[Federal Register Volume 70, Number 77 (Friday, April 22, 2005)]
[Proposed Rules]
[Pages 21107-21110]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 05-8160]



  Federal Register / Vol. 70, No. 77 / Friday, April 22, 2005 / 
Proposed Rules  

[[Page 21107]]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 312

RIN 3084-AB00


Children's Online Privacy Protection Rule: Request for Comments

AGENCY: Federal Trade Commission.

ACTION: Request for public comment.

-----------------------------------------------------------------------

SUMMARY: As required by law, the Federal Trade Commission (the ``FTC'' 
or ``Commission'') requests public comment on its implementation of the 
Children's Online Privacy Protection Act (``COPPA'' or ``the Act''), 15 
U.S.C. 6501-6508, through the Children's Online Privacy Protection Rule 
(``COPPA Rule'' or ``the Rule''). The COPPA Rule imposes certain 
requirements on operators of Web sites or online services directed to 
children under 13 years of age and other Web sites or online services 
that have actual knowledge that they are collecting personal 
information from a child under 13 years of age. The Commission requests 
comment on the costs and benefits of the Rule as well as on whether it 
should be retained, eliminated, or modified. The Commission also 
requests comment concerning the Rule's effect on: practices relating to 
the collection and disclosure of information relating to children; 
children's ability to obtain access to information of their choice 
online; and the availability of Web sites directed to children. At the 
end of the FTC's review, the agency will submit a report to Congress 
assessing the implementation of the Rule. All interested persons are 
hereby given notice of the opportunity to submit written data, views, 
and arguments concerning the Rule. As explained in a separate document 
being published elsewhere in this issue of the Federal Register, the 
Commission is also issuing a final amendment to the Rule to extend the 
sliding scale mechanism, which allows Web site operators to use e-mail 
with additional verification steps to obtain verifiable parental 
consent for the collection of personal information from children for 
internal use by the Web site operator, until the conclusion of this 
broader review.

DATES: Comments must be received by June 27, 2005.

ADDRESSES: Comments should refer to ``COPPA Rule Review 2005, Project 
No. P054505'' to facilitate the organization of comments. A comment 
filed in paper form should include this reference both in the text and 
on the envelope, and should be mailed or delivered to the following 
address: Federal Trade Commission/Office of the Secretary, Room 159-H 
(Annex C), 600 Pennsylvania Avenue, NW., Washington, DC 20580. Comments 
containing confidential material must be filed in paper form, must be 
clearly labeled ``Confidential,'' and must comply with Commission Rule 
4.9(c).\1\
---------------------------------------------------------------------------

    \1\ The comment must be accompanied by an explicit request for 
confidential treatment, including the factual and legal basis for 
the request, and must identify the specific portions of the comment 
to be withheld from the public record. The request will be granted 
or denied by the Commission's General Counsel, consistent with 
applicable law and the public interest. See Commission Rule 4.9(c), 
16 CFR 4.9(c).
---------------------------------------------------------------------------

    Comments filed in electronic form should be submitted by clicking 
on the following Web link: https://secure.commentworks.com/ftccopparulereview/ and following the instructions on the Web-based 
form. To ensure that the Commission considers an electronic comment, 
you must file it on the Web-based form at the https://secure.commentworks.com/ftccopparulereview/ Web link. You may also 
visit http://www.regulations.gov to read this request for public 
comment and may file an electronic comment through that Web site. The 
Commission will consider all comments that regulations.gov forwards to 
it.
    The FTC Act and other laws the Commission administers permit the 
collection of public comments to consider and use in this proceeding as 
appropriate. All timely and responsive public comments, whether filed 
in paper or electronic form, will be considered by the Commission, and 
will be available to the public on the FTC Web site, to the extent 
practicable, at http://www.ftc.gov/privacy/privacyinitiatives/childrens_lr.html. As a matter of discretion, the FTC makes every 
effort to remove home contact information for individuals from the 
public comments it receives before placing those comments on the FTC 
Web site. More information, including routine uses permitted by the 
Privacy Act, may be found in the FTC's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

