, many additional notices to parents under the proposed 
interpretation of this provision would not provide parents with 
meaningful information.
---------------------------------------------------------------------------

    \142\ See, e.g., AOL (Comment 72) at 14-15; DMA (Comment 89) at 
26; Kraft (Comment 67) at 2, 5-6. See also CBBB (Comment 91) at 13-
14.
    \143\ Id.
---------------------------------------------------------------------------

    The Commission agrees with these comments. In order to balance an 
operator's need for efficiency and parents' need for relevant 
information, the Commission has amended the Rule to require new notice 
and consent only when there is a material change in how the operator 
collects, uses, or discloses personal information from children. For 
example, if the operator obtained consent from the parent for the child 
to participate in games which required the submission of limited 
personal information but now wishes to offer chat rooms to the child, 
new notice and consent will be required. In addition, if an operator 
(e.g., a toy company) merged with another entity (e.g., a 
pharmaceutical company) and wished to use a child's personal 
information to market materially different products or services than 
those described in the original notice (e.g., diet pills rather than 
stuffed animals), new notice and consent would be required. Likewise, 
new notice and consent would be required to disclose the information to 
third parties engaged in materially different lines of business than 
those disclosed in the original notice (e.g., marketers of diet pills 
rather than marketers of stuffed animals). On the other hand, if the 
operator had parental consent to disclose the child's personal 
information to marketers of stuffed animals, it does not need to obtain 
a new consent to disclose that information to other marketers of 
stuffed animals.
    One commenter suggested that the Rule also requires the operator to 
obtain parental confirmation that the notice was received, either 
through a return e-mail or a business reply postcard.\144\ The 
Commission believes that this proposal would burden parents and 
operators without adding significantly to the protection of children 
online. In most cases, the operator's receipt of parental consent will 
serve as confirmation that the parent received the notice.\145\ 
Likewise, in most instances, if the parent does not receive the notice, 
then the operator simply will not receive consent.
---------------------------------------------------------------------------

    \144\ CME/CFA et al. (Comment 80) at 24-25. Similarly, one 
commenter noted that many parents share an e-mail account with their 
children. A & E Television Networks (``AETN'') (Comment 90) at 17-
18. In these situations, the commenter argued, it would be 
impossible for the operator to determine whether the notice has been 
received by the parent. Id. In many cases, however, the children 
will have the incentive to give the notice to the parent in order to 
obtain parental consent. Further, as noted above, in most cases, the 
operator's receipt of parental consent will confirm that the parent 
has received the notice.
    \145\ See Section II.D.2 infra, for a detailed discussion of the 
requirements for obtaining verifiable parental consent under Section 
312.5 of the Rule.
---------------------------------------------------------------------------

    One commenter suggested that the Commission permit the notice to 
the parent to take the form of an e-mail with an embedded hyperlink to 
the notice on the site.\146\ In response, the Commission notes that the 
notice to the parent must contain additional information that is not 
required in the notice on the site.\147\ However, as long as the 
additional, required information is clearly communicated to parents in 
the e-mail, and the hyperlink to the notice on the site is clear and 
prominent, operators may include the hyperlink to the notice on the 
site in an e-mail to parents.
---------------------------------------------------------------------------

    \146\ Mars (Comment 86) at 12.
    \147\ For example, the notice to the parent must contain 
information concerning how to provide parental consent (section 
312.4(c)(1)(ii)).
---------------------------------------------------------------------------

    a. Section 312.4(c)(1) (i) and (ii): information in the notice to a 
parent. The proposed Rule required an operator's notice to a parent to 
include all the information included in the notice on the site (section 
312.4(c)(1)(i)(B)), as well as additional information. In cases that do 
not implicate one of the exceptions to prior parental consent under 
section 312.5(c), an operator must tell the parent that he or she 
wishes to collect personal information from the child (section 
312.4(c)(1)(i)(A)) and may not do so unless and until the parent 
consents, and the operator must describe the means by which the parent 
can provide that consent (section 312.4(c)(1)(ii)).\148\
---------------------------------------------------------------------------

    \148\ 64 FR at 22755, 22765. One commenter thought that the 
notice should also inform parents that they have the option of 
denying consent. CME/CFA et al. (Comment 80) at 12. The Commission 
believes that a right of refusal is implied in a request for 
consent, and therefore is not modifying this provision.
---------------------------------------------------------------------------

    In the NPR, the Commission requested public comment on whether 
there was additional information that

[[Page 59898]]

should be included in the notice.\149\ One commenter suggested that the 
notice include a statement recommending that parents warn their 
children not to post personal information in chat rooms or other public 
venues.\150\ While the Commission does not believe this information 
should be required in the notice under the COPPA, it strongly 
encourages parents, operators, and educators to teach children about 
the dangers of posting personal information in public fora. After 
reviewing the comments concerning these provisions, the Commission 
believes that no changes are necessary.
---------------------------------------------------------------------------

    \149\ 64 FR at 22762.
    \150\ CBBB (Comment 91) at 13.
---------------------------------------------------------------------------

    b. Section 312.4(c)(1)(iii) and (iv): Notices under the multiple-
contact exception, section 312.5(c)(3), and the child safety exception, 
section 312.5(c)(4). In cases where an operator wishes to collect a 
child's name and online contact information for purposes of responding 
more than once to a specific request of the child under Section 
312.5(c)(3), or for the purpose of protecting the safety of a child 
participating on the website or online service under Section 
312.5(c)(4), the operator was required to provide notice to the parent, 
with an opportunity to opt out of future use or maintenance of the 
child's personal information. Section 312.4(c)(1) (iii) and (iv) 
required the operator to notify the parent of the operator's intended 
use of the information, the parent's right to refuse to permit further 
contact with the child, or further use or maintenance of the 
information, and that ``if the parent fails to respond to the notice, 
the operator may use the information for the purpose(s) stated in the 
notice.'' \151\ The Commission received only one comment regarding this 
provision \152\ and has determined that no changes are necessary.
---------------------------------------------------------------------------

    \151\ 64 FR at 22756, 22765.
    \152\ CME/CFA et al. (Comment 80) at 12 (generally requesting 
more information in the notices).
---------------------------------------------------------------------------

    Because the types of contact with children covered under section 
312.5(c) (3) and (4) do not require a parent's affirmative consent, the 
operator must clearly notify the parent that, in these instances, if 
the parent fails to respond to the notice, the operator may use the 
information for the purpose stated in the notice.\153\ The Commission 
expects operators to process in a timely manner responses from parents 
prohibiting the use of their children's information.
---------------------------------------------------------------------------

    \153\ 64 FR at 22757, 22765-66.
---------------------------------------------------------------------------

D. Section 312.5: Verifiable Parental Consent

1. Section 312.5(a): General Requirements
    Section 312.5(a) of the proposed Rule set forth two requirements: 
(1) That operators obtain verifiable parental consent before any 
collection, use, or disclosure of personal information from children, 
including any collection, use and/or disclosure to which the parent had 
not previously consented; and (2) that the operator give the parent the 
option to consent to collection and use of the child's personal 
information without consenting to its disclosure to third parties.\154\ 
In the NPR, the Commission also stated that, because the Act required 
parental consent prior to any collection, use, and/or disclosure, the 
parental consent requirement applied to the subsequent use or 
disclosure of information already in possession of an operator as of 
the effective date of the proposed Rule.\155\
---------------------------------------------------------------------------

    \154\ 64 FR at 22756, 22765.
    \155\ Id. at 22751.
---------------------------------------------------------------------------

    Commenters generally supported the principle of prior parental 
consent.\156\ However, several argued that, by requiring parental 
consent for future use of information collected before the effective 
date of the Rule, the Commission was attempting to apply the Act 
retroactively.\157\ They also stated that it would be extremely costly 
and burdensome to obtain consent for information collected years ago, 
especially in instances where they were unaware of a child's past or 
current age or had no information on how to contact the parents.\158\ 
The Commission is persuaded that the Act should not be interpreted to 
cover information collected prior to its effective date. While the Act 
clearly gives parents control over the use and disclosure of 
information, and not just its collection,\159\ it also appears to 
contemplate that such control be exercised only with regard to 
information ``collected'' under the Act--i.e., collected after the 
Act's effective date.\160\ Further, the Commission believes that it 
could be difficult and expensive for operators to provide notice and 
consent for information collected prior to the Rule's effective date. 
Therefore, the Commission has eliminated this requirement from the 
Rule.
---------------------------------------------------------------------------

    \156\ See, e.g., Gail Robinson (Comment 132); Tessin J. Ray 
(Comment 131); BAWSELADI (Comment 133); Deb Drellack (Comment 20); 
Valorie Wood (Comment 36); Deanie Billings (Comment 37); Nancy C. 
Zink (Comment 38); Susan R. Robinson (Comment 42); Joyce Patterson 
(Comment 43); Elaine Bumpus (Comment 44); Greg Anderson (Comment 
46); Deanna (Comment 47); Mark E. Clark (Comment 48); Sue Bray 
(Comment 50); Cindy L. Hitchcock (Comment 55); Stephanie Brown 
(Comment 50); Samantha Hart (Comment 59); Tammy Howell (Comment 59); 
Jean Hughes (Comment 60); dinky (Comment 61); PrivaSeek (Comment 
112) at 2; CDT (Comment 81) at 25; Consumers Union (Comment 116) at 
1; EPIC (Comment 115) at 5, 9; FreeZone (IRFA comment 01) at 2; 
Kidsonline.com (IRFA comment 02) at 1; AAF (Comment 87) at 2; CBBB 
(Comment 91) at 1-2; CARU (Workshop comment 08) at 3; AAAA (Comment 
134) at 2, 5; Mars (Comment 86) at 1; Time Warner (Comment 78) at 
10; Viacom (Comment 79) at 9-10; Children's Television Workshop 
(``CTW'') (Comment 84) at 2, 6. See also 144 Cong. Rec. at S11659 
(List of Supporters of Children's Internet Privacy Language).
    \157\ DMA (citing Landgraf v. U.S. Film Products, 511 U.S. 244 
(1994)). See also EdPress (Comment 130) at 2; AAF (Comment 87) at 3-
4; ANA (Comment 93) at 3-4; Grolier Enterprises (Comment 111) at 4; 
IDSA (Comment 103) at 7-8; McGraw-Hill (Comment 104) at 5; MPA 
(Comment 113) at 4; NRF (Comment 95) at 1-2; Time Warner Inc. 
(Comment 78) at 3-4; Walt Disney Company and Infoseek Corp. 
(``Disney, et al.'') (Comment 82) at 12-13.
    \158\ IDSA (Comment 103) at 7; TRUSTe (Comment 97) at 2-3.
    \159\ See, e.g., 15 U.S.C. 6502(b)(1)(B)(ii) (giving parents the 
opportunity at any time to refuse to permit further use, disclosure, 
or maintenance of information collected from their children); 15 
U.S.C. 6502(b)(1)(A)(ii) (requiring operators to obtain verifiable 
parental consent for the collection, use, and/or disclosure of 
personal information from children).
    \160\ See 144 Cong. Rec. at S11658 (Statement of Sen. Bryan) 
(stating that parents can opt out of further collection, use, or 
maintenance of their child's information and that ``[t]he opt out * 
* * operates as a revocation of consent that the parent has 
previously given'').
---------------------------------------------------------------------------

    The Commission notes, however, that notwithstanding any prior 
relationship that an operator has with the child, any collection of 
``personal information'' by the operator after the effective date is 
covered by the Rule. Thus, for example, if an operator collected a 
child's name and e-mail address before the effective date, but sought 
information regarding the child's street address after the effective 
date, the later collection would trigger the Rule's requirements. 
Similarly, if after the effective date, an operator continued to offer 
activities involving the ongoing collection and disclosure of personal 
information from children (e.g., a chatroom or message board), or began 
offering such activities for the first time, notice and consent would 
be required for all participating children regardless of whether they 
had previously registered or participated at the site.
    The Commission also notes that, for information collected prior to 
the effective date of the Rule, it retains the authority to pursue 
unfair or deceptive acts or practices under Section 5 of the Federal 
Trade Commission Act. Thus, the Commission will continue to examine 
information practices in use before the effective date of the COPPA for 
deception and unfairness, and will

[[Page 59899]]

pursue enforcement in appropriate circumstances.\161\
---------------------------------------------------------------------------

    \161\ See GeoCities, Docket No. C-3849 (Final Order Feb. 12, 
1999); Liberty Financial Cos., Inc., Docket No. C-3891 (Final Order 
Aug. 12, 1999). See also Staff Opinion Letter, July 17, 1997, issued 
in response to a petition filed by the Center for Media Education, 
at <www.ftc.gov/os/1997/9707/cenmed.htm>.
---------------------------------------------------------------------------

    Many commenters also objected to the requirement that operators 
obtain a new parental consent for any changes to the collection, use, 
and/or disclosure practices which were the subject of a previous 
consent.\162\ As in the notice section of the Rule,\163\ they argued 
that notification of minor changes would be extremely burdensome, 
especially in light of constant changes taking place in the online 
world, and unnecessary to achieve the purposes of the COPPA.\164\ As 
noted above, the Commission agrees that the proposed requirement is 
unduly broad and would be overly burdensome, and is therefore amending 
the Rule to make clear that a new parental consent is required only if 
there is a material change in the operator's collection, use, and/or 
disclosure practices.
---------------------------------------------------------------------------

    \162\ IDSA (Comment 103) at 5-6; CBBB (Comment 91) at 13-14; DMA 
(Comment 89) at 26; Aftab & Savitt (Comment 118) at 5; ANA (Comment 
93) at 6-7.
    \163\ See Section II.C.4, supra.
    \164\ One commenter supported this provision on the basis that 
not requiring it would render parental consent meaningless. 
Attorneys General (Comment 114) at 10. However, even one commenter 
who supported the requirement still expressed concern that parents 
might be ``badgered'' by too many of these requests. CME/CFA et al. 
(Comment 80) at 13.
---------------------------------------------------------------------------

    Finally, some commenters objected to the proposed Rule's 
requirement that parents be given an opportunity to provide consent for 
the collection and use of information without consenting to its 
disclosure to third parties.\165\ Commenters argued that this 
requirement is not included in the COPPA and that it interferes with an 
operator's right under the COPPA to terminate service to a child whose 
parent refuses to permit further use, maintenance, or collection of the 
data.\166\ Other commenters supported this requirement as important to 
the protection of children's privacy.\167\
---------------------------------------------------------------------------

    \165\ Section 312.5(a)(2). See, e.g., DMA (Comment 89) at 25; 
NRF (Comment 95) at 4; McGraw-Hill (Comment 104) at 7; PMA (Comment 
107) at 11.
    \166\ ANA (Comment 93) at 6; IDSA (Comment 103) at 4-5; DMA 
(Comment 89) at 25; PMA (Comment 107) at 11 (all referring to 
section 312.6(c) of the proposed Rule and 15 U.S.C. 6502(b)(3)). The 
purpose of that provision was to enable operators to offer some 
online activities that require children to provide personal 
information, e.g., chat rooms, which may require the operator to 
collect an e-mail address for security purposes. Under that 
provision, operators may bar children whose parents have revoked 
consent for the operator's use of the necessary information from 
participating in those activities. The Commission does not believe 
that disclosure to outside parties--other than those, such as 
fulfillment services, that provide support for the internal 
operations of the website--is reasonably necessary for an operator 
to provide online activities.
    \167\ EPIC (Comment 115) at 9-10; Junkbusters (Comment 66) at 1. 
See also CDT (Comment 81) at 25; CME/CFA et al. (Comment 80) at 13; 
Sovern (Comment 33) at 4; Mars (Comment 86) at 12-13; TRUSTe 
(Comment 97) at 2.
---------------------------------------------------------------------------

    The Commission believes that giving parents a choice about whether 
information can be disclosed to third parties implements the clear 
goals of the COPPA to give parents more control over their children's 
personal information, limit the unnecessary collection and 
dissemination of that information, and preserve children's access to 
the online medium.\168\ The Act requires consent for the collection, 
use, or disclosure of information,\169\ thus expressing the intent that 
parents be able to control all of these practices. Although the Act 
does not explicitly grant parents a separate right to control 
disclosures to third parties, the Commission believes that this is a 
reasonable and appropriate construction of the Act, particularly in 
light of the rulemaking record and other considerations.
---------------------------------------------------------------------------

    \168\ See, e.g., 144 Cong. Rec. at S11657, S11658 (Statement of 
Sen. Bryan).
    \169\ 15 U.S.C. 6502(b)(1)(A)(ii).
---------------------------------------------------------------------------

