[Federal Register Volume 71, Number 50 (Wednesday, March 15, 2006)]
[Rules and Regulations]
[Pages 13247-13258]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 06-2356]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 312


Children's Online Privacy Protection Rule

AGENCY: Federal Trade Commission.

ACTION: Retention of rule without modification.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``the Commission'') has 
completed its regulatory review of the Children's Online Privacy 
Protection Rule (``the COPPA Rule'' or ``the Rule''), which implements 
the Children's Online Privacy Protection Act of 1998. The Rule 
regulates how Web site operators and others may collect, use, and 
distribute personal information from children online. The Commission 
requested comment on the costs and benefits of the Rule and whether it 
should be retained without change, modified, or eliminated. The 
Commission also requested comment on the Rule's effect on: information 
practices relating to children; children's ability to obtain online 
access to information of their choice; and the availability of Web 
sites directed to children. Pursuant to this review, the Commission 
concludes that the Rule continues to be valuable to children, their 
parents, and Web site operators, and has determined to retain the Rule 
in its current form. This document discusses the comments received in 
response to the Commission's request for public comment and announces 
the Commission's decision to retain the Rule without modification.

DATES: Effective Date: March 15, 2006.

FOR FURTHER INFORMATION CONTACT: Karen Muoio, (202) 326-2491, Federal 
Trade Commission, 600 Pennsylvania Avenue NW., Mail Drop NJ-3212, 
Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Introduction

    Pursuant to Congressional direction and the Commission's systematic 
program of reviewing its rules and guides, in April 2005 the Commission 
issued a Federal Register Proposed Rule seeking public comment on the 
overall costs and benefits of the COPPA Rule and other issues related 
to the Rule (``April 2005 NPR'').\1\ In response, the Commission 
received 25 comments from various parties, including: trade 
associations, Web site operators, privacy and educational 
organizations, COPPA safe harbor programs, and consumers.\2\ As part of 
its review, the Commission also considered the 91 comments received in 
response to its January 14, 2005 Notice of Proposed Rulemaking 
(``January 2005 NPR'') on the Rule's sliding scale approach to 
obtaining verifiable parental consent.\3\
---------------------------------------------------------------------------

    \1\ 70 FR 21107 (Apr. 22, 2005). The NPR also may be found 
online at http://www.ftc.gov/opa/2005/04/coppacomments.htm.
    \2\ The comments responsive to the April 2005 NPR have been 
filed on the Commission's public record as Document Nos. 516296-
00001, et seq., and may be found online at http://www.ftc.gov/os/comments/COPPArulereview/index.htm. This document cites comments by 
commenter name and page number. If a commenter submitted comments in 
response to the April 2005 NPR and the January 2005 NPR, the comment 
submitted second is delineated with the number ``2.'' All comments 
are available for public inspection at the Public Reference Room, 
Room 130, Federal Trade Commission, 600 Pennsylvania Ave., NW., 
Washington, D.C. 20580.
    \3\ 70 FR 2580 (Jan. 14, 2005). The comments responsive to the 
January 2005 NPR have been filed on the Commission's record as 
Document Nos. 514511-00001, et seq., and may be found online at 
http://www.ftc.gov/os/comments/COPPA%20Rule%20Ammend/Index.htm.

---------------------------------------------------------------------------

[[Page 13248]]

    In the April 2005 NPR, the Commission asked members of the public 
to comment on all aspects of the Rule and additionally posed twenty-one 
specific questions. The Commission requested comment on the general 
costs and benefits of the Rule, each specific provision of the Rule, 
prominent issues that have arisen since the inception of the Rule, and 
particular issues that Congress statutorily directed the Commission to 
evaluate. The April 2005 NPR also restated the questions pertaining to 
the sliding scale approach to obtaining verifiable parental consent 
that were posed in the January 2005 NPR, to give the public further 
opportunity to comment on that issue.
    Commenters generally favored retaining the Rule without 
modification. In addition, although some commenters did not favor 
making the sliding scale approach permanent, they did not provide the 
Commission with sufficient data upon which to base a determination to 
eliminate or revise the sliding scale approach.
    This document first describes the background and requirements of 
the Rule. It then summarizes the comments received regarding the costs 
and benefits of the Rule and whether it should be retained, eliminated, 
or modified. It finally explains the Commission's determination to 
retain the Rule without modification.\4\
---------------------------------------------------------------------------

    \4\ Because the Commission is not modifying the Rule, this 
document does not contain analyses under the Regulatory Flexibility 
Act, 5 U.S.C. 601-612, and the Paperwork Reduction Act, 44 U.S.C. 
3501-3520.
---------------------------------------------------------------------------

II. Description and Background of the Children's Online Privacy 
Protection Rule

    On October 21, 1998, Congress enacted COPPA (15 U.S.C. 6501-6508), 
which prohibits certain unfair or deceptive acts or practices in 
connection with the collection, use, or disclosure of personal 
information from children on the Internet.\5\ Pursuant to COPPA's 
requirements, the Commission issued its final Rule implementing COPPA 
on November 3, 1999.\6\
---------------------------------------------------------------------------

    \5\ 15 U.S.C. 6501-6508.
    \6\ 64 FR 59888 (Nov. 3, 1999).
---------------------------------------------------------------------------

    The Rule imposes requirements on operators of Web sites or online 
services directed to children under 13 years of age or that have actual 
knowledge that they are collecting personal information online from 
children under 13 years of age (collectively, ``operators'').\7\ Among 
other things, the Rule requires operators to provide notice to parents 
and to obtain ``verifiable parental consent'' prior to collecting, 
using, or disclosing personal information from children under 13 years 
of age.\8\ ``Verifiable parental consent'' means that the consent 
method must be reasonably calculated, in light of available technology, 
to ensure that the person providing consent is the child's parent.\9\
---------------------------------------------------------------------------