FOR FURTHER INFORMATION CONTACT: Karen Muoio, (202) 326-2491, or Rona 
Kelner, (202) 326-2752, Federal Trade Commission, 600 Pennsylvania 
Avenue, NW., Mail Drop NJ-3212, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Background

    On October 21, 1998, Congress issued COPPA, which prohibits certain 
unfair or deceptive acts or practices in connection with the 
collection, use, or disclosure of personal information from children on 
the Internet.\2\ Pursuant to COPPA's requirements, the Commission 
issued its final Rule implementing COPPA on October 20, 1999.\3\ 
Effective as of April 21, 2000, the Rule imposes certain requirements 
on operators of Web sites or online services directed to children under 
13 years of age, and on operators of other Web sites or online services 
that have actual knowledge that they are collecting personal 
information online from a child under 13 years of age (collectively, 
``operators'').\4\
---------------------------------------------------------------------------

    \2\ 15 U.S.C. 6501-6508.
    \3\ 64 FR 59888 (1999).
    \4\ 16 CFR part 312.
---------------------------------------------------------------------------

    Among other things, the Rule requires that operators provide notice 
to parents and obtain verifiable parental consent prior to collecting, 
using, or disclosing personal information from children under 13 years 
of age. The Rule also requires operators to keep secure the information 
they collect from children and prohibits them from conditioning 
children's participation in activities on the collection of more 
personal information than is reasonably necessary to participate in 
such activity. Further, the Rule provides a safe harbor for operators 
following Commission-approved self-regulatory guidelines, and 
instructions on how to get such guidelines approved.
    When the Commission issued the Rule in 1999, it adopted a sliding 
scale approach to parental consent.\5\ Under such an approach, the 
measures required for parental consent depend on how a Web site 
operator uses children's information. The Commission adopted this 
approach because of the concern that it was not feasible to require 
more technologically advanced methods of consent for internal uses of 
information. To reflect that technology may change, this approach was 
scheduled to sunset in 2002. In 2002, after a public comment process, 
the Commission extended it until April 21, 2005.\6\ In January 2005, 
the Commission sought public comment concerning whether to make the 
sliding scale approach permanent.\7\ The Commission has concluded that 
further evaluation of the sliding scale in the broader context of the 
Commission's

[[Page 21108]]

Rule review would be appropriate.\8\ Therefore, in a separate document 
being published elsewhere in this issue of the Federal Register, the 
Commission is also issuing a final amendment to the Rule to extend the 
sliding scale mechanism pending further review.\9\
---------------------------------------------------------------------------

    \5\ The Commission adopted the sliding scale as part of the Rule 
in 1999 after receiving public comments and conducting a July 1999 
public workshop on consent methods. These comments and a transcript 
of the workshop are located at http://www.ftc.gov/privacy/comments/ 
index.html and http://www.ftc.gov/privacy/ chonlpritranscript.pdf, 
respectively.
    \6\ 67 FR 18818 (2002).
    \7\ 70 FR 2580 (2005).
    \8\ All comments received in response to the January 2005 Notice 
of Proposed Rulemaking and Request for Comment are located at http://www.ftc.gov/os/publiccomments.htm.
    \9\ For purposes of this review, the Commission will continue to 
consider all comments submitted in response to its January 2005 
Notice of Proposed Rulemaking and Request for Comment; accordingly, 
previous commenters need not resubmit their comments.
---------------------------------------------------------------------------