    Indeed, the record shows that disclosures to third parties are 
among the most sensitive and potentially risky uses of children's 
personal information.\170\ This is especially true in light of the fact 
that children lose even the protections of the Act once their 
information is disclosed to third parties.\171\ The Commission believes 
that these risks warrant providing parents with the ability to prevent 
disclosures to third parties without foreclosing their children from 
participating in online activities. In addition, the Act prohibits 
collecting more information than is reasonably necessary to participate 
in an activity,\172\ showing Congressional intent to limit information 
practices (such as disclosures to third parties) that do not facilitate 
a child's experience at the site. Finally, the Commission believes that 
allowing parents to limit disclosures to third parties will increase 
the likelihood that they will grant consent for other activities and 
therefore preserve children's access to the medium.\173\
---------------------------------------------------------------------------

    \170\ See CME/CFA et al. (Comment 80) at 26-27; Mars (Comment 
86) at 13; Kraft (Comment 67) at 4-5; Viacom (Comment 79) at 13-14. 
See also Attorneys General (Comment 114) at 4 (citing 1997 survey 
showing that 97% of parents whose children use the Internet believe 
that website operators should not sell or rent children's personal 
information).
    \171\ Thus, for example, parents cannot access information in 
the possession of third parties, or require that it be deleted, as 
they can for operators subject to the Rule. See 15 U.S.C. 
6502(b)(1)(B)(ii),(iii). Nor can they prohibit future use of 
information in the possession of third parties. Compare 15 U.S.C. 
6502(b)(1)(B)(ii). In fact, parents are likely to be unaware of the 
identities and specific information practices of many of the third 
parties that obtain their children's information. See Section 
II.C.3.d, supra (operators need only disclose types of business 
engaged in by third parties and whether those third parties have 
agreed to maintain the confidentiality, security, and integrity of 
personal information received from operator).
    \172\ 15 U.S.C. 6502(b)(1)(C) (prohibiting an operator from 
conditioning participation on the disclosure of more information 
than necessary to participate in an activity).
    \173\ One study found that 97% of parents online did not want 
their children's information disclosed to third parties, suggesting 
that those parents would be more likely to grant consent if they 
could limit such disclosures. Louis Harris & Associates and Dr. Alan 
F. Westin, ``Commerce, Communication, and Privacy Online: A National 
Survey of Computer Users,'' 1997, at 75.
---------------------------------------------------------------------------

    Thus, the Commission believes that providing parents with a choice 
about whether their children's information can be disclosed to third 
parties is within the authority granted by the COPPA, consistent with 
the rulemaking record, and important to the protection of children's 
privacy. The Commission is therefore retaining this provision.
2. Section 312.5(b): Mechanisms
    Section 312.5(b) of the proposed Rule required that operators make 
reasonable efforts to obtain verifiable parental consent, taking into 
consideration available technology.\174\ Consistent with the language 
of the COPPA, the proposed Rule further clarified that the methods used 
to obtain verifiable parental consent must be reasonably calculated, in 
light of available technology, to ensure that the person providing 
consent is the child's parent.\175\ In the NPR, the Commission provided 
examples of methods that might satisfy these standards, and sought 
comment on the feasibility, costs, and benefits of those methods, as 
well as any others that the Commission should consider.\176\ To gather 
additional relevant information, the Commission held a workshop devoted 
solely to this issue.\177\
---------------------------------------------------------------------------

    \174\ 64 FR at 22756, 22765.
    \175\ Id.; 15 U.S.C. 6501(9).
    \176\ 64 FR at 22756.
    \177\ 64 FR at 34595.
---------------------------------------------------------------------------

    While commenters and participants at the workshop generally 
supported the concept of prior parental consent, they differed on what 
would constitute a verifiable mechanism under this provision. In 
particular, there was considerable debate over whether e-mail based 
mechanisms could provide adequate assurance that the person providing 
consent was the child's parent.

[[Page 59900]]

    Because of concerns that a child using e-mail could pretend to be a 
parent and thereby effectively bypass the consent process,\178\ some 
commenters favored methods that would provide additional confirmation 
of the parent's identity.\179\ These include use of a form to be signed 
by the parent and returned to the operator by postal mail or fax 
(``print-and-send''); (2) use of a credit card in connection with a 
transaction; (3) having the parent call a toll-free number staffed with 
trained personnel; (4) use of e-mail accompanied by a valid digital 
signature; and 5) other electronic methods that are currently available 
or under development.
---------------------------------------------------------------------------

    \178\ This is of particular concern where a child shares an e-
mail account with a parent, which is a common practice. See CME/CFA 
et al. (Comment 80) at 28; APA (Comment 106) at 2; Attorneys General 
(Comment 114) at 11; AETN (Comment 90) at 17-18. In fact, one 
workshop participant reported that 40% of its registered parents 
shared an e-mail address with their children. Aledort/Disney 
(Workshop Tr.153). Another participant reported that 10-20% of its 
registered parents shared the same e-mail address as their children. 
Herman/iCanBuy.com (Workshop Tr 153-54).
    \179\ CME/CFA et al. (Comment 80) at 28; APA (Comment 106) at 1-
2; Nat'l Ass'n of Elementary School Principals (``NAESP'') (Comment 
96) at 1; CARU (Workshop comment 08) at 1-2; Consumers Union 
(Comment 116) at 5-6. See also Attorneys General (Comment 114) at 11 
(supporting the traditional offline consent methods). One commenter 
stressed the need for a high standard for parental consent because 
children under the age of 13 do not have the developmental capacity 
to understand the nature of a website's request for information and 
its implications for privacy. APA (Comment 106) at 1-2.
---------------------------------------------------------------------------

    Some commenters took the position that print-and-send was the 
method least subject to falsification;\180\ they also noted that, 
because it is used by schools, most parents are familiar with it.\181\ 
In addition, participants at the workshop noted that industry members 
currently use print-and-send to ensure that they are obtaining parental 
permission in certain circumstances--for example, when obtaining 
consent to publish a child's art work or letter, or to send a contest 
winner a prize.\182\ Commenters also supported the use of credit cards 
in obtaining parental consent on the grounds that few, if any, children 
under the age of 13 have access to credit cards.\183\ With regard to 
the use of a toll-free number, commenters and workshop participants 
noted that, with proper training, employees can easily learn to 
differentiate between children and adult callers, and that parents 
prefer this method.\184\ Commenters also supported use of digital 
signatures to obtain consent, stating that they would effectively 
verify identity and are currently available.\185\ Finally, testimony at 
the workshop showed that there are a number of other electronic 
products and services that are available now, or under development, 
that could be used to confirm a parent's identity and obtain consent. 
These included services that would provide a parent with a digital 
signature, password, PIN number, or other unique identifier after 
determining that the person seeking the identifier is an adult.\186\
---------------------------------------------------------------------------

    \180\ CBBB (Comment 91) at 18; CARU (Workshop comment 08) at 2; 
NAESP (Comment 96) at 1.
    \181\ NAESP (Comment 96) at 1. This commenter noted that young 
children rarely falsify their parents' signatures. Id. See also 
Douglas L. Brown (Comment 21); Don and Annette Huston (Comment 22).
    \182\ Bagwell/MTV Networks Online (Workshop Tr. 30, 35); 
Randall/MaMaMedia (Workshop Tr. 28); Aledort/Disney (Workshop Tr. 
151); FreeZone Network (IRFA comment 01) at 2; Aftab & Savitt 
(Comment 118) at 6. One comment identified four children's websites 
that have implemented offline consent mechanisms pursuant to the 
CARU guidelines. CARU (Workshop comment 08) at 2; see also CBBB 
(Comment 91) at 23.
    \183\ AOL (Comment 72) at 18-19; iCanBuy.com (Comment 101) at 1; 
Mars (Comment 86) at 13. Among other things, credit cards can be 
used to set up a ``master account'' for the parent with an e-mail 
address to be used exclusively by the parent. Curtin/AOL (Workshop 
Tr. 36-7); Aftab (Comment 117) at 3. See also KidsOnLine.com 
(Comment 108) at 3; Talk City (Comment 110) at 3 (supporting the use 
of a credit card as a method of consent).
    \184\ CARU (Workshop comment 08) at 2; CME/CFA et al. (Comment 
80) at 14; Aftab (Workshop Tr. at 52).
    \185\ See Brandt/VeriSign (Workshop Tr. 199-202) and (Comment 
99) at 1-4 (stating that one year to 18 months would be sufficient 
time for testing and adoption of digital technology applications); 
Teicher/CyberSmart! (Workshop Tr. 191-92, 199); Lucas/PrivaSeek 
(Workshop Tr. 244-45, 299-300) and (Comment 112) at 4 (noting that 
the next step is the adoption of digital signatures by online 
businesses so that they can be made widely available to consumers); 
Hill/ZeroKnowledge (Workshop Tr. 269-73); Johnson/Equifax Secure, 
Inc. (Workshop Tr. 250-59).
    \186\ For example, one workshop participant described a service 
now under development which would use schools to assist in issuing a 
digital certificate to a child after obtaining parental consent. 
Teicher/CyberSmart! (Workshop Tr. 190-94; 196-97; 199). Another 
announced that his portal site would soon launch an e-mail 
authentication system that could verify the age or profession of a 
person, and then assign that person an e-mail address associated 
with his age or status, e.g., J[email protected]; 
M[email protected]. Ismach/BizRocket.com (Workshop 
comment 12) at 1-3; (Workshop Tr. 231-232). Still another has 
developed a permission-based infomediary service that will enable 
consumers to set their preferences as to how their information may 
be disclosed online. PrivaSeek (Comment 112) at 1. Under this 
service, which is expected to be launched by the end of the year, a 
parent could be assigned a password or digital signature following 
initial verification. The charge to participating websites is 
anticipated to be $0.10-$0.20 per name. Lucas/PrivaSeek (Workshop 
Tr. 242-49); PrivaSeek (Comment 112) at 1.
    In addition, another company is currently providing digital 
credentials (a certificate, PIN or password) to consumers after 
authenticating their identity. The company estimates that the cost 
for sites to use this service is $3 to $4 per customer. Johnson/
Equifax Secure (Workshop Tr. 249-59). Another company offers a 
service that enables a child to make purchases, with a parent's 
permission, at participating websites. Parents use a credit or debit 
card to establish an account and then authorize the sites to be 
accessed and the amounts to spend. Herman/iCanBuy.com (Workshop Tr. 
185-190). Yet another company is also planning to launch (by spring 
2000) a free verification service that uses both credit and bank 
cards in conjunction with algorithms to verify the validity of the 
card numbers. The card number would be checked at the consumer's 
browser and would not be collected or transferred over the Internet, 
addressing some consumers' concerns about using credit cards online. 
Oscar Batyrbaev (Comment 125) at 1; Batyrbaev/eOneID.com (Workshop 
Tr. 235-39). Parents without online access will be able to obtain 
verification by telephone. Id.
    Finally, another online company will provide parents and 
children with digital pseudonyms that, following initial 
verification using a digital signature, can be used to verify 
identity. Hill/ZeroKnowledge (Workshop Tr. 268-73). See also Brandt/
VeriSign (Workshop Tr. 195-96, 199-202 ).
---------------------------------------------------------------------------

    Many commenters, however, criticized some of these methods for the 
costs and burdens they are likely to impose on operators. Regarding 
print-and-send, one commenter cited a figure of $2.81 per child to 
process mailed or faxed parental consent forms.\187\ Another noted an 
80% decline in online subscriptions to its magazine when it switched 
from an online subscription model to a form that had to be downloaded 
and mailed.\188\ Still others pointed out that there is no way to 
authenticate a signature to be sure that it is actually the parent who 
has signed the form.\189\
---------------------------------------------------------------------------

    \187\ Clarke/KidsCom.com (Workshop Tr. 22). See also Cartoon 
Network et al. (Comment 77) at 8 (estimating that cost to open and 
sort written consent forms is about $0.08 to $0.31 per child). 
Another comment estimated that the cost per consent by fax and mail, 
including overhead, were $0.94 and $0.89, respectively. Zeeks.com 
(IRFA comment 05) at Attachment (``Compliance Cost Estimate'').
    \188\ Time Warner (Comment 78) at 11. Other commenters stated 
that offline methods might be inconvenient or labor-intensive for 
parents. Dell (Comment 102) at 2; Cartoon Network et al. (Comment 
77) at 6; DMA (Comment 89) at 6-8; Grolier (Comment 111) at 1-2.
    \189\ Richard Storey (Comment 02) at 1; PMA (Comment 107) at 3-
4, 10; PrivaSeek Inc. (Comment 112) at 3.
---------------------------------------------------------------------------

    Regarding the use of credit cards, commenters noted that operators 
would be charged a fee for each transaction,\190\ that not every parent 
has a credit card,\191\ and that some parents do not

[[Page 59901]]

like to use credit cards online.\192\ One credit card company opposed 
the use of credit cards in this manner because it could foster 
unauthorized use and undermine systems used to detect fraud.\193\ 
Commenters also noted that the use of a toll-free number would require 
operators to hire personnel just to answer phones, and would therefore 
be costly.\194\ Finally, a number of commenters contended that while 
digital signatures and other electronic methods may be promising 
alternatives, they are not yet widely available, and therefore are 
impracticable as current methods of compliance.\195\
---------------------------------------------------------------------------

    \190\ Disney et al. (Comment 82) at 8; MPA (Comment 113) at 5; 
DMA (Comment 89) at 7. Two comments stated that credit cards cost up 
to $3 per verification to process. Cartoon Network et al. (Comment 
77) at 10-11; DMA (Comment 89) at 7. One company experienced costs 
ranging from $2 to $3 per verification. Aftab (Workshop Tr. 17).
    \191\ McGraw-Hill (Comment 104 ) at 3; Cartoon Network et al. 
(Comment 77) at 9; KidsOnLine.com (Comment 108) at 3; DMA (Comment 
89) at 7. Some commenters also thought consumers might be troubled 
by the privacy implications of divulging personal information for 
the purpose of granting consent. Brian Burke (Comment 05); Disney et 
al. (Comment 82) at 9; PrivaSeek (Comment 112) at 3; Cartoon Network 
et al. (Comment 77) at 9-10; PMA (Comment 107) at 110; EPIC (Comment 
115) at 10; DMA (Comment 89) at 7; Viacom (Comment 79) at 11.
    \192\ Cartoon Network et al. (Comment 77) at 9-11; DMA (Comment 
89) at 7; PMA (Comment 107) at 10; Viacom (Comment 79) at 11.
    \193\ Visa USA, Inc. (Comment 75) at 2. The Commission 
recognizes that there may be risks in using credit cards for this 
purpose, but notes that this method is already being used for 
similar purposes--for example, to verify that a person is over 18 
for purposes of obtaining access to adult materials online. See 
amicus of Senators Oxley and Coates; eOneID.com (Workshop comment 
09) at Appendix A.
    \194\ Alison J. Richards (Comment 105) at 1; MPA (Comment 113) 
at 5; Cartoon Network et al. (Comment 77) at 11-2. One commenter 
estimated that the cost for telephone consents would be $0.97 for an 
automated answering system, the tapes of which would then need to be 
manually swept to weed out children and enter data into the system. 
Zeeks.com (IRFA Comment 05) at Attachment (``Compliance Cost 
Estimate''). Another commenter estimated the cost of a live operator 
to be $55 per hour plus training costs. Cartoon Network et al. 
(Comment 77) at 12.
    \195\ Richard Storey (Comment 02) at 1; Viacom (Comment 79) at 
12; Disney et al. (Comment 82) at 8-9; DMA (Comment 89) at 5; Alison 
J. Richards (Comment 105) at 1; Amazon.com (Comment 109) at 3; 
Cartoon Network et al. (Comment 77) at 13-15; Grolier (Comment 111) 
at 1; CBBB (Comment 91) at 16-17.
---------------------------------------------------------------------------

    In response to a request for comment on whether e-mail alone would 
satisfy the Act's requirements, commenters presented a variety of 
views. A number of commenters opposed use of e-mail on the grounds that 
it is easily subject to circumvention by children.\196\ While a 
significant number of commenters advocated the use of e-mail,\197\ most 
of them acknowledged that taking additional steps in conjunction with 
e-mail would increase the likelihood that the consent was submitted by 
the parent and not the child.\198\ Such steps would include: the use of 
PIN numbers or passwords; \199\ sending follow-up e-mails to the parent 
to increase the likelihood that the parent will see the request for 
consent; \200\ or allowing e-mail consent only if the parent and child 
have different e-mail addresses.\201\ Still others recommended 
including in the e-mail questions to which the child would be unlikely 
to know the answer.\202\
---------------------------------------------------------------------------