    \7\ 16 CFR Part 312.
    \8\ 16 CFR 312.4(c) and 312.5.
    \9\ 16 CFR 312.5(b)(1).
---------------------------------------------------------------------------

    When the Commission issued the Rule in 1999, it adopted a sliding 
scale approach to obtaining verifiable parental consent.\10\ Under such 
an approach, more reliable measures are required for parental consent 
if an operator intends to disclose a child's information to third 
parties or the public than if the operator only uses the information 
internally. The Commission adopted the sliding scale approach to 
address concerns that it was not yet feasible to require more 
technologically advanced methods of consent for internal uses of 
information. To reflect the expectation that this assessment could 
change, the sliding scale was scheduled to sunset in 2002. When public 
comment in 2002 indicated that changes in the technology had not 
occurred, the Commission extended the sliding scale approach three more 
years.\11\ In January 2005, the Commission sought public comment on 
whether to make the sliding scale approach permanent.\12\ Based on the 
comments received, the Commission determined that it would be 
appropriate to evaluate the sliding scale approach in the broader 
context of the current Rule review. Pending the outcome of the instant 
review, the Commission amended the Rule to extend the sliding scale 
approach.\13\
---------------------------------------------------------------------------

    \10\ The Commission adopted the sliding scale as part of the 
Rule in 1999 after soliciting public comments, http://www.ftc.gov/privacy/comments/index.html, and conducting a public workshop, 
http://www.ftc.gov/privacy/chonlpritranscript.pdf, on consent 
methods.
    \11\ 67 FR 18818 (Apr. 17, 2002).
    \12\ 70 FR 2580.
    \13\ 70 FR 21107.
---------------------------------------------------------------------------

    In addition to requiring operators to obtain verifiable parental 
consent before collecting, using, or disclosing personal information 
from children, the Rule requires operators to post a notice of their 
information practices online, provide parents with access to their 
children's information, and keep that information confidential and 
secure.\14\ It also prohibits operators from conditioning children's 
participation in an activity on the children providing more personal 
information than is reasonably necessary to participate in that 
activity.\15\ Further, the Rule provides a safe harbor for operators 
following Commission-approved self-regulatory guidelines, and 
instructions on how to get such guidelines approved.\16\
---------------------------------------------------------------------------

    \14\ 16 CFR 312.4(b), 312.6, and 312.8.
    \15\ 16 CFR 312.7.
    \16\ 16 CFR 312.10.
---------------------------------------------------------------------------

    Both the Act and the Rule require that the Commission initiate a 
review of the Rule, including requesting data on certain issues, within 
five years of the Rule's effective date, i.e., April 21, 2005.\17\ The 
Commission initiated its review on that date.\18\ The review also has 
been conducted pursuant to the Commission's systematic program of 
periodically reviewing its rules and guides.
---------------------------------------------------------------------------

    \17\ 15 U.S.C. 6507; 16 CFR 312.11.
    \18\ 70 FR 21107. The NPR also may be found online at http://www.ftc.gov/opa/2005/04/coppacomments.htm.
---------------------------------------------------------------------------

III. Discussion of Comments and the Retention of the Rule Without 
Modification

A. Summary of Comments

    The Commission received 25 comments in response to its April 2005 
NPR on the overall Rule and 91 comments in response to its January 2005 
NPR on the sliding scale approach to obtaining verifiable parental 
consent, for a total of 116 comments.\19\ The commenters included trade 
associations, Web site operators, privacy and educational 
organizations, COPPA safe harbor programs, and consumers.
---------------------------------------------------------------------------

    \19\ The comments are discussed in subsections B and C of this 
Part. In addition, complete lists of the commenters and their 
comments appear at http://www.ftc.gov/os/publiccomments.htm.
---------------------------------------------------------------------------

    Of the 116 comments received, 68 were non-form letter comments from 
various entities and individuals. Approximately two-thirds of these 68 
comments solely addressed the sliding scale approach.\20\ About one-
third of

[[Page 13249]]

them addressed other aspects of the Rule, in some cases also addressing 
the sliding scale approach.\21\
---------------------------------------------------------------------------

    \20\ Dori Acampora; ADVO, Inc.; American Association of 
Advertising Agencies, et al. (``AAAA''); Lou Apa; Susan Barrett; 
Belinda Brewer; American Library Association (``ALA''); Center for 
Digital Democracy (``CDD''); Children's Advertising Review Unit 
(``CARU''); Children's Media Policy Coalition (``CMPC''); Consortium 
for School Networking (``CoSN''); Council of American Survey 
Research Organizations, Inc. (``CASRO''); Council for Marketing and 
Opinion Research (``CMOR''); Credit Union National Association 
(``CUNA''); William Demers; Gale DeVoar Sr.; Direct Marketing 
Association, Inc. (``DMA''); Christina Dukes; Electronic Privacy 
Information Center (``EPIC''); Gestweb S.p.a.; Illinois Credit Union 
League (``ICUL''); IT Law Group (``ITLG''); Gary Kelly; Liana 
Laughlin; Masterfoods USA; Mattel, Inc.; Adrieh Mehdikdani et al.; 
Jim Minor; Motion Picture Association of America (``MPAA''); 
National Cable & Telecommunications Association (``NCTA''); Navy 
Federal Credit Union (``NFCU''); Alta Price; Privo, Inc.; Procter & 
Gamble (``P&G''); Schwab Learning; Terri Seleman; Software & 
Information Industry Association (``SIIA''); TRUSTe; John Surr; 
United States Internet Service Provider Association (``US ISPA''); 
John Villamil et al.; Anton Vogel et al.; Scot Wallace-Zeid; Carrie 
Williams.
    \21\ Parry Aftab, et al.; ALA 2; Robert Chapin; CoSN 2; CUNA 2; 
Robert Custer; DMA 2; Edita Domentech, et al.; EPIC 2; Entertainment 
Software Rating Board (``ESRB''); Eileen Fernandez-Parker; Joseph 
Hodges; William Kreps; Mattel 2; Microsoft Corporation; MPAA 2; NFCU 
2; Nickelodeon; Chris O'Neal; Peter Renguin; Scholastic Inc.; Time 
Warner Inc.; TRUSTe 2; Washington Legal Foundation (``WLF'').
---------------------------------------------------------------------------

