[Federal Register Volume 67, Number 74 (Wednesday, April 17, 2002)]
[Rules and Regulations]
[Pages 18818-18821]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-9272]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 312


Children's Online Privacy Protection Rule

AGENCY: Federal Trade Commission.

ACTION: Final rule amendment.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``the Commission'') issues a 
final amendment to the Children's Online Privacy Protection Rule (``the 
Rule'') to extend, until April 21, 2005, the time period during which 
website operators may use an e-mail message from the parent, coupled 
with additional steps, to obtain verifiable parental consent for the 
collection of personal information from children for internal use by 
the website operator.

EFFECTIVE DATE: April 21, 2002.

ADDRESSES: Requests for copies of the amended Rule and the Statement of 
Basis and Purpose should be sent to: Public Reference Branch, Federal 
Trade Commission, Room H-130, 600 Pennsylvania Avenue NW, Washington, 
DC 20580.

FOR FURTHER INFORMATION CONTACT: Elizabeth Delaney, (202) 326-2903, 
Rona Kelner, (202) 326-2752, or Mamie Kresses, (202) 326-2070, Division 
of Advertising Practices, Bureau of Consumer Protection, Federal Trade 
Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580.

Statement of Basis and Purpose

I. Introduction

    As part of the effort to protect children's online privacy, 
Congress enacted the Children's Online Privacy Protection Act of 1998, 
15 U.S.C. 6501 et seq. (``COPPA''), to prohibit unfair or

[[Page 18819]]

deceptive acts or practices in connection with the collection, use, or 
disclosure of personally identifiable information from children on the 
Internet. On October 20, 1999, the Commission issued its final Rule 
implementing COPPA, which became effective on April 21, 2000.\1\ The 
Rule imposes certain requirements on operators of websites or online 
services directed to children under 13 years of age, or other websites 
or online services that have actual knowledge that they have collected 
information from a child under 13 years of age. Among other things, the 
Rule requires that website operators obtain verifiable parental consent 
prior to collecting, using, or disclosing personal information from 
children under 13 years of age.
---------------------------------------------------------------------------

    \1\ 64 FR 59888 (1999).
---------------------------------------------------------------------------

    The Rule provides that, ``[a]ny method to obtain verifiable 
parental consent must be reasonably calculated, in light of available 
technology, to ensure that the person providing consent is the child's 
parent.''\2\ In order to allow time for reliable electronic methods of 
verification to become widely available and affordable, the Rule sets 
forth a sliding scale approach to obtaining verifiable parental 
consent.\3\ For uses of personal information that will involve 
disclosing the information to the public or third parties, the Rule 
requires that website operators use the more reliable methods of 
obtaining verifiable parental consent. These methods include: using a 
print-and-send form that can be faxed or mailed back to the website 
operator; requiring a parent to use a credit card in connection with a 
transaction; having a parent call a toll-free telephone number staffed 
by trained personnel; using a digital certificate that uses public key 
technology; and using e-mail accompanied by a PIN or password obtained 
through one of the above methods.\4\
---------------------------------------------------------------------------

    \2\ 16 CFR 312.5(b)(1).
    \3\ In a Notice of Proposed Rulemaking and Request for Public 
Comment published in April 1999, the Commission provided examples of 
methods of obtaining verifiable parental consent that might satisfy 
the standard required by COPPA, and sought public comment on the 
feasibility, costs and benefits of these suggested methods. 64 FR 
22750 (1999). In addition, in July 1999, the Commission held a 
workshop devoted entirely to the verifiable parental consent issue. 
64 FR 34595 (1999) (announcement of the public workshop).
    \4\ 16 CFR 312.5(b)(2).
---------------------------------------------------------------------------

    In contrast, if the website operator is collecting personal 
information for its internal use only, the Rule allows verifiable 
parental consent to be obtained through the use of an e-mail message 
from the parent, coupled with additional steps. Such additional steps 
are designed to provide assurances that the person providing the 
consent is the parent and include: sending a confirmatory e-mail to the 
parent after receiving consent; or obtaining a postal address or 
telephone number from the parent and confirming the parent's consent by 
letter or telephone call.\5\
---------------------------------------------------------------------------