    \196\ Attorneys General (Comment 114) at 11; Robert F. Reid 
(Comment 06); Joseph C. DeMeo (Comment 08); Patrick O'Heffernan 
(Comment 17); NAESP (Comment 96) at 1; APA (Comment 106) at 2; 
Consumers Union (Comment 116) at 5; CME/CFA et al. (Comment 80) at 
15.
    \197\ Cartoon Network et al. (Comment 77) at 15-18; Disney et 
al. (Comment 82) at 7-9; Time Warner (Comment 78) at 10-11; DMA 
(Comment 89) at 5-6. Several commenters stated that Congress must 
have intended e-mail to be used for consent purposes because the Act 
allows online contact information to be collected for the purpose of 
seeking parental consent. Id. (citing 15 U.S.C. 6502(b)(2)(B)). Some 
commenters stated that, in their experience, parents preferred to 
use e-mail to grant consent. Bagwell/MTV Networks Online (Workshop 
Tr. 33-34); Aftab (Workshop Tr. 31).
    \198\ See Aledort/Disney (Workshop Tr. 149-51); Bruening/TRUSTe 
(Workshop Tr. 39); CARU (Workshop comment 08) at 2; Viacom (Comment 
79) at 13; Cartoon Network et al. (Comment 77) at 17; NRF (Comment 
95) at 4.
    \199\ AAAA (Comment 134) at 2; ANA (Comment 93) at 2; Talk City 
(Comment 110) at 3.
    \200\ Disney et al. (Comment 82) at 9; DMA (Comment 89) at 6.
    \201\ AAAA (Comment 134) at 2; ANA (Comment 93) at 2; NRF 
(Comment 95) at 4; MPA (Comment 113) at 5; DMA (Comment 89) at 6. 
The Commission notes that, because children can easily obtain 
multiple e-mail addresses from free e-mail services, this method may 
not ensure verifiability.
    \202\ NRF (Comment 95) at 4; Cartoon Network et al. (Comment 77) 
at 17; Time Warner (Comment 78) at 11; DMA (Comment 89) at 6. The 
Commission notes that this method could pose problems if it requires 
operators to verify the ``answer'' to the questions, or if the child 
is reasonably sophisticated.
---------------------------------------------------------------------------

    Finally, many commenters urged the Commission to temporarily adopt 
a standard under which the consent mechanism required would depend upon 
how the operator intended to use the information (i.e., a ``sliding 
scale'').\203\ Such an approach would permit operators to obtain 
consent at a reasonable cost until secure electronic mechanisms become 
more widely available and affordable. Generally, these commenters 
advocated use of an e-mail based mechanism for purposes of consenting 
to an operator's internal use of information, such as an operator's 
marketing to a child based on the child's preferences, but a ``higher'' 
method of consent, such as use of a credit card or print-and-send form, 
for purposes of consenting to activities that present greater risks to 
children.\204\ In comments and at the workshop, commenters cited public 
postings by children (e.g., in chat rooms and on bulletin boards), as 
well as disclosures of information to third parties, as activities that 
pose such risks.\205\ Other commenters opposed the ``sliding scale'' on 
the ground that it could permit the use of consent mechanisms that fall 
short of the COPPA's requirements.\206\
---------------------------------------------------------------------------

    \203\ See, e.g., Cartoon Network et al. (Comment 77) at 18 
(suggesting that sliding scale sunset in five years); DMA (Workshop 
comment 02) at 1-3 (suggesting that the Commission reexamine the 
scale after a specific period of time or at a point when technology 
has changed); Viacom (Comment 79) at 9-10, 12-14 (five year sunset 
date); Kraft (Comment 67) at 5; Bagwell/MTV Networks Online 
(Workshop Tr. 32-33); CBBB (Comment 91) at 15-18; CTW (Comment 84) 
at 6-7; CARU (Workshop Comment 08) at 1-2; Mars (Comment 86) at 13-
14; PMA (Comment 107) at 4, 11. See also Herman/iCanBuy.com 
(Workshop Tr. 209) (if adopted, should sunset within 12-18 months); 
Teicher/CyberSmart! (Workshop Tr. 199) (predicting significant 
changes in technology that would permit sunset within 18 months).
    \204\ Bagwell/MTV Networks Online (Workshop Tr. 32-33); Kraft 
(Comment 67) at 5.
    \205\ Kraft (Comment 67) at 4-5; Cartoon Network et al. (Comment 
77) at 18; ANA (Comment 93) at 2; CBBB (Comment 91) at 15-18; PMA 
(Comment 107) at 11; CARU (Workshop Comment 08) at 1; Viacom 
(Comment 79) at 13; and Bagwell/MTV Networks Online (Workshop Tr. 
33). The legislative history also reflects special concern for 
children's safety in such online fora as chat rooms, home pages, and 
pen-pal services in which children may make public postings of 
identifying information. See 144 Cong. Rec. S11657 (Statement of 
Sen. Bryan).
    \206\ See, e.g., CME/CFA et al. (Comment 80) at 7.
---------------------------------------------------------------------------

    In determining whether a particular method of obtaining consent is 
``verifiable'' under the COPPA, the Commission must consider: (1) 
whether the method ensures that it is the parent providing the consent; 
and (2) whether the method is a ``reasonable effort,'' taking into 
consideration available technology. In determining what is a 
``reasonable effort'' under the COPPA, the Commission believes it is 
also appropriate to balance the costs imposed by a method against the 
risks associated with the intended uses of the information collected. 
Weighing all of these factors in light of the record, the Commission is 
persuaded that temporary use of a ``sliding scale'' is an appropriate 
way to implement the requirements of the COPPA until secure electronic 
methods become more available and affordable.
    The record shows that certain methods of consent--print-and-send, 
credit card, toll-free number with trained personnel, and digital 
signature--provide appropriate assurances that the person providing 
consent is the child's parent, and thus satisfy the first part of the 
inquiry.\207\ In addition, testimony at the Commission's workshop shows 
that a number of electronic products and services, which could also be 
used to verify a parent's identity and obtain consent, are currently 
available or under development.\208\ The record also shows, however, 
that some of these methods may be costly and others may not be widely 
available at the present time.

[[Page 59902]]

Therefore, under the second prong of the inquiry, the Commission 
believes that, until reliable electronic methods of verification become 
more available and affordable, these methods should be required only 
when obtaining consent for uses of information that pose the greatest 
risks to children.
---------------------------------------------------------------------------

    \207\ Print-and-send and digital signatures were listed as 
acceptable consent mechanisms in Senator Bryan's Floor Statement. 
See 144 Cong. Rec. S11657.
    \208\ See note 186, supra, describing such services.
---------------------------------------------------------------------------

    Thus, under the ``sliding scale,'' the more reliable methods of 
consent will be required for activities involving chat rooms, message 
boards, disclosures to third parties, and other ``disclosures'' as 
defined in Section 312.2 of the Rule.\209\ As noted above, these 
methods include the methods identified in the NPR (print-and-send, 
credit card, toll-free number, and digital signatures),\210\ as well as 
other reliable verification products and services to the extent that 
they are currently available. To minimize costs, the Rule makes clear 
that such methods also include the use of e-mail, as long as it is 
accompanied by a PIN or password obtained through one of the above 
procedures.\211\
---------------------------------------------------------------------------

    \209\ See also 15 U.S.C. 6501(4).
    \210\ 64 FR at 22756.
    \211\ For example, there may be verifying services available to 
operators that would verify a parent's identity and then provide the 
parent with a PIN or password for use with e-mail. Upon receipt of 
the parent's consent via e-mail, an operator could confirm the 
parent's identity with the verifying service. Similarly, as noted 
above, an operator could use e-mail, as long as it were sent through 
an account set up by an adult using a credit card (a ``master 
account''), and reserved for the adult's use. See note 184, supra.
---------------------------------------------------------------------------

    For internal uses of information, operators will be permitted to 
use e-mail to obtain consent, as long as some additional steps are 
taken to provide assurances that the parent is providing the consent. 
Based on the comments, the Commission is persuaded that e-mail alone 
does not satisfy the COPPA because it is easily subject to 
circumvention by children.\212\ The additional steps include sending a 
delayed confirmatory e-mail to the parent following receipt of consent, 
or obtaining a postal address or telephone number from the parent \213\ 
and confirming the parent's consent by letter or telephone call.\214\ 
If such consent mechanisms are used, the operator must notify parents 
that they can revoke any consent given in response to the earlier e-
mail.
---------------------------------------------------------------------------

    \212\ Attorneys General (Comment 114) at 11; Robert F. Reid 
(Comment 06); Joseph C. DeMeo (Comment 08); Patrick O'Hefferman 
(Comment 17); NAESP (Comment 96) at 1; APA (Comment 106) at 2; 
Consumers Union (Comment 116) at 5; CME/CFA et al. (Comment 80) at 
28. In particular, where a parent and child share the same e-mail 
account, as is often the case, a child may easily pretend to be the 
parent and provide consent for himself. See note 179, supra.
    \213\ The Commission expects that operators will keep 
confidential any information obtained from parents in the course of 
obtaining parental consent or providing for parental review of 
information collected from a child.
    \214\ One variation on this approach would require not only a 
confirmatory e-mail to the parent, but also a response from the 
parent confirming the consent. Aledort/Disney (Workshop Tr. 149-
150). See also Disney (Workshop comment 06) at 12. Using this 
method, one workshop participant reported that 33% of parents 
granted consent; 30% declined consent; and 37% never responded. 
Aledort/Disney (Workshop Tr. 152).
---------------------------------------------------------------------------

    Based on evidence in the record, the Commission believes that use 
of a ``sliding scale'' is necessary only in the short term, and that, 
with advances in technology, companies will soon be able to use more 
reliable verifiable electronic methods in all of their 
transactions.\215\ Indeed, as noted above, the record shows that a 
number of products and services, including digital signatures, will 
soon be more widely available to facilitate verifiable parental consent 
at reasonable cost. The Commission therefore plans to phase out the 
``sliding scale'' two years from the effective date of the Rule (i.e., 
April 2002), unless presented with evidence showing that the expected 
progress in available technology has not occurred.\216\ The Commission 
will conduct a review of this issue, using notice and comment, 
approximately eighteen months from the effective date of the Rule 
(i.e., in October 2001).
---------------------------------------------------------------------------

    \215\ Likewise, with advances in technology, the use of e-mail 
(without the more reliable methods of verification) may no longer be 
regarded as a ``reasonable effort'' under the Rule.
    \216\ Comments and testimony at the workshop showed that digital 
signatures and other reliable electronic methods are likely to be 
widely available and affordable within approximately a year to 
eighteen months from the July 1999 the workshop. See Brandt/VeriSign 
(Workshop Tr. 199-202). See also note 188, supra (other secure 
electronic methods are available now or will be available within a 
year from the date of the workshop). Thus, the proposed Rule's 
longer timetable for implementing the ``sliding scale''--two years 
from the Rule's effective date or almost three years from the date 
of the workshop--should provide ample time for these mechanisms to 
develop and become widely available.
---------------------------------------------------------------------------

    The Commission believes that temporary adoption of this ``sliding 
scale'' fulfills the statutory requirement that efforts to provide 
``verifiable parental consent'' be ``reasonable.'' It provides 
operators with cost-effective options until more reliable electronic 
methods become available and affordable, while providing parents with 
the means to protect their children.
3. Section 312.5(c): Exceptions to Prior Parental Consent
    The COPPA sets forth five exceptions to the general requirement 
that operators obtain verifiable parental consent before collecting 
personal information from children.\217\ These limited exceptions were 
intended to facilitate compliance with the Rule, allow for seamless 
interactivity in a wide variety of circumstances, and enable operators 
to respond to safety concerns.\218\ Indeed, many of the concerns raised 
by the commenters, are, in fact, addressed in these exceptions.\219\
---------------------------------------------------------------------------

    \217\ 15 U.S.C. 6502(b)(2).
    \218\ See 144 Cong. Rec. S11658 (Statement of Sen. Bryan).
    \219\ See, e.g., Section II.A.8, supra, regarding the use of the 
exception to maintain website security.
---------------------------------------------------------------------------

    This subsection of the proposed Rule permitted an operator, without 
prior parental consent, to collect: (1) a parent's or child's name and 
online contact information to seek parental consent or to provide 
parental notice; 220 (2) a child's online contact 
information in order to respond on a one-time basis to a specific 
request of the child (e.g., to provide one-time homework help or to 
send a document); 221 (3) a child's online contact 
information in order to respond directly more than once to a specific 
request of the child (e.g., to provide an online magazine subscription, 
or a contest entry and subsequent award) 222 when such 
information is not used to contact the child beyond the scope of that 
request, and the operator provides the parent with notice and an 
opportunity to opt-out; 223 and (4) the name and online 
contact information of the child to the extent reasonably necessary to 
protect the safety of a child participating on the 
website.224 Furthermore, under the proposed Rule, the 
operator may collect, use, or disseminate such information as necessary 
to protect the security or the integrity of the site or service, to 
take precautions against liability, to respond to judicial process, or, 
to the extent permitted under other provisions of law,

[[Page 59903]]

to provide information to law enforcement agencies or for an 
investigation related to public safety.225 A workshop 
participant noted that these exceptions include some of the most 
popular and common online activities.226
---------------------------------------------------------------------------

    \220\ Section 312.5(c)(1).
    \221\ Section 312.5(c)(2). This exception also requires that the 
operator not use the information to recontact the child and that the 
operator delete the information from its records. If the website 
wishes to retain the child's e-mail address for future homework 
assistance, then it would fall into the scope of the exception in 
section 312.5(c)(3) and require parental notice and opt-out. 
Moreover, if the operator wishes to use the information collected 
under this--or any other--exception for other purposes, then the 
operator must follow the notice and consent requirements of the 
Rule.
    \222\ Section 312.5(c)(3). Sending an electronic postcard where 
the website retains the online contact information until the 
postcard is opened would fall under this exception. However, where 
the operator's postcard system sends the requested postcard without 
maintaining the online contact information, this collection would 
fall under section 312.5(c)(2).
    \223\ Section 312.5(c)(3).
    \224\ Section 312.5(c)(4). For example, operators may collect 
online contact information from children participating in their chat 
rooms in order to report to authorities a child's claim that he is 
being abused.
    \225\ Section 312.5(c)(5). Thus, an operator may collect limited 
information in order to protect the security of its site, for 
example, from hackers.
    \226\ Sehgal-Kolbet/CARU (Workshop Tr. 40-41). See also CARU 
(Workshop comment 08) at 2-3.
---------------------------------------------------------------------------

    A number of commenters had specific suggestions with regard to 
modifying the exceptions.227 However, the Commission 
believes that the exceptions, which closely track the statutory 
language, strike the appropriate balance between an operator's 
legitimate need to collect information without prior parental consent 
and the safety needs of children. It is therefore retaining the 
language of the exceptions as proposed.
---------------------------------------------------------------------------

    \227\ For example, some commenters suggested that the Rule 
define ``a reasonable time'' for obtaining consent and deleting 
information under section 312.5(c)(1). PMA (Comment 107) at 12; Mars 
(Comment 86) at 14; CBBB (Comment 91) at 19; CME/CFA et al. (Comment 
80) at 14. See also CDT (Comment 81) at 27. The Commission believes 
that the time period for obtaining consent may vary depending on the 
mechanism used; however, it expects operators to delete information 
obtained under this exception in a timely manner.
---------------------------------------------------------------------------

4. Response to Comments Requesting an Exception for Information 
Collection in the Educational Setting
    Numerous commenters raised concerns about how the Rule would apply 
to the use of the Internet in schools.228 Some commenters 
expressed concern that requiring parental consent for online 
information collection would interfere with classroom activities, 
especially if parental consent were not received for only one or two 
children.229 In response, the Commission notes that the Rule 
does not preclude schools from acting as intermediaries between 
operators and parents in the notice and consent process, or from 
serving as the parents' agent in the process. For example, many schools 
already seek parental consent for in-school Internet access at the 
beginning of the school year. Thus, where an operator is authorized by 
a school to collect personal information from children, after providing 
notice to the school of the operator's collection, use, and disclosure 
practices, the operator can presume that the school's authorization is 
based on the school's having obtained the parent's consent.
---------------------------------------------------------------------------

    \228\ Association of American Publishers (``AAP'') (Comment 70) 
at 4-5; EdPress (Comment 130) at 1-2; MaMaMedia (Comment 85) at 3-4; 
ZapMe! (Comment 76) at 4-5; ALA (Comment 68) at 2-3.
    \229\ Id.
---------------------------------------------------------------------------

    Operators may wish to work with schools to educate parents about 
online educational activities that require websites to collect personal 
information in the school setting. To ensure effective implementation 
of the Rule, the Commission also intends to provide guidance to the 
educational community regarding the Rule's privacy protections.