    Forty-eight commenters submitted a form letter opposing letting 
operators obtain verifiable parental consent through a reply to an e-
mail alone, because this could allow children to forge their parents' 
consent. The form letter states, in pertinent part, that ``Merely 
receiving an email from a parent's email address does not qualify as 
permission since it is possible for parents to not even be aware that 
an exchange has taken place and therefore allows companies to market to 
children without parental permission.'' \22\ In its original COPPA 
rulemaking, the Commission agreed, concluding ``that e-mail alone does 
not satisfy the COPPA because it is easily subject to circumvention by 
children.'' \23\ Therefore, the Commission adopted the requirement in 
the Rule that operators must take an additional step to verify that it 
is, in fact, the parent sending the e-mail, a consent method commonly 
known as ``e-mail plus.''\24\ Specifically, the operator must send the 
parent by e-mail, letter, or telephone call a confirmation of his or 
her consent.\25\
---------------------------------------------------------------------------

    \22\ See, e.g., Barbara Abbate.
    \23\ 64 FR at 59902.
    \24\ Id. Under the sliding scale approach, if an operator wants 
to collect personal information from children and disclose it to 
third parties or the public, the Rule requires the operator to 
obtain verifiable parental consent through one of the more reliable 
means described in Section 312.5(b)(2) of the Rule. 16 CFR 
312.5(b)(2).
    \25\ Id.
---------------------------------------------------------------------------

    No commenter stated that the Rule should be eliminated. To the 
contrary, almost all commenters advocated retaining the Rule in its 
current form \26\ or adding to its requirements.\27\ Two commenters 
suggested excepting certain kinds of Web sites from the Rule's 
requirements,\28\ and one of the Rule's safe harbor programs suggested 
extending the protected status granted to safe harbor program 
participants.\29\ Some commenters requested clarification on particular 
aspects of the Rule.\30\
---------------------------------------------------------------------------

    \26\ E.g., ALA 2; CoSN 2; DMA 2; Mattel 2; MPAA 2; Nickelodeon; 
O'Neal; Scholastic; Time Warner.
    \27\ CUNA 2; EPIC 2; Fernandez-Parker; Domenech; Kreps; NFCU 2; 
Reguin.
    \28\ Aftab; Custer.
    \29\ TRUSTe 2.
    \30\ Chapin; ESRB; EPIC 2; Microsoft; Privo; Reguin.
---------------------------------------------------------------------------

    On the specific issue of the sliding scale approach, unique 
commenters generally supported retaining it, with 34 unique comments 
submitted in favor of making it permanent \31\ and nine unique comments 
submitted in favor of extending it for some period of time.\32\ Forty-
eight form-letter comments opposed allowing receipt from a parent's e-
mail address to qualify as permission but, as explained above, the Rule 
already requires more. Eleven unique commenters were against making 
permanent or extending the sliding scale approach \33\ and four did not 
take a clear position.\34\
---------------------------------------------------------------------------

    \31\ ADVO; Aftab; AAAA; Apa; Brewer; ALA 1, 2; CARU; CoSN 1, 2; 
CUNA 1, 2; DeVoar; DMA 1, 2; ESRB; ICUL; ITLG; Mattel 1, 2; 
Masterfoods; MPAA 1, 2; NCTA; NFCU 1, 2; Nickelodeon; P&G 
Scholastic; SIIA; Time Warner; TRUSTe; U.S. ISPA; WLF.
    \32\ CDD; CMPC; CASRO; CMOR; EPIC 1, 2; Mehdikdani; Villamil; 
Vogel.
    \33\ Acampora; Barrett; Demers; Dukes; Laughlin; Minor; Price; 
Privo; Schwab Learning; Seleman; Williams.
    \34\ Gestweb; Kelly; Surr; Wallace-Zeid.
---------------------------------------------------------------------------

B. General Comments on the Rule

    The Commission's April 2005 NPR asked several questions about the 
implementation and necessity of the Rule as a whole. The NPR contained 
several standard Commission regulatory review questions about the costs 
and benefits of the Rule. The NPR also sought comments on three 
specific issues that Congress in the Act directed the Commission to 
evaluate.
1. The Costs and Benefits of the Rule
    The Commission asked several general questions in the April 2005 
NPR pertaining to the necessity and effectiveness of the Rule. The 
questions requested comment on how the Rule has affected children's 
online privacy and safety, whether the Rule is still needed, and how 
the Rule has affected consumers and operators. The Commission also 
requested comment on the Rule's effect on small businesses and whether 
the Rule is in conflict with other existing laws.
    Commenters uniformly stated that the Rule has succeeded in 
providing greater protection to children's personal information online, 
that there is a continuing need for the Rule, and that the Rule should 
be retained.\35\ For example, in explaining the Rule's success in 
protecting children's privacy and safety online, one commenter stated 
that ``COPPA has been very successful in improving the data collection 
practices and curtailing unscrupulous interactive marketing practices 
of commercial Web sites,'' \36\ while another said that ``all 
indications are that COPPA and its implementing rules provide an 
important tool in protecting the privacy and safety of children using 
the Internet.'' \37\ Another commenter stated that the Rule has 
increased consumer awareness of privacy issues across the board while 
encouraging operators to respond creatively to the challenge of 
protecting children online.\38\
---------------------------------------------------------------------------