    \5\ Id.
---------------------------------------------------------------------------

    At the time it issued the final Rule, the Commission anticipated 
that the sliding scale was necessary only in the short term because the 
more reliable methods of obtaining verifiable parental consent would 
soon be widely available and affordable.\6\ Accordingly, the sliding 
scale was set to expire on April 21, 2002, at which time website 
operators were to obtain verifiable parental consent using the more 
reliable methods for all uses of personal information.\7\ However, when 
the expected progress in available technology did not occur, the 
Commission published a Notice of Proposed Rulemaking and Request for 
Public Comment (``NPR'') in the Federal Register on October 31, 2001, 
proposing to amend the Rule to extend the sliding scale mechanism for 
an additional two years to April 21, 2004.\8\ The Commission requested 
public comment on the proposed extension of time as well as several 
questions regarding the current and anticipated availability and 
affordability of secure electronic mechanisms and/or infomediaries for 
obtaining parental consent. The 30-day comment period closed on 
November 30, 2001. The Commission received 21 comments from an array of 
interested parties, all of which were extremely informative and which 
the Commission has considered in crafting the final amended Rule. Those 
submitting comments included: the FTC-approved COPPA safe harbor 
programs; companies operating Internet sites or businesses; marketing 
and advertising trade groups; publishing groups; and educational 
organizations.\9\
---------------------------------------------------------------------------

    \6\ 64 FR 59902 (1999).
    \7\ 16 CFR 312.5(b)(2).
    \8\ 66 FR 54963 (2001).
    \9\ The comments are discussed below. In addition, a complete 
list of the commenters and their comments appears on the FTC's 
website at www.ftc.gov.
---------------------------------------------------------------------------

II. The Amended Rule

    In the October 2001 NPR, the Commission proposed a two-year 
extension of the sliding scale mechanism because it appeared that the 
expected progress in technology had not occurred to the extent 
necessary to phase out the sliding scale mechanism and require the most 
reliable methods of parental consent for all uses of personal 
information collected from children by websites. After careful 
consideration, the Commission has decided to extend the sliding scale 
mechanism for three years, from April 21, 2002 until April 21, 2005.
    The Rule provides that, ``[a]ny method to obtain verifiable 
parental consent must be reasonably calculated, in light of available 
technology, to ensure that the person providing consent is the child's 
parent.''\10\ In making its initial determination to adopt the sliding 
scale mechanism in the final rulemaking in November 1999, the 
Commission balanced the costs imposed by the method of obtaining 
parental consent and the risks associated with the intended uses of 
information.\11\ Because of the limited availability and affordability 
of the more reliable methods of obtaining consent--including electronic 
methods of verification--the Commission found that these methods should 
only be required when obtaining consent for uses of information that 
posed the greatest risks to children.\12\ Accordingly, the Commission 
implemented the sliding scale, noting that it would ``provide[] 
operators with cost-effective options until more reliable electronic 
methods became available and affordable, while providing parents with 
the means to protect their children.''\13\ The Commission anticipated 
that reliable electronic methods of verification would soon become 
widely available and affordable and, accordingly, determined that a 
two-year sliding scale mechanism would be adequate.\14\
---------------------------------------------------------------------------

    \10\ 16 CFR 312.5(b)(1).
    \11\ 64 FR 59901, 59902 (1999).
    \12\ Id.
    \13\ Id. at 59902.
    \14\ Id.
---------------------------------------------------------------------------

    Having reviewed the rulemaking record, the Commission concludes 
that secure electronic mechanisms and/or infomediary services for 
obtaining verifiable parental consent are not yet widely available at a 
reasonable cost.\15\

[[Page 18820]]