E. Section 312.6: Right of Parent To Review Personal Information 
Provided by Child

    Section 312.6 of the proposed Rule set forth the requirements for 
providing parental access to personal information collected from the 
child, including what information must be disclosed and how the parent 
could be properly identified.230 In the NPR, the Commission 
sought comment regarding methods of identification, particularly in 
non-traditional family situations, and technological advances under 
development that might ease the process.231
---------------------------------------------------------------------------

    \230\ 64 FR at 22757-58, 22766.
    \231\ 64 FR at 22762-63.
---------------------------------------------------------------------------

1. Access to Information
    The proposed Rule contemplated a two-step approach to parental 
review under Secs. 312.6(a) (1) and (3). First, upon request of a 
properly identified parent, the operator was required to tell the 
parent what types of personal information have been collected from the 
child (e.g., ``Your child has given us his name, address, e-mail 
address, and a list of his favorite computer games''). Second, if 
requested, the operator was required to provide the specific personal 
information collected from the child.232
---------------------------------------------------------------------------

    \232\ 64 FR at 22757-22758.
---------------------------------------------------------------------------

    One commenter suggested that operators be required to provide 
parents with the option of directly requesting the specific information 
collected.233 As was explained in the NPR, operators, after 
obtaining proper identification, can in fact skip the first step 
relating to disclosure of the types of information collected, and 
simply allow parents to review the specific information.234 
Section 312.6(a) was not intended to mandate unnecessary steps, but 
rather to allow for flexibility for all parties. In some instances, 
parents may be satisfied with learning the types of information 
collected and may not need to see the specific personal information 
provided by the child. Similarly, if a parent asks only for the 
specific information collected from the child, the operator need not 
first provide a general list of the categories of information 
collected.235
---------------------------------------------------------------------------

    \233\ CME/CFA et al. (Comment 80) at 16.
    \234\ 64 FR at 22758 n.11. However, as noted in the discussion 
of parental verification below, the Commission has modified the Rule 
to require proper identification only for access to the child's 
specific personal information, not for the types of information 
collected, as originally proposed.
    \235\ One commenter suggested that parental access be limited in 
cases where the operator has collected minimal personal information, 
such as an e-mail address for the sole purpose of sending a periodic 
newsletter or similar mailing, to a simple confirmation that the 
child is on the mailing list. AOL (Comment 72) at 19. In response, 
the Commission notes that the COPPA requires access to all 
information collected from children, regardless of the 
circumstances. See 15 U.S.C. 6502(b)(1)(B).
---------------------------------------------------------------------------

    Another commenter called for operators to provide information 
within a reasonable time or within a specified number of days, and 
suggested that information should be provided to parents on an ongoing 
basis.236 The Commission declines to prescribe a specific 
time period applicable to all parental requests for information, but 
expects that operators will respond to such requests promptly and 
without imposing undue burdens on parents. In addition, the Commission 
believes that requiring operators to provide information to the parent 
on an ongoing basis would be unduly burdensome for both operators and 
parents, who may not need or want this information from the operator.
---------------------------------------------------------------------------

    \236\ Sovern (Comment 33) at 5.
---------------------------------------------------------------------------

2. Parent's Right To Review Information Provided by the Child
    Sections 312.6(a)(2) and (3) of the proposed Rule allowed parents 
to review, change, and delete personal information collected from their 
children.237 Many commenters objected to granting parents 
the right to change information,238 asserting that it was 
unduly burdensome and went beyond the language of the 
Act.239 Other commenters noted that a right to alter data is 
much broader than the right to correct data,240 and 
expressed concern that parents might use this right to

[[Page 59904]]

change or delete grades or test scores at educational sites in conflict 
with federal education statutes and state policies.241
---------------------------------------------------------------------------

    \237\ 64 FR at 22757-58, 22766.
    \238\ See NRF (Comment 95) at 4; DMA (Comment 89) at 17-19; ANA 
(Comment 93) at 6; MPA (Comment 113) at 5-6. See also McGraw-Hill 
(Comment 104) at 8.
    \239\ Commenters also asserted that allowing parents to change 
the information provided by their children threatens the 
confidentiality, security, and integrity of information in the 
operator's possession, putting the operator in jeopardy of violating 
section 312.8 of the Rule. See NRF (Comment 95) at 4; DMA (Comment 
89) at 17-19; MPA (Comment 113) at 5-6. See also McGraw-Hill 
(Comment 104) at 8; Section II.G, infra. Two commenters also stated 
that this provision was unnecessary in light of the parent's right 
under section 312.6(a)(2) to prohibit further collection, use, and 
maintenance of information and to have information deleted. NRF 
(Comment 95) at 4; MPA (Comment 113) at 5-6.
    \240\ DMA (Comment 89) at 17-18; MPA (Comment 113) at 5-6.
    \241\ AAP (Comment 70) at 4; McGraw-Hill (Comment 104) at 4, 8.
---------------------------------------------------------------------------

    Based on the comments, the Commission is revising the Rule to 
eliminate the proposed Rule's requirement that parents be allowed to 
change information provided by their children. Even in the absence of a 
regulatory requirement, however, the Commission believes that operators 
may choose to permit parents to correct data given operators' strong 
incentives to maintain accurate information.242 The 
Commission also agrees that the opportunity to refuse to permit further 
use or to delete information under section 312.6(a)(2) adequately 
protects the interests of the child and parent in this context.
---------------------------------------------------------------------------

    \242\ One commenter observed that sites should be willing to 
permit changes as a matter of good customer service if any 
information is inaccurate. NRF (Comment 95) at 4. Similarly, another 
commenter noted that it, and many other organizations, already 
permit customers to correct data in some way. McGraw-Hill (Comment 
104) at 8.
---------------------------------------------------------------------------

    One commenter noted that a child may not want a parent to know 
about certain information--for example where the child is seeking 
guidance regarding problems with the parent.243 The Act does 
not give the Commission the authority, however, to exempt certain kinds 
of information from the right of parental review.
---------------------------------------------------------------------------

    \243\ MPA (Comment 113) at 5.
---------------------------------------------------------------------------

    Another commenter asked the Commission to consider whether a 
parent's request to delete data should also extend to third parties who 
have received that information from the operator.244 As 
noted above, the Act covers the actions of ``operators,'' not third 
parties. However, the Commission encourages operators to structure 
their contractual arrangements with third parties to require compliance 
with requests for deletion where practicable.
---------------------------------------------------------------------------

    \244\ Attorneys General (Comment 114) at 9.
---------------------------------------------------------------------------

    One commenter asked whether and how long an operator would be 
required to maintain personal information for review.245 
More specifically, the commenter requested that the Commission revise 
the Rule to include a statement that an operator is not required to 
maintain all personal information collected from the child indefinitely 
in anticipation of a subsequent request for review by a 
parent.246 This is particularly important, noted the 
commenter, where an operator wishes to delete personal information 
quickly--for example when monitoring a chat room or message 
board.247 The Commission does not believe it is necessary to 
so modify the Rule, but reiterates that if a parent seeks to review his 
child's personal information after the operator has deleted it, the 
operator may simply reply that it no longer has any information 
concerning that child.
---------------------------------------------------------------------------

    \245\ AOL (Comment 72) at 19.
    \246\ Such a statement was included in the NPR. 64 FR at 22758 
n.12.
    \247\ AOL (Comment 72) at 19-20.
---------------------------------------------------------------------------

    Another commenter asserted that Congress did not intend that an 
operator be required to scour all of its databases for all personal 
information about a child, whether collected online or offline, in 
response to a request from the parent.248 As currently 
amended, the Rule applies only to personal information submitted 
online,249 and, therefore, a parent's access rights under 
the Act do not generally extend to data collected 
offline.250 Nevertheless, if an operator maintains the 
information such that its source (online or offline) cannot be 
determined, the Commission would expect the operator to allow the 
parent to review all of the information. Similarly, if the operator has 
collected information prior to the effective date of the Rule, but 
maintains it in a database with information collected online after the 
effective date in such a way that its source cannot be determined, then 
the operator should allow the parent access to all of the information.
---------------------------------------------------------------------------

    \248\ IDSA (Comment 103) at 6-7.
    \249\ See Section II.A.2, supra.
    \250\ Operators must, however, allow parents to review 
information that was collected online but maintained offline.
---------------------------------------------------------------------------

3. Right To Prohibit Further Use and Collection of the Child's 
Information
    Section 312.6(a)(2) of the proposed Rule allowed parents to refuse 
to permit the operator's further use or collection of the child's 
personal information and to direct the operator to delete the 
information.251 One commenter asserted that, according to 
the legislative history, the parental opt-out serves as a revocation of 
previous consent but does not preclude the operator from seeking 
consent from the parent for the same or different activities in the 
future.252 Therefore, this commenter suggested revising the 
provision to specify that the refusal was limited to activities covered 
``under the consent previously given.'' 253 The Commission 
agrees with the commenter's interpretation of this provision, but 
believes that such a modification is not necessary. The Act requires 
operators to allow parents to refuse to permit further use or future 
collection of personal information from their children.254 
Operators, however, are free to request a new consent from a parent if 
the child seeks to participate at the site in the future.255
---------------------------------------------------------------------------

    \251\ 64 FR at 22757-58, 22766. The Commission expects that 
operators will act upon requests under section 312.6(a)(2) in a 
timely fashion, especially with regard to chat and third party 
disclosures, where safety concerns are often heightened.
    \252\ DMA (Comment 89) at 19-20.
    \253\ Id.
    \254\ 15 U.S.C. 6502(b)(1)(B)(ii).
    \255\ Section 312.6(c) of the Rule retains the Act's proviso 
that an operator may terminate service to a child whose parent has 
refused to permit the operator's further use or collection of 
information from the child, or has directed the operator to delete 
the child's information. 15 U.S.C. 6502(b)(3). As noted in the NPR, 
the operator's right to terminate service to a child is limited by 
section 312.7 of the Rule, which prohibits operators from 
conditioning a child's participation in a game, the offering of a 
prize, or another activity on the child disclosing more personal 
information than is reasonably necessary to participate in the 
activity. 64 FR at 22758, 22766. Section 312.7 tracks the language 
of the statute. See 15 U.S.C. 6502(b)(1)(C). See also CME/CFA et al. 
(Comment 80) at 35-36 (supporting this reading of the Act).
---------------------------------------------------------------------------

4. Parental Verification
    The COPPA requires operators to provide parents with ``a means that 
is reasonable under the circumstances for the parent to obtain any 
personal information collected from [the] child.'' 256 In 
recognition of the danger inherent in requiring an operator to release 
a child's personal information, the Commission, in section 312.6(a) of 
the proposed Rule, required operators to ensure that the person seeking 
to review such information was the child's parent, taking into account 
available technology, without unduly burdening the 
parent.257 In the NPR, the Commission suggested appropriate 
means of complying with this provision, including using a password in 
conjunction with the parental consent process.258
---------------------------------------------------------------------------

    \256\ 15 U.S.C. 6502(b)(1)(B)(iii).
    \257\ 64 FR at 22757, 22766. See also 15 U.S.C. 6502(b)(1)(B) 
(requiring ``proper identification'' of parents).
    \258\ 64 FR at 22758. The other method suggested was using a 
photocopy of the parent's driver's license.
---------------------------------------------------------------------------

    Some commenters contended that parental verification was not 
necessary for access to the types or categories of personal information 
collected from the child under Sec. 312.6(a)(1).\259\ The Commission 
agrees, particularly since the same types or categories of information 
must already be disclosed

[[Page 59905]]

in the operator's notice.\260\ Accordingly, the Rule has been modified 
to eliminate the requirement of parental identification for review of 
the types of information collected from children.\261\ However, under 
Sec. 312.6(a)(3), proper parental identification will be required for 
access to the specific information collected from a child.
---------------------------------------------------------------------------

    \259\ CDT (Comment 81) at 29-30. See also Time Warner (Comment 
78) at 13-14; DMA (Comment 89) at 17 (stringent identification 
requirements not necessary). One commenter stated that assuming an 
operator collects the same categories of information from visitors, 
access requirements could be met with a website form that tells 
parents the data categories maintained. CDT (Comment 81) at 29-30. 
The Commission believes that this method would be appropriate in 
cases where the request for information takes place online.
    \260\ See also 64 FR at 22758 n.13 (stating that it may be 
acceptable for an operator to use a less stringent method of 
parental identification when giving out the types of information 
collected from children).
    \261\ However, operators responding to requests under 
Sec. 312.6(a)(1) may not reveal the names of any children from whom 
they have collected personal information. This change should also 
address the concerns of other commenters who felt the Commission's 
proposed approach to parental review was cumbersome and confusing. 
EPIC (Comment 115) at 5; Highlights (Comment 124) at 2-3.
---------------------------------------------------------------------------

    Another commenter suggested that parents seeking review under this 
section should be required to provide operators with their children's 
identifying information (in the categories that the operator collects) 
in order to prove identity.\262\ The operator would then disclose only 
the non-individually identifiable information (e.g., hobbies) that the 
operator had collected from the child.\263\ The commenter believed that 
this would prevent a non-parent from obtaining information from the 
operator that would enable him to contact the child offline.\264\ 
However, this procedure would not, in fact, prevent access to a child's 
information by someone other than the parent, because many of the 
child's relatives and friends would be able to provide individually 
identifying information such as a telephone number or address. 
Moreover, the Act requires parental access to ``any'' personal 
information collected from the child.\265\ The Commission therefore 
cannot limit the disclosures as suggested.
---------------------------------------------------------------------------

    \262\ CDT (Comment 81) at 29-30.
    \263\ Id.
    \264\ Id.
    \265\ See 15 U.S.C. 6503(b)(1)(B).
---------------------------------------------------------------------------

    A number of commenters addressed the methods of verification that 
could be used to identify parents who seek access to their children's 
specific personal information. Several supported the option of using a 
password-protected e-mail or other secure method, which was 
specifically suggested in the NPR.\266\ Another commenter noted that, 
in order to discourage requests from non-parents, requests for 
information could be made in writing, with confirmation sent to the 
home address.\267\ The Commission recognizes that a number of methods 
might be appropriate for parental verification under this section, and 
allows the operator the flexibility to choose among them. Consistent 
with the verifiable parental consent requirements for ``disclosures'' 
under the Rule, acceptable methods would include print-and-send, use of 
a credit card in connection with a transaction, use of a toll-free 
number staffed by trained personnel, digital signatures, and use of an 
e-mail accompanied by a PIN number or a password obtained through one 
of the verification methods listed above.\268\
---------------------------------------------------------------------------

    \266\ CDT (Comment 81) at 29; CME/CFA et al. (Comment 80) at 34 
(supporting such a system until digital signatures become widely 
available); CBBB (Comment 91) at 22-24. See 64 FR at 22758 and n.14.
    \267\ MPA (Comment 113) at 4-5.
    \268\ As noted in note 213, supra, the Commission expects that 
operators will keep confidential any information obtained from 
parents in the process of obtaining consent or providing for 
parental review of information collected from a child.
---------------------------------------------------------------------------

    One commenter considered photocopies of a driver's license to be 
unnecessarily invasive, viewing a password system as preferable.\269\ 
While the Commission agrees that submission of a driver's license may 
not be preferable to some parents, it should be retained as an option.
---------------------------------------------------------------------------

    \269\ EPIC (Comment 115) at 5-6. Another commenter found 
requiring photocopies of drivers' licenses to be problematic since 
they may reveal additional personal information to the operator 
(such as parents' social security numbers) which parents should not 
be required to disclose. CME/CFA et al. (Comment 80) at 35. One 
commenter identified practicality and feasibility problems in 
connection with requiring a driver's license. CBBB (Comment 91) at 
22.
---------------------------------------------------------------------------

    The Commission did not receive much feedback on technological 
advances under development that might ease the process of parental 
identification. Two commenters referred to digital signatures but noted 
they are not yet generally available.\270\ The World Wide Web 
Consortium's Platform for Privacy Preferences Project (P3P) was also 
cited as a technology under development that might be used by operators 
and parents in the future.\271\ As noted above, the Commission will 
continue to monitor technological advances that might play a useful 
role in identifying parents.\272\
---------------------------------------------------------------------------

    \270\ CME/CFA et al. (Comment 80) at 35; CBBB (Comment 91) at 
16, 23-24.
    \271\ CBBB (Comment 91) at 23-24.
    \272\ See note 186, supra (discussing products and services that 
are available or under development).
---------------------------------------------------------------------------

5. Good Faith and Reasonable Procedures Under Section 312.6(b)
    Section 312.6(b) of the proposed Rule, which tracked the language 
of the Act, stated that disclosures under section 312.6(a)(3) that were 
made in good faith and by following reasonable procedures would not 
give rise to liability under any Federal or State law.\273\ 
Nonetheless, several commenters raised concerns about liability.\274\ 
Two commenters called for specific examples of precautions that 
industry could take to protect itself against liability under other 
laws.\275\ Comments also indicated that verification methods that would 
satisfy section 312.6(a)(3) should be listed in the Rule itself in 
order to provide certainty regarding the reasonableness of an 
operator's action under that provision.\276\ One commenter asserted 
that parental requests for information should be in writing so the 
operator has a record to show good faith compliance with the Rule.\277\
---------------------------------------------------------------------------

    \273\ 64 FR at 22757-58, 22766. See also 15 U.S.C. 6502(a)(2).
    \274\ See generally DMA (Comment 89) at 15-16; Time Warner 
(Comment 78) at 12-13; EdPress (Comment 130) at 2.
    \275\ DMA (Comment 89) at 16; Time Warner (Comment 78) at 13.
    \276\ DMA (Comment 89) at 17; Time Warner (Comment 78) at 13.
    \277\ DMA (Comment 89) at 17.
---------------------------------------------------------------------------

    The Commission recognizes the potential risks associated with the 
access provision and the related concerns about liability. The 
Commission believes, however, that the language of the Rule, which is 
identical to the language set forth in the Act,\278\ strikes the proper 
balance in protecting the interests of the child, operator, and parent. 
An operator can assume that if it employs reasonable procedures to 
implement section 312.6(a)(3), including those listed above and in the 
NPR,\279\ an inadvertent, good faith disclosure of a child's 
information to someone who purports to be a parent will not give rise 
to liability under any Federal or State laws.
---------------------------------------------------------------------------

    \278\ See 15 U.S.C. 6502(a)(2).
    \279\ 64 FR at 22757-58.
---------------------------------------------------------------------------

    Finally, one commenter stated that reasonable procedures for 
disclosure should account for situations where the consenting parent is 
unavailable as a result of death, divorce, or desertion.\280\ The 
Commission understands that family situations can change and that 
circumstances may arise where it will be necessary to provide access to 
a party other than the consenting parent.\281\ The Rule is not intended 
to preclude disclosures in such circumstances as long as they satisfy 
the ``good faith'' and ``reasonable procedures'' standards.
---------------------------------------------------------------------------

    \280\ CME/CFA et al. (Comment 80) at 16.
    \281\ It should be noted that the Rule's definition of 
``parent'' in section 312.2 provides some flexibility in addressing 
changing family situations. See Section II.A.7, supra.