    \35\ E.g., Aftab at 2; ALA 2 at 1; COSN 2 at 1; CUNA 2 at 1-2; 
DMA 2 at 1-2; EPIC 2 at 1, 3; MPAA 2 at 2, 5; NFCU 2 at 1; 
Nickelodeon at 1; O'Neal; Scholastic at 2-3; Time Warner at 1.
    \36\ Aftab at 2.
    \37\ EPIC 2 at 1.
    \38\ Chapin at 1.
---------------------------------------------------------------------------

    As to the continuing need for the COPPA Rule, numerous commenters 
emphasized that the Rule provides operators with a clear set of 
standards to follow and that operators have received few, if any, 
complaints from parents about the standards and how they are 
implemented.\39\ One commenter described how the Rule's definite 
standards have fostered consumer and business confidence in the 
Internet.\40\ Moreover, operators stated that they have no complaints 
about the costs of complying with the Rule's requirements.\41\
---------------------------------------------------------------------------

    \39\ DMA 2 at 2; MPAA 2 at 2, 5; Nickelodeon at 1; Scholastic at 
2-3; Time Warner at 1.
    \40\ MPAA 2 at 3-4.
    \41\ CoSN 2 at 1; NFCU 2 at 1; Nickelodeon at 1; Scholastic at 
2-3; Time Warner at 1. Indeed, one commenter detailed the ways in 
which changing the Rule's sliding scale approach would impose 
substantial costs on operators. MPAA at 4-5. The commenter, a large 
trade association representing numerous Web site operators, stated 
that these costs would include not only up-front labor and other 
quantifiable financial costs, but also unquantifiable costs 
associated with operators becoming unwilling to invest in new 
technology due to an uncertain regulatory climate and consumers 
becoming unwilling to trust an uncertain system. Id.
---------------------------------------------------------------------------

    The Commission did not receive any comments specifically addressing 
the Rule's costs and benefits for small businesses or the Rule's 
overlap with other laws or regulations.
    The Commission concludes that no modifications to the Rule are 
necessary on the basis of general comments submitted on the Rule and 
its costs and benefits.
2. COPPA-Mandated Issues
    When Congress enacted COPPA, it included a provision requiring the 
Commission to evaluate and report on the implementation of the Rule 
five years after its effective date. Congress directed the Commission 
to evaluate three particular issues: (1) How the Rule has affected 
practices relating to the

[[Page 13250]]

collection and disclosure of information relating to children online; 
(2) how the Rule has affected children's access to information of their 
choice online; and (3) how the Rule has affected the availability of 
Web sites or online services directed to children.\42\ Accordingly, the 
Commission specifically included questions about these issues in the 
April 2005 NPR.\43\
---------------------------------------------------------------------------

    \42\ 15 U.S.C. 6507.
    \43\ 70 FR at 21109.
---------------------------------------------------------------------------

    Some commenters submitted views on the three issues, although none 
provided the Commission with related empirical data. Regarding the 
question of whether and, if so, how the Rule has affected practices 
relating to the collection, use, and disclosure of information relating 
to children online, three commenters (two operators of major Web sites 
and their trade association) provided specific and concrete examples of 
how the Rule has affected their own information practices concerning 
children.\44\ These commenters stated that the primary response of 
operators has been to limit the personal information they collect from 
children (by either not collecting any personal information or 
collecting only e-mail addresses) while developing innovative ways to 
offer the interactive online experiences children want. The commenters 
each described a wide variety of activities they offer at their Web 
sites that let children interact with the sites but require little or 
no information collection or disclosure.\45\
---------------------------------------------------------------------------

    \44\ DMA 2 at 2; Nickelodeon at 3-4; Time Warner at 2.
    \45\ Id.
---------------------------------------------------------------------------

    These commenters also stated that the Rule's exceptions to prior 
verifiable parental consent for e-mail addresses are useful for 
providing children with safe online interactivity while preserving 
their Web sites' viability.\46\ The Rule sets forth five exceptions to 
its requirement that operators obtain verifiable parental consent 
before collecting a child's personal information. These exceptions 
allow operators to collect a child's online contact information (i.e., 
an e-mail address) \47\ without obtaining prior parental consent and 
use that information only for certain specified purposes.\48\ In each 
instance, the Rule prohibits the operator from using the information 
for any other purpose.
---------------------------------------------------------------------------

    \46\ Id.
    \47\ Id. Some exceptions also allow the operator to collect the 
child's name, the parent's name, or the parent's online contact 
information.
    \48\ 16 CFR 312.5(c). For example, an operator can collect and 
use a child's e-mail address without prior parental consent to 
obtain verifiable parental consent, to protect the safety of a child 
visitor, or to respond to judicial process. 16 CFR 312.5(c)(1), 
312.5(c)(4), and 312.5(c)(5)(ii).
---------------------------------------------------------------------------