II. Rule Review

    The Children's Online Privacy Protection Act and Section 312.11 of 
the Rule require that the Commission initiate a review no later than 
April 21, 2005, to evaluate the Rule's implementation. The Act and 
Section 312.11 of the Rule mandate that this review specifically 
consider the Rule's effect on: (1) Practices relating to the collection 
and disclosure of information relating to children; (2) children's 
ability to obtain access to information of their choice online; and (3) 
the availability of Web sites directed to children. The Act and Section 
312.11 also require that the Commission report to Congress on the 
results of this review.
    The Commission also reviews each of its rules at least once every 
ten years to determine whether they should be retained, eliminated, or 
modified in light of changes in the marketplace or technology. The FTC 
has not conducted a regulatory review of the Rule since it became 
effective in 2000. The Commission therefore has determined to pose its 
standard regulatory review questions at this time to determine whether 
the Rule should be retained, eliminated, or modified. The Commission 
also has determined that it would be beneficial to seek comments--in 
addition to those already received--on the effectiveness of and need 
for the sliding scale approach to obtaining verifiable parental 
consent.
    The Commission's experience in administering the Rule has raised 
four additional issues on which public comment would be especially 
useful. First, the Commission has been made aware of concerns about the 
factors used to determine whether a Web site is directed at children. 
Currently, such factors include the subject matter of the site, visual 
or audio content, age of models, language used, target audience of 
advertising or promotional materials, and empirical evidence regarding 
audience composition or intended audience. The Commission therefore 
seeks comment on whether the factors should be clarified or 
supplemented.
    Second, the Commission requests comment on an issue that has arisen 
in the context of determining whether a general audience Web site 
operator has actual knowledge of a child's age. Some operators in the 
past have collected age information and refused to allow children to 
participate while informing them that they must be 13 or older to 
participate. The operators then have allowed children to ``back-
button,'' or return to the entry screen, and enter an older age. The 
Final Rule's Statement of Basis and Purpose discusses the meaning of 
``actual knowledge'' and, since the inception of the Rule, the 
Commission has published additional business guidance on the term.\10\ 
The Commission seeks comment on whether the term ``actual knowledge'' 
is sufficiently clear and whether Web site operators are encouraging 
children to back-button and change their age.
---------------------------------------------------------------------------

    \10\ The Children's Online Privacy Protection Rule: Not Just for 
Kids' Sites, available online at http://www.ftc.gov/bcp/conline /
pubs/alerts/coppabizalrt.htm.
---------------------------------------------------------------------------

    Third, the Commission specifically invites comment on the use of 
credit cards as a means of obtaining verifiable parental consent. 
Currently the Rule allows operators to obtain verifiable parental 
consent through the use of a credit card in connection with a 
transaction. It appears that some companies are now marketing debit 
cards to children, who may be able to use these cards to circumvent the 
parental consent requirement. In addition, some operators may be 
failing to conduct an actual transaction with the credit card, which 
provides some extra assurance that the person providing consent is the 
parent. Instead, the operators may be using methods that merely verify 
that a given credit card number is valid.
    Fourth, the Commission seeks comment on the COPPA safe harbor 
program. The Rule's safe harbor provision allows industry groups and 
other entities to seek Commission approval of self-regulatory 
guidelines that implement substantially similar requirements to the 
Rule that provide the same or greater protections for children. 
Operators are deemed to be in compliance with the Rule if they comply 
with a safe harbor program's guidelines. Four safe harbor programs have 
been approved by the Commission--CARU, TRUSTe, ESRB, and Privo--and the 
Commission is interested in feedback on the effectiveness of these 
types of programs.
    The Commission therefore seeks public comments relating to the 
subjects specifically noted in the Act and Section 312.11 of the Rule. 
It also seeks public comments concerning the costs and benefits of the 
Rule, including whether any modifications to the Rule are needed in 
light of changes in technology or in the marketplace. Furthermore, it 
seeks public comment on four practical issues that have arisen in the 
course of Rule enforcement. Public comments will assist the Commission 
in determining whether the Rule needs to be changed and in preparing a 
report to Congress on the effect of the Rule's implementation.