---------------------------------------------------------------------------

[[Page 59906]]

F. Section 312.7: Prohibition Against Conditioning a Child's 
Participation on Collection of Personal Information

    Section 312.7 of the proposed Rule, which tracks the language of 
the Act and is retained in the final Rule, prohibited operators from 
conditioning a child's participation in a game, the offering of a 
prize, or another activity on the child's disclosing more personal 
information than is reasonably necessary to participate in such 
activity.\282\ This section prohibits operators from tying the 
provision of personal information to such popular and persuasive 
incentives as prizes or games, while preserving children's access to 
such activities.
---------------------------------------------------------------------------

    \282\ 64 FR at 22758, 22766; 15 U.S.C. 6502(b)(1)(C). One 
commenter supporting this provision stated that children should not 
be enticed to turn over personal information. CDT (Comment 81) at 
30.
---------------------------------------------------------------------------

G. Section 312.8: Confidentiality, Security, and Integrity of Personal 
Information Collected From Children

    Under section 312.8 of the proposed Rule, operators were required 
to establish and maintain reasonable procedures to protect the 
confidentiality, security, and integrity of personal information 
collected from children.\283\ More specifically, operators must have 
adequate policies and procedures for protecting children's personal 
information from loss, misuse, unauthorized access, or disclosure. In 
the NPR, the Commission offered a number of options that operators 
could use to implement this provision,\284\ and sought comment 
regarding practices that are commonly used, practices that provide the 
strongest protection, and the costs of implementation.\285\ After 
reviewing the comments, the Commission has decided to retain this 
provision, which tracks the requirements of the Act.\286\
---------------------------------------------------------------------------

    \283\ 64 FR at 22758-59, 22766.
    \284\ Protections identified in the NPR included: designating an 
individual in the organization to be responsible for maintaining and 
monitoring the security of the information; requiring passwords for 
access to the personal information; creating firewalls; utilizing 
encryption; implementing access control procedures in addition to 
passwords; implementing devices and procedures to protect the 
physical security of the data processing equipment; storing the 
personal information collected online on a secure server that is not 
accessible from the Internet; installing security cameras and 
intrusion-detection software to monitor who is accessing the 
personal information; or installing authentication software to 
determine whether a user is authorized to enter through a firewall. 
64 FR at 22758.
    \285\ 64 FR at 22763.
    \286\ See 15 U.S.C. 6502(b)(1)(D).
---------------------------------------------------------------------------

    Commenters suggested procedures for complying with this provision, 
including: using secure web servers and firewalls; \287\ deleting 
personal information once it is no longer being used; \288\ limiting 
employee access to data \289\ and providing those employees with data-
handling training; \290\ and carefully screening the third parties to 
whom such information is disclosed.\291\ The Commission agrees that 
these are appropriate measures to take under this provision.
---------------------------------------------------------------------------

    \287\ Attorneys General (Comment 114) at 12; CME/CFA et al. 
(Comment 80) at 36.
    \288\ Attorneys General (Comment 114) at 12; CME/CFA et al. 
(Comment 80) at 36; CDT (Comment 81) at 30.
    \289\ Attorneys General (Comment 114) at 12; CME/CFA et al. 
(Comment 80) at 36.
    \290\ CME/CFA et al. (Comment 80) at 36.
    \291\ Id. at 17.
---------------------------------------------------------------------------

    One commenter noted that security procedures requiring special 
hardware, software, and/or encryption are costly.\292\ The Commission 
is mindful of the potential costs of complying with the Rule, and thus, 
allows operators to choose from a number of appropriate methods of 
implementing this provision.
---------------------------------------------------------------------------

    \292\ iCanBuy.com (Comment 101) at 4.
---------------------------------------------------------------------------

H. Section 312.9: Enforcement

    This section of the proposed Rule stated that a violation of the 
Commission's rules implementing the COPPA would be treated as a 
violation of a rule defining an unfair or deceptive act or practice 
prescribed under section 18(a)(1)(B) of the Federal Trade Commission 
Act, 15 U.S.C. 57a(a)(1)(B). The Commission has modified this provision 
to incorporate the final citation form for relevant provisions of the 
Act.\293\
---------------------------------------------------------------------------

    \293\ See 15 U.S.C. 6502(c).
---------------------------------------------------------------------------

I. Section 312.10: Safe Harbors

1. In General
    This section of the Rule provides that an operator's compliance 
with Commission-approved self-regulatory guidelines serves as a safe 
harbor in any enforcement action for violations of this Rule.\294\ As 
the Commission noted in the NPR, this section serves as an incentive 
for industry self-regulation; by allowing flexibility in the 
development of self-regulatory guidelines, it ensures that the 
protections afforded children under this Rule are implemented in a 
manner that takes into account industry-specific concerns and 
technological developments.\295\ To receive safe harbor treatment, an 
operator can comply with any Commission-approved guidelines. The 
operator need not independently apply for approval if in fact the 
operator is fully complying with guidelines already approved by the 
Commission that are applicable to the operator's business.\296\
---------------------------------------------------------------------------

    \294\ Seventeen commenters addressed this provision of the 
proposed Rule. MaMaMedia (Comment 85) at 3-4; IDSA (Comment 103) at 
7; ANA (Comment 93) at 2-3; MLG Internet (Comment 119) at 2; AAAA 
(Comment 134) at 4; Consumers Union (Comment 116) at 6; SNAP/
CollegeEdge (Comment 123) at 1; Mars (Comment 86) at 15-16; CBBB 
(Comment 91) at 27-37; TRUSTe (Comment 97) at 2; Bonnett (Comment 
126) at 6; DMA (Comment 89) at 27-29; CME/CFA, et al. (Comment 80) 
at 37; McGraw-Hill (Comment 104) at 8-9; PrivacyBot.com (Comment 32) 
(unpaginated); Disney (Comment 82) at 10; EPIC (Comment 115) at 6-7.
    \295\ 64 FR at 22759.
    \296\ Id.
---------------------------------------------------------------------------

    In an enforcement action, the Commission has the burden of proving 
non-compliance with the Rule's requirements. The standards enunciated 
in the Rule thus remain the benchmark against which industry's conduct 
will ultimately be judged. Compliance with approved guidelines, 
however, will serve as a safe harbor in any enforcement action under 
the Rule. That is, if an operator can show full compliance with 
approved guidelines, the operator will be deemed in compliance with the 
Rule. The Commission retains discretion to pursue enforcement under the 
Rule if approval of the guidelines was obtained based upon incomplete 
or inaccurate factual representations, or if there has been a 
substantial change in circumstances, such as the failure of an industry 
group to obtain approval for a material modification to its 
guidelines.\297\
---------------------------------------------------------------------------

    \297\ Id.
---------------------------------------------------------------------------

2. Criteria for Approval of Self-Regulatory Guidelines
    Section 312.10(b)(1) of the proposed Rule stated that, in order to 
be approved by the Commission, self-regulatory guidelines must require 
subject operators to implement the protections afforded children under 
the proposed Rule.\298\ Two commenters were concerned that this 
provision was not sufficiently flexible to serve as an incentive for 
self-regulation. They expressed the view that the Rule should not 
dictate the content of self-regulatory guidelines.\299\ Another 
commenter stated that the Commission should allow a wide range of self-
regulation.\300\ The Commission believes that the language of the 
proposed Rule conveyed less flexibility in this regard than was 
originally intended. The Rule therefore clarifies that promulgators of 
self-

[[Page 59907]]

regulatory guidelines may comply with this section by requiring subject 
operators to implement ``substantially similar requirements that 
provide the same or greater protections for children as those contained 
in sections 312.2-312.8 of the Rule.'' \301\ Under section 312.10(c) of 
the Rule, the burden remains with persons seeking Commission approval 
of guidelines to demonstrate that the guidelines in fact meet this 
standard.
---------------------------------------------------------------------------

    \298\ Id.
    \299\ DMA (Comment 89) at 27 (stating that, rather than 
prescribe the content of self-regulatory guidelines, the Commission 
should approve guidelines based upon their ``overall merits''); MLG 
Internet (Comment 119) at 2 (stating that the Commission should 
allow self-regulatory groups to create rules that meet the COPPA's 
goals).
    \300\ Mars (Comment 86) at 16.
    \301\ Of course, promulgators of guidelines may also require 
subject operators to implement the precise information practices set 
forth in the Rule.
---------------------------------------------------------------------------

    In a similar vein, some commenters believed that the particular 
assessment mechanisms and compliance incentives listed as options in 
sections 312.10(b)(2) and 312.10(b)(3), respectively, of the proposed 
Rule were, in fact, mandatory practices.\302\ In the NPR, the 
Commission sought to clarify that these sections set out performance 
standards and that the listed methods were only suggested means for 
meeting these standards.\303\ In light of the confusion evidenced by 
the comments, the Commission has amended these sections to make this 
express.\304\
---------------------------------------------------------------------------

    \302\ DMA (Comment 89) at 28; PrivacyBot.com (Comment 32) 
(unpaginated). One commenter expressed the view that by requiring 
self-regulatory groups affirmatively to monitor their members' 
compliance, rather than take action only in response to consumer 
complaints, the proposed Rule in effect deputizes industry 
organizations to police their members on the Commission's behalf. 
DMA (Comment 89) at 28. However, the Commission believes that, to 
the contrary, the Rule's safe harbor provisions allow industry to 
craft effective alternatives to Commission enforcement.
    \303\ 64 FR at 22759.
    \304\ One commenter was concerned that section 312.10(b)(2) 
could be read to require ``manual,'' but not ``automated'' means of 
independently assessing subject operators' compliance with self-
regulatory guidelines. PrivacyBot.com (Comment 32) (unpaginated) and 
(IRFA comment 03) at 2.
---------------------------------------------------------------------------

    Thus, section 312.10(b)(2) of the Rule makes explicit that its 
requirement that guidelines include an effective, mandatory mechanism 
for the independent assessment of subject operators' compliance is a 
performance standard. Similarly, section 312.10(b)(3) of the Rule 
states that its requirement that guidelines include effective 
incentives for subject operators' compliance is a performance standard. 
Both section 312.10(b)(2) and 312.10(b)(3) of the Rule include 
suggested means of meeting their respective performance standards and 
provide that those performance standards may be satisfied by other 
means if their effectiveness equals that of the listed alternatives. 
The Commission believes that the Rule therefore provides the 
flexibility sought by the commenters.
    In the NPR, the Commission stated that operators could not rely 
solely on self-assessment mechanisms to comply with section 
312.10(b)(2).\305\ Commenters were divided on the issue of whether the 
Commission should permit self-assessment as a means of measuring 
operators' compliance with self-regulatory guidelines. Some believed 
that self-assessment, without more, is not an adequate means of 
measuring compliance.\306\ Others believed that the Commission should 
not impose an independent assessment requirement on operators that 
choose not to join third-party compliance programs, as long as their 
information practices satisfy the COPPA.\307\
---------------------------------------------------------------------------

    \305\ 64 FR at 22759.
    \306\ CME/CFA et al. (Comment 80) at 37; CBBB (Comment 91) at 
31.
    \307\ McGraw-Hill (Comment 104) at 9. See also Mars (Comment 86) 
at 15 (stating that the Commission should permit self-assessment).
---------------------------------------------------------------------------

    On balance, the Commission believes that a performance standard 
that incorporates independent assessment is appropriate and necessary. 
Under the safe harbor provision, the Commission looks to the 
promulgators of guidelines, in the first instance, to ensure that those 
guidelines are effectively implemented. The Commission believes that 
independent assessment is the best way to ensure that operators are 
complying with the guidelines.\308\ The Commission notes, however, that 
the Rule does not prohibit the use of self-assessment as one part of an 
organization's efforts under section 312.10(b)(2) to measure subject 
operators' compliance with the Rule, nor does it preclude individual 
operators who have not joined third-party programs from assessing their 
own compliance. The Rule does, however, prohibit the use of self-
assessment as the only means of measuring compliance with self-
regulatory guidelines.
---------------------------------------------------------------------------

    \308\ One commenter suggested that the Commission award safe 
harbor status only to non-profit self-regulatory programs or for-
profit groups whose self-regulatory decisions are insulated from 
owner or investor control. CBBB (Comment 91) at 33-34. The 
Commission believes it is unnecessary to so limit eligibility for 
safe harbor status and further believes that the test for 
eligibility should be the substance of self-regulatory guidelines, 
rather than the corporate structure of their promulgators.
---------------------------------------------------------------------------

    Several commenters suggested that the Commission require that self-
regulatory guidelines include an array of specific practices not listed 
in the proposed Rule. Such practices include, for example: 
comprehensive information practice reviews as a condition of membership 
in self-regulatory programs,\309\ annual compliance affidavits to be 
submitted by subject operators to self-regulatory organizations,\310\ 
quarterly monitoring of operators' information practices by self-
regulatory groups,\311\ public reporting of disciplinary actions taken 
by trade groups against subject operators in publications other than 
trade publications,\312\ and referral to the Commission of all 
violations of approved guidelines \313\ or all failures to comply with 
a self-regulatory group's disciplinary dictates.\314\ Many of these 
ideas have merit, and self-regulatory groups may wish to include some 
or all of them in their proposed guidelines. The Commission does not, 
however, believe that it should require adoption of any specific 
practice or practices as a prerequisite to certification under the 
Rule. Self-regulatory groups or other promulgators of guidelines are 
best suited to determine the appropriateness of such measures, in light 
of the Rule's requirements. The Commission will review the adequacy of 
the proposed enforcement programs in considering specific safe harbor 
requests.
---------------------------------------------------------------------------

    \309\ CBBB (Comment 91) at 29-30.
    \310\ Id. at 32.
    \311\ E.A. Bonnett (Comment 126) at 6.
    \312\ CME/CFA et al. (Comment 80) at 37.
    \313\ Id. 
    \314\ CBBB (Comment 91) at 32.
---------------------------------------------------------------------------

3. Request for Commission Approval of Self-Regulatory Guidelines
    Section 312.10(c)(1)(iii) of the proposed Rule required that 
persons seeking approval of guidelines submit a statement to the 
Commission demonstrating that their proposed guidelines, including 
assessment mechanisms and compliance incentives, comply with the 
proposed Rule.\315\ One commenter suggested that the Commission 
eliminate this requirement.\316\ The Commission believes that the 
burden of demonstrating compliance properly rests on proponents of 
Commission approval and that the guideline approval process will 
benefit from proponents' explanations of their rationale for approval. 
Therefore, the Commission has retained this requirement in the Rule.
---------------------------------------------------------------------------