    The commenters highlighted two of the exceptions as particularly 
useful in providing interactive content to children. The first of these 
exceptions lets operators collect a child's e-mail address to respond 
once to a child's specific request, such as to answer a question (e.g., 
homework help) or to provide other information (e.g., when a new 
product will be on sale).\49\ The operator does not need to provide 
notice to the parents or obtain parental consent, so long as it deletes 
the child's e-mail address upon responding. The second noted exception 
lets an operator collect the e-mail addresses of the child and his or 
her parent so that the operator can respond more than once to a child's 
specific request, such as to subscribe the child to an electronic 
newsletter.\50\ Here, the operator must provide notice to the parent 
before contacting the child a second time and give the parent an 
opportunity to opt out of the repeated contact. Commenters stated that 
these two exceptions help them to provide safe, interactive, and fun 
children's content.\51\
    The second statutorily mandated question was whether and, if so, 
how the Rule has affected children's ability to access information 
online. Most commenters stated that the Rule's requirements have struck 
an appropriate balance between protecting children's personal 
information online and preserving their ability to access content.\52\ 
One commenter stated that the Rule has ``unfairly limited student 
access to educational sites.'' \53\ In contrast, another commenter 
noted that, in her experience as a teacher, children have been able to 
access online educational content without revealing their personal 
information and that her students ``have not faced a problem because of 
COPPA.'' \54\ In addition, in the educational context, teachers often 
can act on behalf of parents to provide consent for purposes of 
COPPA.\55\
---------------------------------------------------------------------------

    \49\ 16 CFR 312.5(c)(2).
    \50\ 16 CFR 312.5(c)(3).
    \51\ DMA 2 at 2; Nickelodeon at 3-4; Time Warner at 2.
    \52\ DMA 2 at 1-2; Fernandez-Parker; Nickelodeon at1; Time 
Warner at 3.
    \53\ Custer. The commenter suggested that the Commission exempt 
educational sites from the Rule. The Commission notes that the Rule 
already exempts certain nonprofit entities, which would include many 
educational sites. 16 CFR 312.2 (``Operator means any person who 
operates a website * * * where such website or online service is 
operated for commercial purposes[.] * * * This definition does not 
include any nonprofit entity that would otherwise be exempt from 
coverage under Section 5 of the Federal Trade Commission Act (15 
U.S.C. 45).'').
    \54\ Fernandez-Parker.
    \55\ Most schools require parents to agree to the school's 
Internet ``Acceptable Use Policy'' (``AUP'') before a child can 
visit the Internet at school. Such AUPs can and often do authorize 
teachers to act on behalf of parents to provide verifiable parental 
consent for purposes of COPPA. In this way, if children must provide 
personal information to access certain content, the teacher can 
provide the requisite consent. The Commission has posted COPPA 
guidance for teachers and parents at http://www.ftc.gov/bcp/conline/pubs/online/teachers.htm.
---------------------------------------------------------------------------

    The final statutorily mandated question concerned the Rule's effect 
on the availability of Web sites directed to children. Many commenters 
indicated that they have been successful in operating popular and 
viable children's Web sites in the five years since the Rule's 
effective date.\56\ One commenter, however, suggested that the Rule's 
requirements could have caused at least a few smaller children's Web 
sites to fail.\57\ However, this commenter also acknowledged that, 
given the failure of innumerable Web sites for multiple reasons during 
the dot-com bust of 2000, it would be difficult to single out the Rule 
as the cause. No commenters submitted empirical data showing the Rule's 
direct impact on the availability of Web sites directed to children. 
Accordingly, the record does not indicate that the cost of complying 
with COPPA has decreased the number of children's Web sites.\58\
---------------------------------------------------------------------------

    \56\ DMA 2 at 2; MPAA 2 at 8; Nickelodeon at 11; Scholastic at 
2.
    \57\ Aftab at 1.
    \58\ One commenter suggested that the Commission regularly 
evaluate the status of children's privacy online to ensure that the 
Rule continues to provide children with the best protection. EPIC 2 
at 3. Under the FTC's systematic program of periodically reviewing 
its rules and guides, the Rule will be evaluated comprehensively, 
approximately every ten years.
---------------------------------------------------------------------------

    The Commission concludes that no modifications to the Rule are 
necessary on the basis of the comments submitted in response to the 
three COPPA-mandated questions.

C. Comments Pertaining to Specific Rule Provisions \59\
---------------------------------------------------------------------------

    \59\ The Commission received no comments on certain provisions 
of the Rule, including Section 312.1 (describing the Rule's scope); 
Section 312.3 (generally describing the Rule's requirements); 
Section 312.9 (providing that a violation of the Rule shall be 
treated as a violation of a rule prohibiting an unfair or deceptive 
act or practice prescribed under Section 18(a)(1)(B) of the FTC Act, 
15 U.S.C. 57(a)(1)(B)); Section 312.11 (mandating the instant 
regulatory review); and Section 312.12 (providing that each Rule 
provision is separate and severable from the others). The Commission 
has determined that no modifications to these provisions are 
necessary.
---------------------------------------------------------------------------

1. Section 312.2: Definitions
    Section 312.2 defines various terms used in the Rule.\60\ The 
Commission

[[Page 13251]]

requested comment on whether the definitions contained in this section 
are effective, clear, and appropriate, and whether any improvements or 
additions should be made. In particular, the Commission asked whether 
the Rule correctly articulates the factors to consider in determining 
whether a Web site is directed to children and whether the term 
``actual knowledge'' is sufficiently clear.\61\
---------------------------------------------------------------------------

    \60\ 16 CFR 312.2.
    \61\ 70 FR at 21109.
---------------------------------------------------------------------------