In addition, the Commission finds that support for an extension of the 
sliding scale mechanism is widespread.\16\ The record indicates that 
the sliding scale mechanism to date has been an effective method for 
obtaining parental consent.\17\ At the same time, the Commission finds 
that the safety risk to children of a website collecting personal 
information for its internal use only remains low.\18\ Websites that 
use an e-mail message from the parent, coupled with additional steps, 
to obtain parental consent may only use the personal information 
collected from the child for the internal use of the website, and 
cannot share or disclose this information to third parties or the 
public. If a website wishes to share or disclose personal information 
collected from a child, or allow a child a mechanism to make personal 
information publicly available (for example, through an email account, 
message board or chat room), the website must use the more reliable 
methods of obtaining consent. Indeed, the relatively lower cost of 
seeking permission for internal use of children's information may well 
be part of the reason why more websites do not seek permission to 
disclose information to third parties.
---------------------------------------------------------------------------

    \15\ The overwhelming majority of commenters noted that secure 
electronic mechanisms and/or infomediary services have not yet 
developed to the point where they are widely available and 
affordable. Aftab & Savitt (Comment 1) at 1-2; America Online et al. 
(``AOL'') (Comment 2) at 1-2; Association of American Publishers 
(``AAP'') (Comment 4) at 1-2; Romain Carrere (Comment 6); Children's 
Advertising Review Unit (``CARU'') (Comment 7) at 2; Direct 
Marketing Association et al. (``DMA'') (Comment 9) at 2; 
Entertainment Software Rating Board (``ESRB'') (Comment 10) at 1-2; 
Gardner, Carton & Douglas (``Gardner'') (Comment 11) at 1; Leo 
Burnett Worldwide, Inc. (Comment 12); Magazine Publishers of America 
(``MPA'') (Comment 13); National Cable & Telecommunications 
Association (``NCTA'') (Comment 15) at 1-2; Online Privacy Alliance 
(``OPA'') (Comment 16) at 2; Privo (Comment 17) at 2-3; Promotion 
Marketing Association, Inc. (``PMA'') (Comment 18) at 2; Software & 
Information Industry Association (``SIIA'') (Comment 19) at 2-3; and 
TRUSTe (Comment 21).
    However, one commenter noted that many children's websites had 
made the necessary adjustments and investments within the original 
timeframe provided by the Rule. Circle 1 Network (Comment 8). 
Another commenter said that digital signature technology is 
available from at least one company and should be implemented on a 
mandatory basis in cases where personal information is shared with 
third parties. Jennifer Melendez et al. (Comment 14). Three 
commenters did not address the issue of whether secure electronic 
mechanisms and/or infomediary services are widely available and 
affordable. Aristotle (Comment 3); Association of Educational 
Publishers (``AEP'') (Comment 5); and Office of Attorney General, 
State of Connecticut (Comment 20).
    \16\ Of the 21 comments received by the Commission, 20 addressed 
the issue of whether the sliding scale mechanism should be extended, 
and 19 of those commenters agreed that an extension was warranted. 
Only one commenter favored collapsing the sliding scale as 
originally scheduled. Circle 1 Network (Comment 8). Two other 
commenters supported extending the sliding scale mechanism for 
periods of time less than two years. Romain Carrere (Comment 6) and 
Privo (Comment 17) at 1 & 5. Six commenters supported the two-year 
extension as set out in the NPR. Aftab & Savitt (Comment 1); AAP 
(Comment 4) at 2; CARU (Comment 7) at 2; ESRB (Comment 10); Gardner 
(Comment 11); and Leo Burnett Worldwide, Inc. (Comment 12). An 
additional commenter supported the two-year extension, but only if 
the ``additional steps'' taken with e-mail plus were limited to 