    \315\ 64 FR at 22759-60. One commenter requested that the 
Commission clarify the status under the Freedom of Information Act 
of proprietary information submitted to the Commission under this 
section. CBBB (Comment 91) at 37. The Commission believes this is 
unnecessary, as such information would be protected from disclosure 
under section 6(f) of the Federal Trade Commission Act and Exemption 
4 of the Freedom of Information Act, to the extent that it 
constitutes ``trade secrets and commercial or financial information 
obtained from a person [that is] privileged or confidential.'' FTCA 
Section 6(f), 15 U.S.C. 46(f); FOIA Exemption 4, 5 U.S.C. 552(b)(4).
    \316\ CBBB (Comment 91) at 36.
---------------------------------------------------------------------------

    Section 312.10 of the proposed Rule did not include a provision 
governing

[[Page 59908]]

approval of changes in previously approved self-regulatory guidelines. 
Several commenters suggested that the Commission amend the proposed 
Rule to include such a provision.\317\ Therefore, section 312.10(c)(3) 
of the Rule now provides that promulgators of approved self-regulatory 
guidelines must submit proposed changes and all supporting 
documentation for review and approval by the Commission. The Commission 
recognizes, however, the need for efficiency in reviewing proposed 
changes to approved guidelines. Only changes in approved guidelines 
will be subject to public notice and comment, not the unaffected 
portions of the guidelines.\318\ Section 312.10(c)(3) of the Rule also 
requires that proponents of changes in approved guidelines submit a 
statement describing how the proposed changes comply with the Rule and 
how they affect existing guideline provisions.
---------------------------------------------------------------------------

    \317\ ANA (Comment 93) at 3; Mars (Comment 86) at 17; and MLG 
Internet (Comment 119) at 2.
    \318\ 64 FR at 22760.
---------------------------------------------------------------------------

    Other comments suggested that the Commission should shorten the 
180-day period for Commission action on submissions,\319\ specify a 
time period for public comment (e.g., 30-45 days),\320\ ``toll'' 
(rather than restart, as proposed in the NPR) the 180-day period for 
Commission action in the event of an incomplete submission of 
supporting documents,\321\ and make guidelines effective upon 
publication of the Commission's decision, rather than 45 days from 
publication in the Federal Register as stated in the NPR.\322\ After 
considering the comments, the Commission agrees that the guidelines 
should become effective upon publication of Commission approval.\323\ 
However, it declines to adopt a single, specific time period for public 
comment, as the appropriate period may well vary with the complexity 
and novelty of the guidelines submitted. Further, the Commission does 
not believe the 180-day time period should be shortened or tolled 
during the comment period, but notes that it intends to complete its 
review within the statutory period.
---------------------------------------------------------------------------

    \319\ CBBB (Comment 91) at 36. This commenter suggested a 90-day 
review period.
    \320\ Id.
    \321\ Id.; Mars (Comment 86) at 17.
    \322\ CBBB (Comment 91) at 36.
    \323\ One commenter requested that the Commission maintain a 
list of parties interested in being contacted by the Commission when 
proposed guidelines are published in the Federal Register and on the 
Commission's website. EPIC (Comment 115) at 7. The Commission 
believes that publication of proposed guidelines is, as a general 
matter, sufficient notice of their submission for approval.
---------------------------------------------------------------------------

4. Records
    Section 312.10(d)(1) of the proposed Rule required that industry 
groups or other persons seeking safe harbor treatment maintain consumer 
complaints for a period not to exceed three years.\324\ As one 
commenter noted, however, the proposed Rule did not specify the length 
of time required for maintaining the other documents specified in this 
section, e.g., records of disciplinary actions against subject 
operators and records of independent assessments of subject operators' 
compliance.\325\ The Commission agrees that this inconsistency is 
unnecessarily confusing. Therefore, the Rule now clarifies that 
industry groups or other persons seeking safe harbor treatment must 
maintain all documents required by this section for a period of three 
years.
---------------------------------------------------------------------------

    \324\ 64 FR at 22760.
    \325\ CBBB (Comment 91) at 37.
---------------------------------------------------------------------------

J. Section 312.11: Rulemaking Review

    Section 312.11 of the proposed Rule retained the Act's requirement 
that the Commission initiate a review proceeding to evaluate the Rule's 
implementation no later than five years after the effective date of the 
Rule and report its results to Congress.\326\ The Commission stated in 
the NPR that the review will address the Rule's effect on: practices 
relating to the collection and disclosure of children's information; 
children's ability to access information of their choice online; and 
the availability of websites directed to children. In addition, 
eighteen months after the effective date of the Rule, the Commission 
will conduct a review of available mechanisms for obtaining verifiable 
parental consent, as discussed above in Section II.D.
---------------------------------------------------------------------------

    \326\ 15 U.S.C. 6506. Two commenters called for conducting the 
review in three years rather than five. CME/CFA et al. (Comment 80) 
at 17; CDT (Comment 81) at 31. The Commission believes that the 
COPPA's five year requirement is appropriate, but will consider 
undertaking a review sooner if warranted.
---------------------------------------------------------------------------

K. Paperwork Reduction Act

    Pursuant to the Paperwork Reduction Act (as amended 44 U.S.C. 
3507(d)), the Commission submitted the proposed Rule to the Office of 
Management and Budget (OMB) for review.\327\ The OMB has approved the 
Rule's information collection requirements.\328\ The Commission did not 
receive any comments that necessitate modifying its cost estimates for 
the Rule's notice requirements.\329\
---------------------------------------------------------------------------

    \327\ The Commission's Supporting Statement submitted to OMB as 
part of the clearance process has been made available on the public 
record of this rulemaking. See Supporting Statement for Information 
Collection Provisions at <http://www.ftc.gov/os/1999/9906/
childprivsup.htm>.
    \328\ The assigned OMB clearance number is 3084-0117.
    \329\ See 64 FR at 22761 (estimating total burden of 18,000 
hours for first year, and 1800 hours for subsequent years).
---------------------------------------------------------------------------

L. Final Regulatory Flexibility Analysis

    The NPR did not include an initial regulatory flexibility analysis 
(IRFA) under the Regulatory Flexibility Act \330\ based on a 
certification that the proposed Rule would not have a significant 
economic impact on a substantial number of small entities. Nonetheless, 
the Commission invited public comment on the proposed Rule's effect on 
small entities to ensure that no significant impact would be 
overlooked.\331\ The Commission received two responsive comments 
suggesting that it publish an IRFA.\332\ While the Commission believed 
that such an analysis was not technically required, it issued an IRFA 
to provide further information and opportunity for public comment on 
the small business impact, if any, of the Rule.\333\
---------------------------------------------------------------------------

    \330\ 5 U.S.C. 603.
    \331\ See 64 FR at 22761.
    \332\ Hons. George Gekas and James Talent, U.S. House of 
Representatives (Comment 74) at 4; U.S. Small Business 
Administration (Comment 128) at 4-5.
    \333\ 64 FR 40525.
---------------------------------------------------------------------------

    This final regulatory flexibility analysis (FRFA) incorporates the 
Commission's initial findings, as set forth in the NPR; addresses the 
comments submitted in response to the IRFA notice; and describes the 
steps the agency has taken in the final Rule to minimize the impact on 
small entities consistent with the objectives of the COPPA.

Succinct Statement of the Need for, and Objectives of, the Rule

    The Rule prohibits unfair or deceptive acts or practices in 
connection with commercial websites' and online services' collection 
and use of personal information from and about children by: (1) 
Enhancing parental involvement in a child's online activities in order 
to protect the privacy of children in the online environment; (2) 
helping to protect the safety of children in online fora such as chat 
rooms, home pages, and pen-pal services in which children may make 
public postings of identifying information; (3) maintaining the 
security of children's personal information collected online; and (4) 
limiting the collection and disclosures of personal information without 
parental consent. The Commission was

[[Page 59909]]

required by the COPPA to issue implementing regulations.\334\
---------------------------------------------------------------------------

    \334\ 15 U.S.C. 6502.
---------------------------------------------------------------------------

Summary of the Significant Issues Raised by the Public Comments in 
Response to the IRFA; Summary of the Assessment of the Agency of 
Such Issues; and Statement of Any Changes Made in the Rule as a 
Result of Such Comments

    In the IRFA, the Commission sought comment regarding the impact of 
the proposed Rule and any alternatives the Commission should consider, 
with a specific focus on the effect of the Rule on small entities.\335\ 
The Commission received five comments, which discussed issues also 
addressed in the Statement of Basis and Purpose, above, including 
notice, verifiable parental consent, security, and safe harbors.
---------------------------------------------------------------------------

    \335\ 64 FR at 40527-28.
---------------------------------------------------------------------------

1. New Notice and Request for Consent

    One commenter contended that the requirement for new notice and 
consent for different uses of a child's personal information under the 
notice and consent sections of the proposed Rule threatened smaller 
operators that rely on mergers and marketing alliances to help build 
their business.\336\ The commenter recommended that new notice and 
consent should be required only when there is a material change in 
intended uses or practices.\337\ As explained in Section II.C.4 and 
II.D.1, above, the Commission has modified its position to require new 
notice and consent only if there is a material change in the 
collection, use, or disclosure of personal information from children.
---------------------------------------------------------------------------

    \336\ KidsOnLine.com (IRFA Comment 02) at 1.
    \337\ Id.
---------------------------------------------------------------------------

2. Verifiable Parental Consent

    Another commenter expressed concern that the proposed Rule's 
consent requirement would result in high compliance costs and a 
substantial reduction in traffic to small sites.\338\ According to the 
commenter, a child's use of collaborative educational tools on the 
Internet should be treated differently from the collection and use of 
personal contact information by marketers. The commenter, who called 
for parental notification and opt-out for such collaborative uses, was 
especially concerned about the loss of business from schools.
---------------------------------------------------------------------------

    \338\ Zeeks.com (IRFA Comment 05) at 2.
---------------------------------------------------------------------------

    The Commission does not have discretion under the statute to waive 
the requirement of verifiable parental consent.\339\ As noted above in 
Section II.D.4, the Rule does not preclude schools from acting as 
intermediaries between operators and parents in the notice and consent 
process, or from serving as the parent's agent in the process. Thus, 
the Rule should not hinder businesses that provide services to schools.
---------------------------------------------------------------------------

    \339\ See 15 U.S.C. 6502; section 312.3 of the Rule. Another 
commenter suggested that operators be permitted to collect some 
personal information to establish a relationship with the child in 
exchange for limited access to the site (such as games) without 
obtaining consent. KidsOnLine.com (IRFA Comment 02 ) at 2.
---------------------------------------------------------------------------

    The Commission is sensitive to commenters' concerns about increased 
costs and reduced traffic to sites. Accordingly, the Commission has 
temporarily adopted a sliding scale approach to verifiable parental 
consent to minimize burdens and costs for operators while still 
providing for parental control of children's personal information. As 
more fully described in Section II.D, inexpensive e-mail mechanisms may 
be used to obtain parental consent for the collection of information 
for internal uses, such as an operator's marketing to a child based on 
information collected about the child's preferences. Only where 
information is subject to ``disclosure'' under section 312.2 of the 
Rule will the other methods of consent be required and, even then, 
operators will have a range of mechanisms from which to choose. 
Further, even after the sliding scale is phased out two years from the 
Rule's effective date, operators will be able to choose from a number 
of consent methods, many of which are expected to be less costly and 
more widely available at that time.\340\ Finally, for certain uses of 
children's personal information, no consent will be required at all 
under the exceptions to prior parental consent set forth in section 
312.5(c) of the Rule.
---------------------------------------------------------------------------

    \340\ See supra note 1868. As described more fully above, the 
Commission will undertake a review eighteen months after the 
effective date of the Rule to determine through public comment 
whether technology has progressed as expected. The impact on small 
businesses will again be carefully considered.
---------------------------------------------------------------------------

3. Confidentiality, Security, and Integrity of Information

    One commenter found the security methods identified in section 
312.8 of the proposed Rule to be effective, but suggested that small 
entities should not be held to the same standards as larger entities 
when evaluating adequate protection under the Rule.\341\ As noted 
earlier, the Rule allows operators flexibility in selecting security 
procedures in accordance with their particular needs.
---------------------------------------------------------------------------

    \341\ KidsOnLine.com (IRFA Comment 02) at 1.
---------------------------------------------------------------------------

4. Safe Harbors

    A commenter suggested that section 312.10 of the proposed Rule 
should more clearly recognize the role automation can play in assessing 
an operator's compliance with privacy seal programs.\342\ As explained 
above in Section II.I.2, section 312.10(b)(2) includes a performance 
standard requiring only that assessment mechanisms be effective, 
mandatory, and independent. In addition to the examples listed in the 
Rule, that performance standard may be satisfied by other equally 
effective means. Thus, the Rule does not preclude the use of automated 
assessment tools that meet the performance standard.
---------------------------------------------------------------------------

    \342\ PrivacyBot.com (IRFA Comment 03) at 2. This commenter 
noted that the examples listed the NPR appeared to call for manual 
assessment mechanisms.
---------------------------------------------------------------------------

Description and Estimate of the Number of Small Entities to Which 
the Rule Will Apply or an Explanation of Why No Such Estimate Is 
Available

    The Rule applies to any commercial operator of an online service or 
website directed to children or any commercial operator that has actual 
knowledge that it is collecting personal information from a child.\343\ 
A precise estimate of the number of small entities that fall within the 
Rule is not currently feasible, in part, because the definition of a 
website directed to children turns on a number of factors that will 
require a factual analysis on a case-by-case basis.\344\ In connection 
with the NPR, IRFA, and the public workshop on verifiable parental 
consent, the Commission has not received any comments providing an 
estimate of the number of small entities to which the Rule will apply.
---------------------------------------------------------------------------

    \343\ Section 312.3. The Rule does not apply to nonprofit 
entities. Section 312.2 (definition of ``operator'').
    \344\ Under section 312.2, in determining whether a commercial 
website or online service is directed to children, the Commission 
will consider its subject matter, visual or audio content, age of 
models, language or other characteristics of the website or online 
service, as well as whether advertising promoting or appearing on 
the website or online service is directed to children.
---------------------------------------------------------------------------

Description of the Projected Reporting, Recordkeeping and Other 
Compliance Requirements of the Rule, Including an Estimate of the 
Classes of Small Entities That Will Be Subject to the Requirement 
and the Type of Professional Skills Necessary for Preparation of 
the Report or Record

    The Commission incorporates by reference its description of the 
projected reporting, recordkeeping and other compliance requirements of 
the Rule, as

[[Page 59910]]

set forth in the IRFA.\345\ The Office of Management and Budget has 
approved the information collection of the Rule \346\ based on the 
Commission's earlier submission for clearance, which has been made 
available on the public record of this rulemaking.\347\ The Commission 
has not received any comments that necessitate modifying its previous 
description of projected compliance requirements.
---------------------------------------------------------------------------

    \345\ See 64 FR at 40526-27.
    \346\ The OMB clearance number is 3084-0117.
    \347\ See Supporting Statement for Information Collection 
Provisions at <http://www.ftc.gov/os/1999/9906/childprivsup.htm>.
---------------------------------------------------------------------------

Description of the Steps the Agency Has Taken To Minimize the 
Significant Economic Impact on Small Entities, Consistent With the 
Stated Objectives of Applicable Statutes, Including a Statement of 
the Factual, Policy, and Legal Reasons for Selecting the 
Alternative Adopted in the Final Rule and Why Each of the Other 
Significant Alternatives to the Rule Considered by the Agency Which 
Affect the Impact on Small Entities Was Rejected

    The Rule incorporates the many performance standards set forth in 
the statute.\348\ Thus, operators are free to choose among a number of 
compliance methods based upon their individual business models and 
needs. Although the Rule's provisions impose some costs, the 
requirements of notice, verifiable parental consent, access, and 
security are mandated by the COPPA itself. The Commission has sought to 
minimize the burden on all businesses, including small entities, by 
adopting flexible standards; \349\ however, it does not have the 
discretion to create exemptions from the Act based on an operator's 
size. Likewise, while the Rule attempts to clarify, consolidate, and 
simplify the statutory requirements for all entities, \350\ the 
Commission has little discretion, if any, to mandate different methods 
or schedules for small entities that would undermine compliance with 
the Act.\351\
---------------------------------------------------------------------------

    \348\ See, e.g., sections 312.4(c), 312.5.
    \349\ See 5 U.S.C. 603(c)(3). The notice requirements, for 
example, have been designed to minimize the burdens on operators in 
a variety of ways. Section 312.4(b) of the Rule permits operators to 
post ``links'' to the required notices, rather than state the 
complete text. Similarly, in response to industry concerns about 
technical feasibility, the Commission has eliminated the requirement 
that the link must be seen without having to scroll down from the 
initial viewing screen. See Section II.C.2, supra.
    \350\ See 5 U.S.C. 603(c)(2).
    \351\ For example, the COPPA requires the online posting of 
privacy policies by websites and online services. A waiver for small 
entities of that prior notice requirement (e.g., by permitting 
notice after the fact) would be inconsistent with the statutory 
mandate. See 15 U.S.C. 6502(b)(1)(A)(i).
---------------------------------------------------------------------------

    Nevertheless, throughout the rulemaking proceeding, the Commission 
has sought to gather information regarding the economic impact of the 
COPPA's requirements on all operators, including small entities. The 
NPR, for example, included a number of questions for public comment 
regarding the costs and benefits associated with notice and 
consent.\352\ Similarly, the subsequent IRFA notice invited public 
comment specifically on the issue of small business impact.\353\ In 
addition, the agenda for the public workshop on verifiable parental 
consent included topics designed to elicit economic impact information. 
In connection with the workshop, the Commission invited additional 
public comment.
---------------------------------------------------------------------------

    \352\ 64 FR at 22761-63.
    \353\ 64 FR 40525.
---------------------------------------------------------------------------

    The Commission has carefully considered responsive comments that 
suggested a variety of alternatives in developing the final Rule. The 
discussion below reviews some of the significant alternatives 
considered and the basis for the Commission's decisions with regard to 
certain notice, parental consent, access, security, and safe harbor 
requirements.