    No comments were submitted on the general effectiveness of the 
Rule's definitions section, but the Commission received some comments 
concerning the terms ``website or online service directed to children'' 
and ``actual knowledge.'' The term ``website or online service directed 
to children'' is defined specifically in COPPA and the Rule itself,\62\ 
while ``actual knowledge'' is discussed in the Rule's Statement of 
Basis and Purpose and later Commission guidance.\63\ Overall, most 
commenters stated that the terms are sufficiently clear,\64\ although 
two suggested that the Commission continue to refine the terms through 
enforcement actions or other guidance.\65\
---------------------------------------------------------------------------

    \62\ 15 U.S.C. 6502; 16 CFR 312.2. See also discussion of 
factors to be considered in determining whether a Web site is 
directed to children at 64 FR 59893.
    \63\ 64 FR 59892; Frequently Asked Questions about the 
Children's Online Privacy Protection Rule: Volume One (``COPPA 
FAQs''), questions 38 and 39, available at http://www.ftc.gov/privacy/coppafaqs.htm#teen; and The Children's Online Privacy 
Protection Rule: Not Just for Kids' Sites, available at http://www.ftc.gov/bcp/conline/pubs/alerts/coppabizalrt.htm.
    \64\ DMA 2 at 2-4; EPIC 2 at 3-5; Nickelodeon at 9-10; Time 
Warner at 4, 6.
    \65\ EPIC 2 at 5; ESRB at 2-3.
---------------------------------------------------------------------------

a. ``Website or Online Service Directed to Children''
    The Rule specifically defines the term ``website or online service 
directed to children'' as ``a commercial website or online service, or 
portion thereof, that is targeted to children.'' \66\ The Rule further 
provides that, in determining whether a Web site or online service is 
``targeted to children,'' the Commission will consider several factors. 
These factors include subject matter; visual and audio content; age of 
models; language or other characteristics; advertising appearing on or 
promoting the site or service; competent and reliable empirical 
evidence of audience composition; evidence regarding the intended 
audience; and whether the site uses animated characters or child-
oriented activities or incentives.\67\ The Rule's Statement of Basis 
and Purpose states that the Commission, in making its determination, 
will consider ``the overall character of the site--and not just the 
presence or absence of one or more factors.'' \68\ Commenters 
representing numerous Web site operators stated that the language of 
the Rule and discussion in the Rule's Statement of Basis and Purpose 
provide effective and clear guidance for determining whether a Web site 
is directed to children.\69\
---------------------------------------------------------------------------

    \66\ 16 CFR 312.2.
    \67\ 64 FR 59912-13.
    \68\ 64 FR 59893.
    \69\ DMA 2 at 2; Nickelodeon at 9; Time Warner at 4-5.
---------------------------------------------------------------------------

    Two commenters suggested that the Commission clarify, through 
additional guidance, when a Web site is considered to be directed to 
children under the Rule. The first commenter suggested adding several 
design elements to the Rule's list of factors the Commission will 
consider, including color, non-textual content, interactivity, 
navigational tools, and advertisements.\70\ The Commission believes 
that the existing factors set forth in the Rule already encompass these 
suggested additions. For example, the Rule's definition expressly 
provides that the Commission will consider advertising appearing on or 
promoting the Web site or service.\71\ The Rule also provides that the 
Commission will consider a site's visual and audio content, language 
and other characteristics of the site, and any child-oriented 
activities or incentives.\72\ The Commission therefore concludes it is 
unnecessary to modify the Rule's definition of a Web site or online 
service directed to children.
---------------------------------------------------------------------------

    \70\ EPIC 2 at 4.
    \71\ 16 CFR 312.2.
    \72\ Id.
---------------------------------------------------------------------------

    A second commenter suggested it might be instructive to incorporate 
into the Rule the analysis that Commission staff set forth in a recent 
letter denying a petition for law enforcement action filed concerning 
the Amazon Web site, http://www.amazon.com.\73\ The letter, published 
on the petitioner's Web site,\74\ analyzes the Amazon Web site using 
the factors set forth in the Rule for determining whether a Web site is 
directed to children. The commenter suggested that incorporating the 
analysis into the Rule would clarify how the Commission determines 
whether other Web sites are directed to children. The letter does 
provide one example of how the Commission staff has applied the Rule's 
factors in analyzing whether a particular Web site was directed to 
children. However, the Commission does not believe that the general 
factors in the Rule need to be modified in light of the FTC staff's 
application of these factors in that specific instance.
---------------------------------------------------------------------------

    \73\ ESRB at 2.
    \74\ See http://www.epic.org/privacy/amazon/ftc_amazon.pdf 
(last accessed 10/12/05).
---------------------------------------------------------------------------

b. ``Actual Knowledge''
    The Commission also asked whether the term ``actual knowledge'' is 
sufficiently clear. The Rule's requirements apply to operators of Web 
sites other than those directed to children (sometimes referred to as 
``general audience Web sites'') if such operators have ``actual 
knowledge'' that they are collecting or maintaining personal 
information from children.\75\ The Rule's Statement of Basis and 
Purpose explains that a general audience Web site operator has the 
requisite actual knowledge if it ``learns of a child's age or grade 
from the child's registration or a concerned parent * * * .'' \76\ It 
may have the requisite knowledge if it asks age, grade, or other age-
identifying questions.\77\ Subsequent to the Rule's issuance, the 
Commission staff posted guidance on the FTC Web site clarifying that a 
general audience Web site operator does not obtain actual knowledge of 
a child's age ``[i]f a child posts personal information on a general 
audience site, but doesn't reveal his or her age * * *'' \78\ In 
addition, the guidance provides that the operator would not have actual 
knowledge if a child posts his or her age in a chat room on the site, 
but no one at the operator sees or is alerted to the post.\79\
---------------------------------------------------------------------------