telephone and postal mail follow-up, rather than a confirmatory 
e-mail. TRUSTe (Comment 21). One commenter suggested a 10-year 
extension, DMA (Comment 9) at 3, while eight commenters supported an 
indefinite or permanent extension. AOL et al. (Comment 2) at 1; AEP 
(Comment 5); MPA (Comment 13); Melendez et al. (Comment 14); NCTA 
(Comment 15) at 1-2; OPA (Comment 16) at 2; PMA (Comment 18) at 2; 
and SIIA (Comment 19) at 3. One commenter argued specifically 
against extending the sliding scale indefinitely, Office of Attorney 
General, State of Connecticut (Comment 20), while five other 
commenters noted the value of a finite extension. Aftab & Savitt 
(Comment 1) at 2; CARU (Comment 7) at 2; Gardner (Comment 11) at 1; 
Privo (Comment 17) at 5; and TRUSTe (Comment 21).
    \17\ AOL (Comment 2) at 2-3 (no ``complaints or other record 
evidence that the sliding scale mechanism is inadequate''); DMA 
(Comment 9) at 3 (``not aware of any harm from the use of e-mail 
plus consent''); Leo Burnett Worldwide, Inc. (Comment 12) (``sliding 
scale mechanism has been very effective''); NCTA (Comment 15) at 2 
(``not aware of any complaints against member companies for 
infringement of children's on-line privacy''); and SIIA (Comment 19) 
at 3 (``present approach has worked well'').
    Although none of the commenters articulated specific examples of 
misuse of the sliding scale mechanism, three commenters found the 
email plus method of obtaining parental consent to be ineffective 
and unreliable. Romain Carrere (Comment 6) (children can impersonate 
their parents); Privo (Comment 17) at 2-3 (``e-mail plus may not and 
often does not result in reliable verification'' and ``[i]t is 
commonplace for children to have the requisite knowledge to falsify 
their age or fabricate a spurious e-mail message that is allegedly 
from the parent or guardian''); and TRUSTe (Comment 21) (``it would 
be unwise to extend the lessened protection of `email plus' rule two 
additional years, unless the rule is modified, so that a delayed 
email to the parent's email address is not considered sufficient 
verifiable parental consent'').
    \18\ Aftab & Savitt (Comment 1) at 1 (``Parents appreciate the 
convenience of the e-mail plus consent process, particularly as it 
is coupled with low-risk privacy concerns where information will not 
be disclosed.''); AEP (Comment 5) (``We believe the current `sliding 
scale' approach--allowing Web operators who collect information for 
internal use only to pursue this less stringent form of consent--has 
proved an effective way to balance parental involvement with 
children's freedom to pursue educational experiences online.''); 
CARU (Comment 7) at 1 (``In adopting the sliding scale the 
Commission wisely acknowledged that the risks involved where an 
operator uses a child's personal information solely for its internal 
use, with no disclosure, were minimal.''); DMA (Comment 9) at 2-3 
(``the e-mail plus consent mechanism for internal uses of 
information is successfully protecting children's privacy as 
intended by the Act.''); Gardner (Comment 11) at 2 (noting that 
sites that collect parental consent by e-mail plus may not share 
that information with third parties); MPA (Comment 13) (``e-mail 
based consent mechanism...effectively protects children's personal 
information''); NCTA (Comment 15) at 2 (noting that companies using 
e-mail plus can only use the data collected for internal purposes); 
PMA (Comment 18) at 1-2 (risk of harm to children from improper 
disclosure of their information is ``significantly lower when the 
child's information will not be released to any third parties''); 
and SIIA (Comment 19) at 3 (``sliding scale that provides for 
different methods between data gathered only for internal use and 
that which will be disclosed to third parties is `appropriate to the 
circumstances''').
---------------------------------------------------------------------------