III. Request for Comments

    The Commission invites members of the public to comment on any 
issues or concerns they believe are relevant or appropriate to the 
Commission's review of the COPPA Rule, including written data, views, 
facts, and arguments addressing the Rule. All comments should be filed 
as prescribed in the ADDRESSES section above, and must be received by 
June 27, 2005. The Commission is particularly interested in comments 
addressing the following questions:

A. General Questions for Comment

    (1) Are children's online privacy and safety at greater, lesser, or 
the same risk as existed before COPPA and the Rule? Please explain.
    (2) Is there a continuing need for the Rule as currently 
promulgated? Why or why not?
    (a) Since the Rule was issued, have changes in technology, 
industry, or economic conditions affected the need for or effectiveness 
of the Rule?
    (b) Does the Rule include any provisions, not mandated by the Act, 
that are unnecessary? If so, which ones are unnecessary and why?
    (c) What are the aggregate costs and benefits of the Rule?
    (d) Have the costs or benefits of the Rule dissipated over time?
    (e) Does the Rule contain provisions, not mandated by the Act, 
whose costs outweigh their benefits?
    (3) What effect, if any, has the Rule had on children, parents, or 
other consumers?
    (a) Has the Rule benefitted children, parents, or other consumers? 
If so, how?
    (b) Has the Rule imposed any costs on children, parents, or other 
consumers? If so, what are these costs?
    (c) What changes, if any, should be made to the Rule to increase 
its benefits, consistent with the Act's requirements? What costs would 
these changes impose?

[[Page 21109]]

    (4) What impact, if any, has the Rule had on operators?
    (a) Has the Rule provided benefits to operators? If so, what are 
these benefits?
    (b) Has the Rule imposed costs, including costs of compliance, on 
operators? If so, what are these costs?
    (c) How many hours does it take initially for an operator to come 
into compliance with the Rule? How many hours are spent each year for 
an operator to remain in compliance with the Rule? How much does it 
cost to comply with the Rule?
    (d) What changes, if any, should be made to the Rule to reduce the 
costs imposed on operators, consistent with the Act's requirements? How 
would those changes affect the Rule's benefits?
    (e) Are there regulatory alternatives to the Rule that might impose 
fewer costs yet still meet with the Act's and the Rule's objective of 
protecting children's online privacy and safety?
    (5) How many small businesses are subject to the Rule? What costs 
(types and amounts) do small businesses incur in complying with the 
Rule? How has the Rule otherwise affected operators that are small 
businesses? Have the costs or benefits of the Rule changed over time 
with respect to small businesses? What regulatory alternatives, if any, 
would decrease the Rule's burden on small businesses, consistent with 
the Act's requirements?
    (6) Does the Rule overlap or conflict with other federal, state, or 
local government laws or regulations? If so, what are these laws and 
regulations? How does the Rule overlap or conflict with them? How 
should these overlaps and conflicts be resolved, consistent with the 
Act's requirements?
    (a) To what extent have state attorneys general or other federal 
agencies brought actions under the Rule?
    (b) Are there any unnecessary regulatory burdens created by 
overlapping jurisdiction? If so, what can be done to ease the burdens, 
consistent with the Act's requirements?
    (c) Are there any gaps where no federal, state, or local government 
law or regulation has addressed a problematic practice relating to 
children's online privacy?
    (7) Has the Rule affected practices relating to the collection and 
disclosure of information relating to children online? If so, how?
    (8) Has the Rule affected children's ability to obtain access to 
information of their choice online? If so, how?
    (9) Has the Rule affected the availability of Web sites or online 
services directed to children? If so, how?
    (a) Has the number or type of Web sites or online services directed 
to children changed since the Rule became effective? If so, how? Did 
the Rule cause these changes?
    (b) Approximately how many new Web sites and online services are 
created each year that are directed to children?