    \75\ 16 CFR 312.3.
    \76\ 64 FR 59892.
    \77\ Id.
    \78\ COPPA FAQs, question 38, available at http://www.ftc.gov/privacy/coppafaqs.htm#teen.
    \79\ Id. The Commission also released a business alert in 2004 
reiterating its guidance on actual knowledge, in conjunction with 
filing complaints and consent decrees against two general audience 
Web site operators that allegedly had actual knowledge that they 
were collecting personal information from children. See February 18, 
2004 FTC news release at http://www.ftc.gov/opa/2004/02/bonziumg.htm 
and FTC Business Alert entitled The Children's Online Privacy 
Protection Rule: Not Just for Kids Sites at http://www.ftc.gov/bcp/conline/pubs/alerts/coppabizalrt.htm.
---------------------------------------------------------------------------

    Most commenters stated that the Rule's Statement of Basis and 
Purpose and subsequent guidance have made the term ``actual knowledge'' 
sufficiently clear and no modification to the Rule is necessary.\80\ 
For example, one commenter states ``the Commission's guidance 
clarifying that asking for age or date of birth information or similar 
questions through which the Web site would learn the ages of specific 
visitors[] provides clear criteria for Web

[[Page 13252]]

sites to determine their obligations.'' \81\ One commenter did suggest, 
however, that the Commission continue to clarify the term in the 
context of additional enforcement actions.\82\ The Commission concludes 
that no modifications to the Rule are necessary on the basis of these 
comments.
---------------------------------------------------------------------------

    \80\ E.g., DMA 2 at 3-4; Nickelodeon at 9-10; Time Warner at 6-
7.
    \81\ Nickelodeon at 10.
    \82\ EPIC 2 at 5.
---------------------------------------------------------------------------

c. Age Screening and Age Falsification
    General audience Web sites or those directed to teenagers may 
attract a substantial number of children under the age of 13. Although 
such Web sites are not directed at children under 13, operators of such 
sites must comply with the Rule to the extent that they have ``actual 
knowledge'' that visitors are under 13.
    Some operators of such Web sites choose to screen visitors to 
determine whether they are under 13. This practice, popularly referred 
to as ``age-screening,'' started with Web sites directed to teenagers 
and is now used by many general audience Web sites that may appeal to 
children. Some general audience Web sites appear to use age-screening 
to reject children's registration requests, thus providing children 
with an incentive to falsify their age to gain access. The FTC staff 
has issued guidance regarding how operators of teen-directed Web sites 
can obtain age information from their visitors without encouraging age 
falsification.\83\
---------------------------------------------------------------------------

    \83\ COPPA FAQs, question 39, available at http://www.ftc.gov/privacy/coppafaqs.htm#teen.
---------------------------------------------------------------------------

    The Commission asked if there was evidence that a substantial 
number of children were falsifying age information in response to age-
screening on general audience Web sites and, if so, whether the Rule 
should be modified to address this problem. The Commission received 
five comments concerning age-screening. Two commenters stated that some 
children falsify their age to register on Web sites that screen for 
age, but provided no empirical information as to how frequently this 
occurs.\84\ Other commenters stated that age falsification is not a 
problem in practice, especially when Web sites follow Commission staff 
guidance and request age information in a neutral manner, then set 
session cookies to prevent children from later changing their age.\85\ 
One commenter suggested that attempting to regulate online age 
falsification would be unrealistic, because there is no way to prevent 
certain children from falsifying their age.\86\ Instead, commenters 
stressed that following Commission staff guidance on age-screening 
remains a reasonable practice for teen or general audience site 
operators seeking to comply with the Rule.\87\ The Commission has 
concluded that no changes to the Rule are needed in response to 
operators' age-screening practices.
---------------------------------------------------------------------------

    \84\ Aftab at 5; WLF at 5.
    \85\ DMA 2 at 4; Time Warner at 6.
    \86\ WLF at 5.
    \87\ DMA 2 at 4; Time Warner at 6. One commenter reported that 
age-screening in the shopping area of its general audience Web site 
was preventing adults who enter an age under 13 from completing 
their purchase. Mattel at 2-3. As discussed in the text, age-
screening is designed for general audience Web sites or portions of 
Web sites that may appeal to children. The shopping areas of Web 
sites are unlikely to attract children because making a purchase 
online generally requires a credit card, which most children do not 
have. The Commission therefore has not advocated that operators of 
general audience Web sites, like the commenter, ask age-screening 
questions on the shopping areas of their sites.
---------------------------------------------------------------------------

d. Other Definitions
    Few comments were submitted about the definitions of other terms 
used in the Rule. Two commenters suggested that the term ``internal 
use'' is not adequately defined.\88\ The Rule does not define the term 
``internal use,'' but it does define ``disclosure'' to include 
releasing personal information collected from a child, except to a 
person providing internal support for the operations of the Web 
site.\89\ The Rule also explicitly provides that persons providing 
internal support cannot use the information for any other purpose.\90\ 
The Rule's Statement of Basis and Purpose further explains that 
``support for the internal operations of the Web site'' can include 
providing technical support, servers, or services such as chat and e-
mail.\91\
---------------------------------------------------------------------------

    \88\ Privo at 5; EPIC at 2.
    \89\ 16 CFR 312.2.
    \90\ Id.
    \91\ See 64 FR 59890-91.
---------------------------------------------------------------------------