    The Commission finds that the record also shows that the 
anticipated date for the development and deployment of secure 
electronic mechanisms and/or infomediary services on a widespread and 
affordable basis does not appear to be able to be predicted with any 
reasonable certainty at this point in time.\19\ In light of the delayed 
development and deployment of secure electronic mechanisms and/or 
infomediary services for obtaining verifiable parental consent, the 
unpredictability of estimating when such technology will be widely 
available and affordable, and the effectiveness of the present sliding 
scale mechanism, the Commission has determined that an extension of the 
sliding scale mechanism is appropriate. Accordingly, the Commission 
will re-examine this issue when it conducts its statutorily mandated 
review of the Rule, no later than April 21, 2005.\20\
---------------------------------------------------------------------------

    \19\ MPA (Comment 13) at 2 (``New technologies have not yet 
developed to facilitate verifiable parental consent at a reasonable 
cost, and no widely and economically feasible verification 
technology even appears to be on the near horizon.''); OPA (Comment 
16) at 2 (``no clear signals that the anticipated verification 
technology is likely to be economically and widely available in the 
consumer market in the foreseeable future''); PMA (Comment 18) at 2 
(``it is difficult, if not impossible, to predict accurately when 
such technologies will be both available and adopted by a 
significant percentage of consumers''); and SIIA (Comment 19) at 3 
(``In reviewing developments over the last two years, there are no 
clear signals that the anticipated verification technology--
technology that must be low-cost, widely deployed and acceptable to 
consumer end users--is likely to be economically and widely 
available in the consumer market in the foreseeable future.'').
    \20\ 16 CFR 312.11.
---------------------------------------------------------------------------

III. Regulatory Flexibility Act

    The Regulatory Flexibility Act, 5 U.S.C. 601-612, requires agencies 
to prepare and make available to the public regulatory flexibility 
analyses at the proposed and final stages of a rulemaking proceeding, 
except in cases where the agency certifies that the Rule will not have 
a significant economic impact on a substantial number of small 
entities. 5 U.S.C. 605. In its notice of proposed rulemaking, the 
Commission certified that its proposed rule amendment to extend by two 
years the time period during which Web site operators could continue to 
obtain verifiable parental consent under a ``sliding scale'' of 
compliance options would not have a significant economic impact on a 
substantial number of small entities. 66 FR at 54964. Nonetheless, to 
ensure that no significant economic impact on a substantial number of 
small entities is overlooked, the Commission requested public comment 
on the effect of the proposed amendment to the Rule on the costs, 
profitability, and competitiveness of, and employment in, small 
entities. Id.
    The Commission did not receive any comments directly addressing the

[[Page 18821]]

impact of the proposed amendment on small entities. To the extent, 
however, that any small entities are affected by the Rule, the 
Commission believes the public comments support its determination that 
the adoption of the rule amendment will not impose more significant or 
costly compliance methods on Web site operators than the Rule would 
otherwise impose if it were not amended. By adopting a final rule 
amendment that leaves currently effective compliance options in place 
for an additional three years, the Commission is preserving the status 
quo for all Web site operators, including any small entities. Thus, the 
change, if any, in the economic impact of the Rule resulting from the 
final rule amendment, will be less than if the Commission did not amend 
the Rule and the more burdensome requirements of the Rule as originally 
promulgated were allowed to take effect. Accordingly, for these 
reasons, the Commission certifies under the Regulatory Flexibility Act 
that the final rule amendment will not have a significant economic 
impact on a substantial number of small entities. 5 U.S.C. 605. This 
notice also serves as the required certification and statement of the 
Commission's determination to the Small Business Administration.

IV. Paperwork Reduction Act

    This amendment does not amend any information collection 
requirements that have previously been reviewed and approved by the 
Office of Management and Budget pursuant to the Paperwork Reduction 
Act, as amended, 44 U.S.C. 3501 et seq.

Final Rule

List of Subjects in 16 CFR Part 312

    Children, Communications, Consumer protection, Electronic mail, 
E-mail, Internet, Online service, Privacy, Record retention, Safety, 
Science and technology, Trade practices, Website, Youth.


    Accordingly, the Federal Trade Commission amends 16 CFR Part 312 as 
follows:

PART 312--CHILDREN'S ONLINE PRIVACY PROTECTION RULE

    1. The authority citation for this part continues to read as 
follows:

    Authority: 15 U.S.C. 6501 et seq.
    2. Amend Sec. 312.5 by revising the second sentence of paragraph 
(b)(2) to read as follows:


Sec. 312.5  Parental consent.

* * * * *
    (b) * * *
    (2) * * * Provided that: For the period until April 21, 2005, 
methods to obtain verifiable parental consent for uses of information 
other than the ``disclosures'' defined by Sec. 312.2 may also include 
use of e-mail coupled with additional steps to provide assurances that 
the person providing the consent is the parent. * * *
* * * * *

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 02-9272 Filed 4-16-02; 8:45 am]
BILLING CODE 6750-01-P