B. Definitions

    (10) Do the definitions set forth in Section 312.2 of the Rule 
accomplish COPPA's goal of protecting children's online privacy and 
safety?
    (11) Are the definitions in Section 312.2 clear and appropriate? If 
not, how can they be improved, consistent with the Act's requirements?
    (12) Does Section 312.2 correctly articulate the factors to 
consider in determining whether a Web site or online service is 
directed to children? If not, what additional factors should be 
considered? Do any of the current factors need to be clarified? If so, 
how? Please note that any suggested modifications to this Section must 
be consistent with the Act's requirements.
    (13) The Final Rule's Statement of Basis and Purpose, 64 FR 59888 
(Nov. 3, 1999), and subsequent business guidance by the Commission have 
discussed when an operator or online service will be deemed to have 
``actual knowledge'' that it has collected information from a child. Is 
the term ``actual knowledge'' sufficiently clear? If not, how can the 
term be clarified further, consistent with the Act's requirements? In 
addition, does the situation where children intentionally submit an 
incorrect age older than 12 on general audience Web sites continue to 
raise Rule enforcement issues? If so, how can this situation be 
addressed, consistent with the Act's requirements?
    (14) Are there additional definitions that should be added to the 
Rule? If so, what terms should be defined and how should they be 
defined, consistent with the Act's requirements?

C. Notice

    (15) Section 312.4 of the Rule requires operators to provide notice 
of their information practices both online and directly to parents. 
These notices must inform parents about what information operators 
collect from children, how operators use such information, and their 
disclosure practices for such information.
    (a) Has the notice requirement been effective in protecting 
children's online privacy and safety? If so, how?
    (b) Do the benefits of the notice requirement outweigh its costs? 
Please explain.
    (c) What changes, if any, should be made to the notice requirement, 
including modifying the information required to be disclosed, 
consistent with the Act's requirements? What are the costs and benefits 
of these changes?

D. Verifiable Parental Consent

    (16) Section 312.5 of the Rule requires operators to obtain 
verifiable parental consent before any collection, use, and/or 
disclosure of personal information from children, including any 
material change to practices to which the parent previously consented.
    (a) Has the consent requirement been effective in protecting 
children's online privacy and safety? If so, how?
    (b) Do the benefits of the consent requirements outweigh their 
costs to operators? Please explain.
    (c) What changes, if any, should be made to the consent 
requirement, consistent with the Act's requirements? What are the costs 
and benefits of these changes?
    (d) Is the use of a credit card in combination with a transaction a 
reasonable means of verifying whether the person providing consent is 
the child's parent? Is the use of a credit card without a transaction a 
reasonable means of verifying whether the person providing consent is 
the child's parent? What about the use of a credit card without a 
transaction but with an additional step, such as verification of a 
mailing address or the use of a PIN number, to verify that a parent is 
providing consent? Please explain. Does the availability of credit or 
debit cards to children under 13 years of age affect your analysis? If 
so, how?
    (e) Section 312.5(c) sets forth five exceptions to the verifiable 
parental consent requirement. Do the benefits of the Rule's exceptions 
to prior parental consent outweigh their costs?
    (17) Section 312.5 of the Rule currently permits operators that 
collect children's personal information online for only internal uses 
to obtain verifiable parental consent via an e-mail plus additional 
steps to ensure that the person providing consent is, in fact, the 
child's parent (the so-called ``sliding scale'' approach).\11\
---------------------------------------------------------------------------

    \11\ The questions posed in this subpart duplicate the questions 
asked in the January 2005 Notice of Proposed Rulemaking and Request 
for Comment, 70 FR 2580. The Commission will reconsider all comments 
previously submitted in response to that request, so no resubmission 
is necessary.
---------------------------------------------------------------------------

    (a) Are secure electronic mechanisms now widely available to 
facilitate verifiable parental consent at a reasonable cost? Please 
include comments on the following:
    (i) Digital signature technology;

[[Page 21110]]