1. New Notice and Request for Consent

    Many commenters contended that requiring operators to undertake new 
notice and consent under sections 312.4(c) and 312.5 for any use not 
covered by a parent's previous consent was burdensome and 
unnecessary.\354\ The Commission is sensitive to the objections raised, 
particularly with respect to mergers, which occur often in this 
industry and which would trigger new notice and consent requirements 
even where there was no significant change in the operator's 
information practices. Eliminating this requirement altogether, 
however, would prevent parents from receiving material information that 
could affect their decisions regarding their child's online 
activities.\355\
---------------------------------------------------------------------------

    \354\ See supra note 143.
    \355\ For example, an operator might initially use a child's 
information only for internal marketing purposes and then later 
undertake a new use involving disclosures to third parties. Such a 
change would likely be important to the parent's consent decision.
---------------------------------------------------------------------------

    In response to comments, including those of small businesses,\356\ 
the Commission has modified the Rule to require new notice and consent 
only if there will be a material change in how the operator collects, 
uses, or discloses personal information from children.\357\ This 
modification should substantially reduce the costs of compliance.
---------------------------------------------------------------------------

    \356\ See KidsOnLine.com (IRFA Comment 02) at 1.
    \357\ See also Section II.C.3.a, supra (discussing section 
312.4(b)(2)(i) (content of notice)).
---------------------------------------------------------------------------

2. Verifiable Parental Consent

    Throughout the rulemaking, the Commission has sought input on what 
mechanisms may be used to satisfy the COPPA's verifiable parental 
consent requirement. As described more fully in Section II.D. above, 
the Commission has temporarily adopted a ``sliding scale'' approach 
that depends upon the use of the child's personal information. This 
approach was recommended by many industry members seeking to preserve 
flexibility for operators while achieving the objectives of the 
Act.\358\ To minimize burdens until more reliable electronic methods 
become more available and affordable, it allows use of e-mail for 
internal uses of personal information, as long as additional steps are 
taken to verify a parent's identity.
---------------------------------------------------------------------------

    \358\ See supra note 203 and accompanying text.
---------------------------------------------------------------------------

    Some commenters had contended that use of e-mail alone should be an 
acceptable method of consent under section 312.5 of the Rule.\359\ 
Commenters also criticized methods such as print-and-send, credit card, 
toll-free numbers, and digital signatures for the costs and burdens 
they might impose.\360\ Based on the comments and workshop discussion, 
the Commission does not believe that use of e-mail alone adequately 
satisfies the statutory requirement that operators make reasonable 
efforts to obtain verifiable parental consent, taking into 
consideration available technology.\361\ According to many commenters, 
e-mail is easily subject to circumvention by children.\362\ In 
particular, where a child and parent share the same e-mail account, as 
is often the case, a child may easily pretend to be a parent and 
provide consent for himself.\363\
---------------------------------------------------------------------------

    \359\ See supra note 197 and accompanying text.
    \360\ See supra notes 187-195 and accompanying text.
    \361\ See 15 U.S.C. 6501(9).
    \362\ See supra note 196 and accompanying text.
    \363\ See supra note 178 and accompanying text.
---------------------------------------------------------------------------

    The Commission does not expect that declining to permit use of e-
mail alone will impose significant costs in terms of foregone 
activities. Websites will be able to engage in many activities that do 
not trigger any prior consent requirements pursuant to the exceptions 
to parental consent set forth in section 312.5(c).\364\ According to a 
workshop participant, these exceptions cover some of the most popular 
and common online activities,

[[Page 59911]]

including newsletters, contests, and online magazine 
subscriptions.\365\
---------------------------------------------------------------------------

    \364\ See Section II.D.3, supra. Prior parental consent is not 
required pursuant to these exceptions. However, in some instances, 
operators must provide parents with notice and an opportunity to opt 
out. See section 312.5(c)(3).
    \365\ See supra note 226.
---------------------------------------------------------------------------

    Moreover, where e-mail mechanisms are employed for internal uses 
under the sliding scale, the additional steps required under section 
312.5 (such as sending a confirmatory e-mail to the parent following 
receipt of consent) should not be especially onerous given the 
availability and ease of automated technology.\366\ Thus, the 
additional steps required should have no deterrent effect on operators 
(or parents).
---------------------------------------------------------------------------

    \366\ A number of commenters recognized that taking additional 
steps would increase the likelihood that it is the parent who is 
providing consent, and some websites already undertake such 
measures. See supra notes 198-203 and accompanying text.
---------------------------------------------------------------------------

    Only for activities that entail ``disclosure'' of a child's 
personal information, as defined in the Rule, such as chat rooms, 
message boards, pen-pal services, and personal home pages, will the 
higher method of consent be triggered.\367\ The comments and public 
workshop discussion provide considerable support for the principle that 
such activities warrant a higher level of protection, given the 
heightened safety concerns.\368\ In order to ensure maximum flexibility 
within this upper tier of the sliding scale, a range of mechanisms will 
be acceptable under the Rule, including postal mail, facsimile, credit 
card in connection with a transaction, toll-free numbers, and digital 
signatures.\369\ To minimize costs, once a parent has provided consent 
through one of these methods and obtained a PIN or password, an 
operator may subsequently obtain consent through an e-mail accompanied 
by such PIN or password.
---------------------------------------------------------------------------

    \367\ To minimize burdens on general audience sites, the 
Commission has revised the Rule so that if a chat room monitor 
strips any posting of individually identifiable information before 
it is made public, the operator will not be deemed to have 
``collected'' the child's personal information for purposes of the 
Rule. See Section II.A.2, supra (discussing section 312.2's 
definition of ``collects or collection''). Moreover, because the 
individually identifiable information has been deleted, the operator 
will not have ``disclosed'' that information under the Rule.
    \368\ See supra note 205 and accompanying text.
    \369\ See section 312.5(b).
---------------------------------------------------------------------------

    In adopting the sliding scale for a two-year period following the 
Rule's effective date, the Commission has sought to minimize any 
burdens of compliance until advancements in technology provide more 
reliable electronic methods at low cost. Based on reports from industry 
members, the Commission expects that this will occur soon.\370\ To 
assess whether such developments have in fact occurred as expected, the 
Commission will undertake a review, using notice and comment, 
approximately eighteen months after the Rule's effective date. All 
businesses, including small entities, will be given the opportunity to 
comment on economic impact issues at that time.
---------------------------------------------------------------------------

    \370\ See Section II.D.2 and note 186, supra.
---------------------------------------------------------------------------

    If technology progresses as expected, operators should have a wide 
variety of reasonable and effective options for providing verifiable 
parental consent. Therefore, phasing out the sliding scale should not 
impose undue burdens on operators seeking to comply with the Rule. 
Moreover, the Commission's amendment to the Rule requiring new notice 
and consent only in the case of Amaterial changes' to an operator's 
information practices should further reduce operators' burdens.

3. Parental Access to Information

    In implementing the COPPA's parental access requirement,\371\ the 
Commission has adopted flexible standards and sought to eliminate any 
unnecessary provisions in the Rule. For example, section 312.6(a)(3) 
requires that operators provide a means of review that ensures that the 
requestor is a parent, taking into account available technology, and 
that is not unduly burdensome to the parent. In response to comments 
that the proposed Rule's right to change information went beyond the 
statute and was onerous, the Commission has omitted that provision from 
the Rule. To eliminate unnecessary costs, the Rule also no longer 
requires parental verification for access to the types or categories of 
personal information collected from the child under section 
312.6(a)(1). However, consistent with the COPPA, which recognized the 
safety concerns inherent in granting access to the child's specific 
information, proper parental verification will be required for access 
to that information under section 312.6(a)(3). As with verifiable 
parental consent, operators may choose from among a variety of 
verification methods, including both online and offline methods.\372\
---------------------------------------------------------------------------

    \371\ See 15 U.S.C. 6502(b)(1)(B)(iii).
    \372\ The Commission will continue to monitor technological 
advances that might play a useful role in identifying parents for 
purposes of granting access. The Commission agrees with comments 
that it is currently premature to mandate the use of certain 
mechanisms still under development or not yet widely available. See 
CBBB (Comment 91) at 24.
---------------------------------------------------------------------------

4. Confidentiality, Security, and Integrity of Information

    As required under the Act, the Rule seeks to ensure a baseline 
level of protection for children's personal information.\373\ The 
Commission recognizes that certain security procedures may be more 
costly for smaller entities than larger entities.\374\ Accordingly, 
section 312.8 allows operators flexibility in selecting reasonable 
procedures in accordance with their business models.\375\
---------------------------------------------------------------------------

    \373\ See 15 U.S.C. 6502(b)(1)(D).
    \374\ See KidsOnLine.com (IRFA Comment 02) at 1.
    \375\ See note 284, supra.
---------------------------------------------------------------------------

5. Safe Harbors

    The safe harbor provisions also utilize performance standards in 
order to minimize burdens and provide incentives for industry self-
regulation, as required by the COPPA.\376\ In response to concerns that 
the proposed Rule appeared inflexible, the Commission has clarified in 
section 312.10(b)(1) that promulgators of self-regulatory guidelines 
may comply with the safe harbor provisions by requiring subject 
operators to implement ``substantially similar requirements that 
provide the same or greater protections for children'' as those 
contained in the Rule. The Commission also has adopted performance 
standards for the assessment mechanisms and compliance incentives in 
sections 312.10(b)(2) and (b)(3). In addition to the examples listed in 
the Rule, these performance standards may be satisfied by other equally 
effective means. In order to maximize efficiency, the Rule further 
provides that only material changes in approved guidelines will be 
subject to the public notice and comment required under this section.
---------------------------------------------------------------------------

    \376\ See 15 U.S.C. 6503.
---------------------------------------------------------------------------

Final Rule

List of Subjects in 16 CFR Part 312

    Children, Children's online privacy protection, Communications, 
Computer technology, Consumer protection, Data protection, Electronic 
mail, E-mail, Information practices, Internet, Online service, Privacy, 
Record retention, Safety, Trade practices, Website, Youth.
    Accordingly, the Federal Trade Commission amends 16 CFR chapter I 
by adding a new Part 312 to read as follows:

PART 312--CHILDREN'S ONLINE PRIVACY PROTECTION RULE

Sec.
312.1  Scope of regulations in this part.
312.2  Definitions.
312.3  Regulation of unfair or deceptive acts or practices in 
connection with the collection, use, and/or disclosure of personal 
information from and about children on the Internet.
312.4  Notice.

[[Page 59912]]

312.5  Parental consent.
312.6  Right of parent to review personal information provided by a 
child.
312.7  Prohibition against conditioning a child's participation on 
collection of personal information.
312.8  Confidentiality, security, and integrity of personal 
information collected from children.
312.9  Enforcement.
312.10  Safe harbors.
312.11  Rulemaking review.

312.12  Severability.
    Authority: Secs. 15 U.S.C. 6501 et seq.


Sec. 312.1  Scope of regulations in this part.

    This part implements the Children's Online Privacy Protection Act 
of 1998, (15 U.S.C. 6501, et seq.,) which prohibits unfair or deceptive 
acts or practices in connection with the collection, use, and/or 
disclosure of personal information from and about children on the 
Internet. The effective date of this part is April 21, 2000.


Sec. 312.2  Definitions.

    Child means an individual under the age of 13.
    Collects or collection means the gathering of any personal 
information from a child by any means, including but not limited to:
    (a) Requesting that children submit personal information online;
    (b) Enabling children to make personal information publicly 
available through a chat room, message board, or other means, except 
where the operator deletes all individually identifiable information 
from postings by children before they are made public, and also deletes 
such information from the operator's records; or
    (c) The passive tracking or use of any identifying code linked to 
an individual, such as a cookie.
    Commission means the Federal Trade Commission.
    Delete means to remove personal information such that it is not 
maintained in retrievable form and cannot be retrieved in the normal 
course of business.
    Disclosure means, with respect to personal information:
    (a) The release of personal information collected from a child in 
identifiable form by an operator for any purpose, except where an 
operator provides such information to a person who provides support for 
the internal operations of the website or online service and who does 
not disclose or use that information for any other purpose. For 
purposes of this definition:
    (1) Release of personal information means the sharing, selling, 
renting, or any other means of providing personal information to any 
third party, and
    (2) Support for the internal operations of the website or online 
service means those activities necessary to maintain the technical 
functioning of the website or online service, or to fulfill a request 
of a child as permitted by Sec. 312.5(c)(2) and (3); or
    (b) Making personal information collected from a child by an 
operator publicly available in identifiable form, by any means, 
including by a public posting through the Internet, or through a 
personal home page posted on a website or online service; a pen pal 
service; an electronic mail service; a message board; or a chat room.
    Federal agency means an agency, as that term is defined in Section 
551(1) of title 5, United States Code.
    Internet means collectively the myriad of computer and 
telecommunications facilities, including equipment and operating 
software, which comprise the interconnected world-wide network of 
networks that employ the Transmission Control Protocol/Internet 
Protocol, or any predecessor or successor protocols to such protocol, 
to communicate information of all kinds by wire, radio, or other 
methods of transmission.
    Online contact information means an e-mail address or any other 
substantially similar identifier that permits direct contact with a 
person online.
    Operator means any person who operates a website located on the 
Internet or an online service and who collects or maintains personal 
information from or about the users of or visitors to such website or 
online service, or on whose behalf such information is collected or 
maintained, where such website or online service is operated for 
commercial purposes, including any person offering products or services 
for sale through that website or online service, involving commerce:
    (a) Among the several States or with 1 or more foreign nations;
    (b) In any territory of the United States or in the District of 
Columbia, or between any such territory and
    (1) Another such territory, or
    (2) Any State or foreign nation; or
    (c) Between the District of Columbia and any State, territory, or 
foreign nation. This definition does not include any nonprofit entity 
that would otherwise be exempt from coverage under Section 5 of the 
Federal Trade Commission Act (15 U.S.C. 45).
    Parent includes a legal guardian.
    Person means any individual, partnership, corporation, trust, 
estate, cooperative, association, or other entity.
    Personal information means individually identifiable information 
about an individual collected online, including:
    (a) A first and last name;
    (b) A home or other physical address including street name and name 
of a city or town;
    (c) An e-mail address or other online contact information, 
including but not limited to an instant messaging user identifier, or a 
screen name that reveals an individual's e-mail address;
    (d) A telephone number;
    (e) A Social Security number;
    (f) A persistent identifier, such as a customer number held in a 
cookie or a processor serial number, where such identifier is 
associated with individually identifiable information; or a combination 
of a last name or photograph of the individual with other information 
such that the combination permits physical or online contacting; or
    (g) Information concerning the child or the parents of that child 
that the operator collects online from the child and combines with an 
identifier described in this definition.
    Third party means any person who is not:
    (a) An operator with respect to the collection or maintenance of 
personal information on the website or online service; or
    (b) A person who provides support for the internal operations of 
the website or online service and who does not use or disclose 
information protected under this part for any other purpose.
    Obtaining verifiable consent means making any reasonable effort 
(taking into consideration available technology) to ensure that before 
personal information is collected from a child, a parent of the child:
    (a) Receives notice of the operator's personal information 
collection, use, and disclosure practices; and
    (b) Authorizes any collection, use, and/or disclosure of the 
personal information.
    Website or online service directed to children means a commercial 
website or online service, or portion thereof, that is targeted to 
children. Provided, however, that a commercial website or online 
service, or a portion thereof, shall not be deemed directed to children 
solely because it refers or links to a commercial website or online 
service directed to children by using information location tools, 
including a directory, index, reference, pointer, or hypertext link. In 
determining whether a commercial website or online service, or a 
portion thereof, is targeted to children, the Commission will consider 
its subject matter, visual or audio content, age of models, language or 
other characteristics of the website or

[[Page 59913]]

online service, as well as whether advertising promoting or appearing 
on the website or online service is directed to children. The 
Commission will also consider competent and reliable empirical evidence 
regarding audience composition; evidence regarding the intended 
audience; and whether a site uses animated characters and/or child-
oriented activities and incentives.


Sec. 312.3  Regulation of unfair or deceptive acts or practices in 
connection with the collection, use, and/or disclosure of personal 
information from and about children on the Internet.

    General requirements. It shall be unlawful for any operator of a 
website or online service directed to children, or any operator that 
has actual knowledge that it is collecting or maintaining personal 
information from a child, to collect personal information from a child 
in a manner that violates the regulations prescribed under this part. 
Generally, under this part, an operator must:
    (a) Provide notice on the website or online service of what 
information it collects from children, how it uses such information, 
and its disclosure practices for such information (Sec. 312.4(b));
    (b) Obtain verifiable parental consent prior to any collection, 
use, and/or disclosure of personal information from children 
(Sec. 312.5);
    (c) Provide a reasonable means for a parent to review the personal 
information collected from a child and to refuse to permit its further 
use or maintenance (Sec. 312.6);
    (d) Not condition a child's participation in a game, the offering 
of a prize, or another activity on the child disclosing more personal 
information than is reasonably necessary to participate in such 
activity (Sec. 312.7); and
    (e) Establish and maintain reasonable procedures to protect the 
confidentiality, security, and integrity of personal information 
collected from children (Sec. 312.8).


Sec. 312.4  Notice.

    (a) General principles of notice. All notices under Secs. 312.3(a) 
and 312.5 must be clearly and understandably written, be complete, and 
must contain no unrelated, confusing, or contradictory materials.
    (b) Notice on the website or online service. Under Sec. 312.3(a), 
an operator of a website or online service directed to children must 
post a link to a notice of its information practices with regard to 
children on the home page of its website or online service and at each 
area on the website or online service where personal information is 
collected from children. An operator of a general audience website or 
online service that has a separate children's area or site must post a 
link to a notice of its information practices with regard to children 
on the home page of the children's area.
    (1) Placement of the notice. (i) The link to the notice must be 
clearly labeled as a notice of the website or online service's 
information practices with regard to children;
    (ii) The link to the notice must be placed in a clear and prominent 
place and manner on the home page of the website or online service; and
    (iii) The link to the notice must be placed in a clear and 
prominent place and manner at each area on the website or online 
service where children directly provide, or are asked to provide, 
personal information, and in close proximity to the requests for 
information in each such area.
    (2) Content of the notice. To be complete, the notice of the 
website or online service's information practices must state the 
following:
    (i) The name, address, telephone number, and e-mail address of all 
operators collecting or maintaining personal information from children 
through the website or online service. Provided that: the operators of 
a website or online service may list the name, address, phone number, 
and e-mail address of one operator who will respond to all inquiries 
from parents concerning the operators' privacy policies and use of 
children's information, as long as the names of all the operators 
collecting or maintaining personal information from children through 
the website or online service are also listed in the notice;
    (ii) The types of personal information collected from children and 
whether the personal information is collected directly or passively;
    (iii) How such personal information is or may be used by the 
operator(s), including but not limited to fulfillment of a requested 
transaction, recordkeeping, marketing back to the child, or making it 
publicly available through a chat room or by other means;
    (iv) Whether personal information is disclosed to third parties, 
and if so, the types of business in which such third parties are 
engaged, and the general purposes for which such information is used; 
whether those third parties have agreed to maintain the 
confidentiality, security, and integrity of the personal information 
they obtain from the operator; and that the parent has the option to 
consent to the collection and use of their child's personal information 
without consenting to the disclosure of that information to third 
parties;
    (v) That the operator is prohibited from conditioning a child's 
participation in an activity on the child's disclosing more personal 
information than is reasonably necessary to participate in such 
activity; and
    (vi) That the parent can review and have deleted the child's 
personal information, and refuse to permit further collection or use of 
the child's information, and state the procedures for doing so.
    (c) Notice to a parent. Under Sec. 312.5, an operator must make 
reasonable efforts, taking into account available technology, to ensure 
that a parent of a child receives notice of the operator's practices 
with regard to the collection, use, and/or disclosure of the child's 
personal information, including notice of any material change in the 
collection, use, and/or disclosure practices to which the parent has 
previously consented.
    (1) Content of the notice to the parent. (i) All notices must state 
the following:
    (A) That the operator wishes to collect personal information from 
the child;
    (B) The information set forth in paragraph (b) of this section.
    (ii) In the case of a notice to obtain verifiable parental consent 
under Sec. 312.5(a), the notice must also state that the parent's 
consent is required for the collection, use, and/or disclosure of such 
information, and state the means by which the parent can provide 
verifiable consent to the collection of information.
    (iii) In the case of a notice under the exception in 
Sec. 312.5(c)(3), the notice must also state the following:
    (A) That the operator has collected the child's e-mail address or 
other online contact information to respond to the child's request for 
information and that the requested information will require more than 
one contact with the child;
    (B) That the parent may refuse to permit further contact with the 
child and require the deletion of the information, and how the parent 
can do so; and
    (C) That if the parent fails to respond to the notice, the operator 
may use the information for the purpose(s) stated in the notice.
    (iv) In the case of a notice under the exception in 
Sec. 312.5(c)(4), the notice must also state the following:
    (A) That the operator has collected the child's name and e-mail 
address or other online contact information to protect the safety of 
the child participating on the website or online service;

[[Page 59914]]

    (B) That the parent may refuse to permit the use of the information 
and require the deletion of the information, and how the parent can do 
so; and
    (C) That if the parent fails to respond to the notice, the operator 
may use the information for the purpose stated in the notice.


Sec. 312.5  Parental consent.

    (a) General requirements. (1) An operator is required to obtain 
verifiable parental consent before any collection, use, and/or 
disclosure of personal information from children, including consent to 
any material change in the collection, use, and/or disclosure practices 
to which the parent has previously consented.
    (2) An operator must give the parent the option to consent to the 
collection and use of the child's personal information without 
consenting to disclosure of his or her personal information to third 
parties.
    (b) Mechanisms for verifiable parental consent. (1) An operator 
must make reasonable efforts to obtain verifiable parental consent, 
taking into consideration available technology. Any method to obtain 
verifiable parental consent must be reasonably calculated, in light of 
available technology, to ensure that the person providing consent is 
the child's parent.
    (2) Methods to obtain verifiable parental consent that satisfy the 
requirements of this paragraph include: providing a consent form to be 
signed by the parent and returned to the operator by postal mail or 
facsimile; requiring a parent to use a credit card in connection with a 
transaction; having a parent call a toll-free telephone number staffed 
by trained personnel; using a digital certificate that uses public key 
technology; and using e-mail accompanied by a PIN or password obtained 
through one of the verification methods listed in this paragraph. 
Provided that: For the period until April 21, 2002, methods to obtain 
verifiable parental consent for uses of information other than the 
``disclosures'' defined by Sec. 312.2 may also include use of e-mail 
coupled with additional steps to provide assurances that the person 
providing the consent is the parent. Such additional steps include: 
sending a confirmatory e-mail to the parent following receipt of 
consent; or obtaining a postal address or telephone number from the 
parent and confirming the parent's consent by letter or telephone call. 
Operators who use such methods must provide notice that the parent can 
revoke any consent given in response to the earlier e-mail.
    (c) Exceptions to prior parental consent. Verifiable parental 
consent is required prior to any collection, use and/or disclosure of 
personal information from a child except as set forth in this 
paragraph. The exceptions to prior parental consent are as follows:
    (1) Where the operator collects the name or online contact 
information of a parent or child to be used for the sole purpose of 
obtaining parental consent or providing notice under Sec. 312.4. If the 
operator has not obtained parental consent after a reasonable time from 
the date of the information collection, the operator must delete such 
information from its records;
    (2) Where the operator collects online contact information from a 
child for the sole purpose of responding directly on a one-time basis 
to a specific request from the child, and where such information is not 
used to recontact the child and is deleted by the operator from its 
records;
    (3) Where the operator collects online contact information from a 
child to be used to respond directly more than once to a specific 
request from the child, and where such information is not used for any 
other purpose. In such cases, the operator must make reasonable 
efforts, taking into consideration available technology, to ensure that 
a parent receives notice and has the opportunity to request that the 
operator make no further use of the information, as described in 
Sec. 312.4(c), immediately after the initial response and before making 
any additional response to the child. Mechanisms to provide such notice 
include, but are not limited to, sending the notice by postal mail or 
sending the notice to the parent's e-mail address, but do not include 
asking a child to print a notice form or sending an e-mail to the 
child;
    (4) Where the operator collects a child's name and online contact 
information to the extent reasonably necessary to protect the safety of 
a child participant on the website or online service, and the operator 
usesd reasonable efforts to provide a parent notice as described in 
Sec. 312.4(c), where such information is:
    (i) Used for the sole purpose of protecting the child's safety;
    (ii) Not used to recontact the child or for any other purpose;
    (iii) Not disclosed on the website or online service; and
    (5) Where the operator collects a child's name and online contact 
information and such information is not used for any other purpose, to 
the extent reasonably necessary:
    (i) To protect the security or integrity of its website or online 
service;
    (ii) To take precautions against liability;
    (iii) To respond to judicial process; or
    (iv) To the extent permitted under other provisions of law, to 
provide information to law enforcement agencies or for an investigation 
on a matter related to public safety.


Sec. 312.6  Right of parent to review personal information provided by 
a child.

    (a) Upon request of a parent whose child has provided personal 
information to a website or online service, the operator of that 
website or online service is required to provide to that parent the 
following:
    (1) A description of the specific types or categories of personal 
information collected from children by the operator, such as name, 
address, telephone number, e-mail address, hobbies, and extracurricular 
activities;
    (2) The opportunity at any time to refuse to permit the operator's 
further use or future online collection of personal information from 
that child, and to direct the operator to delete the child's personal 
information; and
    (3) Notwithstanding any other provision of law, a means of 
reviewing any personal information collected from the child. The means 
employed by the operator to carry out this provision must:
    (i) Ensure that the requestor is a parent of that child, taking 
into account available technology; and
    (ii) Not be unduly burdensome to the parent.
    (b) Neither an operator nor the operator's agent shall be held 
liable under any Federal or State law for any disclosure made in good 
faith and following reasonable procedures in responding to a request 
for disclosure of personal information under this section.
    (c) Subject to the limitations set forth in Sec. 312.7, an operator 
may terminate any service provided to a child whose parent has refused, 
under paragraph (a)(2) of this section, to permit the operator's 
further use or collection of personal information from his or her child 
or has directed the operator to delete the child's personal 
information.


Sec. 312.7  Prohibition against conditioning a child's participation on 
collection of personal information.

    An operator is prohibited from conditioning a child's participation 
in a game, the offering of a prize, or another activity on the child's 
disclosing more personal information than is reasonably necessary to 
participate in such activity.

[[Page 59915]]

Sec. 312.8  Confidentiality, security, and integrity of personal 
information collected from children.

    The operator must establish and maintain reasonable procedures to 
protect the confidentiality, security, and integrity of personal 
information collected from children.


Sec. 312.9  Enforcement.

    Subject to sections 6503 and 6505 of the Children's Online Privacy 
Protection Act of 1998, a violation of a regulation prescribed under 
section 6502 (a) of this Act shall be treated as a violation of a rule 
defining an unfair or deceptive act or practice prescribed under 
section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).


Sec. 312.10  Safe harbors.

    (a) In general. An operator will be deemed to be in compliance with 
the requirements of this part if that operator complies with self-
regulatory guidelines, issued by representatives of the marketing or 
online industries, or by other persons, that, after notice and comment, 
are approved by the Commission.
    (b) Criteria for approval of self-regulatory guidelines. To be 
approved by the Commission, guidelines must include the following:
    (1) A requirement that operators subject to the guidelines 
(``subject operators'') implement substantially similar requirements 
that provide the same or greater protections for children as those 
contained in Secs. 312.2 through 312.9;
    (2) An effective, mandatory mechanism for the independent 
assessment of subject operators' compliance with the guidelines. This 
performance standard may be satisfied by:
    (i) Periodic reviews of subject operators' information practices 
conducted on a random basis either by the industry group promulgating 
the guidelines or by an independent entity;
    (ii) Periodic reviews of all subject operators' information 
practices, conducted either by the industry group promulgating the 
guidelines or by an independent entity;
    (iii) Seeding of subject operators' databases, if accompanied by 
either paragraphs (b)(2)(i) or (b)(2)(ii) of this section; or
    (iv) Any other equally effective independent assessment mechanism; 
and
    (3) Effective incentives for subject operators' compliance with the 
guidelines. This performance standard may be satisfied by:
    (i) Mandatory, public reporting of disciplinary action taken 
against subject operators by the industry group promulgating the 
guidelines;
    (ii) Consumer redress;
    (iii) Voluntary payments to the United States Treasury in 
connection with an industry-directed program for violators of the 
guidelines;
    (iv) Referral to the Commission of operators who engage in a 
pattern or practice of violating the guidelines; or
    (v) Any other equally effective incentive.
    (4) The assessment mechanism required under paragraph (b)(2) of 
this section can be provided by an independent enforcement program, 
such as a seal program. In considering whether to initiate an 
investigation or to bring an enforcement action for violations of this 
part, and in considering appropriate remedies for such violations, the 
Commission will take into account whether an operator has been subject 
to self-regulatory guidelines approved under this section and whether 
the operator has taken remedial action pursuant to such guidelines, 
including but not limited to actions set forth in paragraphs (b)(3)(i) 
through (iii) of this section.
    (c) Request for Commission approval of self-regulatory guidelines.
    (1) To obtain Commission approval of self-regulatory guidelines, 
industry groups or other persons must file a request for such approval. 
A request shall be accompanied by the following:
    (i) A copy of the full text of the guidelines for which approval is 
sought and any accompanying commentary;
    (ii) A comparison of each provision of Secs. 312.3 through 312.8 
with the corresponding provisions of the guidelines; and
    (iii) A statement explaining:
    (A) How the guidelines, including the applicable assessment 
mechanism, meet the requirements of this part; and
    (B) How the assessment mechanism and compliance incentives required 
under paragraphs (b)(2) and (3) of this section provide effective 
enforcement of the requirements of this part.
    (2) The Commission shall act upon a request under this section 
within 180 days of the filing of such request and shall set forth its 
conclusions in writing.
    (3) Industry groups or other persons whose guidelines have been 
approved by the Commission must submit proposed changes in those 
guidelines for review and approval by the Commission in the manner 
required for initial approval of guidelines under paragraph (c)(1). The 
statement required under paragraph (c)(1)(iii) must describe how the 
proposed changes affect existing provisions of the guidelines.
    (d) Records. Industry groups or other persons who seek safe harbor 
treatment by compliance with guidelines that have been approved under 
this part shall maintain for a period not less than three years and 
upon request make available to the Commission for inspection and 
copying:
    (1) Consumer complaints alleging violations of the guidelines by 
subject operators;
    (2) Records of disciplinary actions taken against subject 
operators; and
    (3) Results of the independent assessments of subject operators' 
compliance required under paragraph (b)(2) of this section.
    (e) Revocation of approval. The Commission reserves the right to 
revoke any approval granted under this section if at any time it 
determines that the approved self-regulatory guidelines and their 
implementation do not, in fact, meet the requirements of this part.


Sec. 312.11  Rulemaking review.

    No later than April 21, 2005, the Commission shall initiate a 
rulemaking review proceeding to evaluate the implementation of this 
part, including the effect of the implementation of this part on 
practices relating to the collection and disclosure of information 
relating to children, children's ability to obtain access to 
information of their choice online, and on the availability of websites 
directed to children; and report to Congress on the results of this 
review.


Sec. 312.12  Severability.

    The provisions of this part are separate and severable from one 
another. If any provision is stayed or determined to be invalid, it is 
the Commission's intention that the remaining provisions shall continue 
in effect.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 99-27740 Filed 11-2-99; 8:45 am]
BILLING CODE 6750-01-P