    (ii) Digital certificate technology;
    (iii) Other digital credentialing technology;
    (iv) P3P technology; and
    (v) Other secure electronic technologies.
    (b) Are infomediary services now widely available to facilitate 
verifiable parental consent at a reasonable cost?
    (c) When are secure electronic mechanisms and/or infomediary 
services for obtaining verifiable parental consent anticipated to 
become available at a reasonable cost? To what extent would the 
Commission's decision to eliminate, make permanent, or extend the 
sliding scale mechanism affect the incentive to develop and deploy 
these means of obtaining verifiable parental consent?
    (d) What effect would eliminating the sliding scale have on the 
information collection and use practices of Web site operators? For 
example, would the elimination of the sliding scale mechanism encourage 
Web site operators to collect children's personal information for uses 
other than the operators' own internal use because the cost of 
obtaining parental consent would be the same for internal as well as 
external uses?
    (e) Is there any evidence that the sliding scale mechanism is being 
misused, or is not working effectively?
    (f) Should the sliding scale mechanism be extended? If so, why and 
for how long?
    (g) Should the sliding scale mechanism be eliminated? If so, why?
    (h) Should the sliding scale mechanism be made permanent? If so, 
why?

E. Right of Parent To Review Personal Information Provided by a Child

    (18) Section 312.6 of the Rule requires operators to give parents, 
upon their request: (1) A description of the specific types of personal 
information collected from children; (2) the opportunity for the parent 
to refuse to permit the further use or collection of personal 
information from the child and direct the deletion of the information; 
and (3) a means of reviewing any personal information collected from 
the child.
    (a) Have these requirements been effective in protecting children's 
online privacy and safety? If so, how?
    (b) Do the benefits of these requirements outweigh their costs?
    (c) What changes, if any, should be made to these requirements, 
consistent with the Act's requirements? What are the costs and benefits 
of these changes?

F. Prohibition Against Conditioning a Child's Participation on 
Collection of Personal Information

    (19) Section 312.7 of the Rule prohibits operators from 
conditioning a child's participation in an activity on disclosing more 
personal information than is reasonably necessary to participate in 
such activity.
    (a) Has the prohibition been effective in protecting children's 
online privacy and safety? If so, how?
    (b) Do the benefits of the prohibition outweigh its costs? Please 
explain.
    (c) What changes, if any, should be made to the prohibition, 
consistent with the Act's requirements? What are the costs and benefits 
of these changes?

G. Confidentiality, Security, and Integrity of Personal Information 
Collected From a Child

    (20) Section 312.8 of the Rule requires operators to establish and 
maintain reasonable procedures to protect the confidentiality, 
security, and integrity of personal information collected from a child.
    (a) Has this requirement been effective in protecting children's 
online privacy and safety? If so, how?
    (b) Do the benefits to consumers of this requirement outweigh its 
costs?
    (c) What changes, if any, should be made to this requirement, 
consistent with the Act's requirements? What are the costs and benefits 
of these changes?
    (d) Is the requirement that operators establish and maintain 
``reasonable procedures'' to protect children's information 
sufficiently clear? If not, how could it be clarified, consistent with 
the Act's requirements?

H. Safe Harbors

    (21) Section 312.10 of the Rule provides that an operator will be 
deemed in compliance with the Rule's requirements if the operator 
complies with Commission-approved self-regulatory guidelines.
    (a) Has the safe harbor approach been effective in protecting 
children's online privacy and safety? If so, how?
    (b) Do the benefits of the safe harbor approach outweigh its costs?
    (c) What changes, if any, should be made to the safe harbor 
approach, consistent with the Act's requirements? What are the costs 
and benefits of these changes?

IV. Communications by Outside Parties to Commissioners or Their 
Advisors

    Written communications and summaries of transcripts of oral 
communications respecting the merits of this proceeding from any 
outside party to any Commissioner or Commissioner's advisor will be 
placed on the public record.\12\
---------------------------------------------------------------------------

    \12\ See 16 CFR 1.26(b)(5).
---------------------------------------------------------------------------

List of Subjects in 16 CFR Part 312

    Children, Communications, Consumer protection, Electronic mail, E-
mail, Internet, Online service, Privacy, Record retention, Safety, 
Science and technology, Trade practices, Web site, Youth.

    Authority: 15 U.S.C. 6501-6508.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 05-8160 Filed 4-21-05; 8:45 am]
BILLING CODE 6750-01-P