    The commenters that asked that ``internal use'' of information be 
defined specifically sought clarification as to whether sharing 
information among corporate affiliates constitutes an internal use or a 
disclosure. The Rule's Statement of Basis and Purpose explains that 
determining whether an operator's sharing of information with another 
entity is an internal use or a disclosure depends on the receiving 
entity's relationship to the information. Sharing information with 
another entity can constitute an internal use of the information only 
if it is solely to facilitate internal support services for the 
operator and the entity does not use the information for any other 
purpose.\92\ Sharing for any other use, whether or not the other entity 
is a corporate affiliate, constitutes a disclosure.\93\ The Commission 
concludes that no modification to the Rule is necessary.
---------------------------------------------------------------------------

    \92\ Id. at 59890, 59891. The Rule's Statement of Basis and 
Purpose incorporates by reference a set of factors that can be used 
to help define an entity's relationship to collected information, 
including ownership, control, payment, use, and maintenance of the 
information, as well as any pre-existing contractual relationships. 
Id. at 59891, citing 64 FR 22750, 22752 (Apr. 27, 1999). See also 
COPPA FAQs, question 47, at http://www.ftc.gov/privacy/coppafaqs.htm.
    \93\ Id.
---------------------------------------------------------------------------

    Another commenter suggested that the Commission expand the Rule's 
definition of ``operator'' to include individuals operating 
noncommercial Web sites and nonprofit entities operating Web sites.\94\ 
COPPA expressly applies only to operators of Web sites and online 
services ``operated for commercial purposes'' and excludes ``any 
nonprofit entity that would otherwise be exempt from coverage under 
Section 5 of the Federal Trade Commission Act (15 U.S.C. 45).'' \95\ 
The Rule includes the statutory language of COPPA,\96\ so the 
Commission cannot modify the definition.
---------------------------------------------------------------------------

    \94\ Reguin.
    \95\ 15 U.S.C. 6502(2).
    \96\ 16 CFR 312.2. The Commission staff has provided guidance 
encouraging all operators to practice fair information principles 
with their visitors, http://www.ftc.gov/privacy/coppafaqs.htm#teen, 
and many nonprofit Web sites do voluntarily comply with COPPA and 
the Rule because they want to protect children's safety and privacy. 
In addition, Federal policy requires all federal Web sites to 
provide their child visitors with COPPA protections. Memorandum for 
the Heads of Executive Departments and Agencies, M-00-13 (June 22, 
2000), available at http://www.whitehouse.gov/omb/memoranda/m00-13.html.
---------------------------------------------------------------------------

    Finally, one commenter sought clarification of certain statutory 
terms set forth in COPPA, such as ``online contact information,'' 
``personal information,'' ``retrievable form,'' and ``recontact.'' \97\ 
To provide businesses and consumers with additional guidance, the 
Commission has provided more specific articulations of some of COPPA's 
statutory terms in the Rule and the Rule's Statement of Basis and 
Purpose. For example, the commenter asked the Commission to clarify 
whether certain types of information not specifically listed in COPPA's 
definition of ``personal information,'' such as IP addresses, unique 
identifiers, birthdates, or photographs, do constitute ``personal 
information.'' The Rule's definition of ``personal information'' 
includes ``a persistent identifier * * * associated with individually 
identifiable information'' as well as a photograph when combined with 
other information that permits contacting the individual.\98\ The 
Commission concludes that no

[[Page 13253]]

additional clarification of the particular terms identified by this 
commenter is necessary.
---------------------------------------------------------------------------

    \97\ Chapin.
    \98\ 16 CFR 312.2.
---------------------------------------------------------------------------

    For the reasons discussed above, the Commission concludes that no 
modifications to the Rule's current definitions are necessary.
2. Section 312.4: Notice
    Section 312.4 of the Rule requires operators to provide notice of 
their information practices to parents. These notices must inform 
parents about their information practices, including what information 
they collect from children online, how they use the information, and 
their disclosure practices for such information. The Commission 
requested comment on whether the notice requirement is effective, if 
its benefits outweigh its costs, and what changes, if any, should be 
made to it.
    Two commenters submitted comments on the Rule's notice provision. 
The first commenter noted the importance of providing parents with 
contact information for the operator, so they can discuss and attempt 
to resolve any concerns with the operator.\99\ The commenter did not 
seek any changes to the Rule's notice provision.
---------------------------------------------------------------------------

    \99\ CUNA 2 at 1-2.
---------------------------------------------------------------------------

    The second commenter stated that it was unclear whether the Rule 
requires a general audience Web site operator with actual knowledge 
that it has collected personal information from a child to post a 
privacy notice on its site.\100\ Section 312.4(b) of the Rule sets 
forth the requirements for posting a privacy notice on a Web site, 
including which operators must post a privacy notice online.\101\ 
According to the Rule, ``an operator of a Web site or online service 
directed to children must post a link to a notice of its information 
practices with regard to children * * *'' \102\ In addition, ``[a]n 
operator of a general audience website or online service that has a 
separate children's area or site must post a link to a notice of its 
information practices with regard to children* * *.'' \103\ The Rule 
therefore does not otherwise require that operators post privacy 
notices, including general audience site operators that have actual 
knowledge that they have collected personal information from children. 
For the above reasons, the Commission concludes that no modification to 
the Rule's notice requirement is necessary.
---------------------------------------------------------------------------

    \100\ Microsoft at 2-3.
    \101\ 16 CFR 312.4.
    \102\ 16 CFR 312.4(b).
    \103\ Id.
---------------------------------------------------------------------------

3. Section 312.5: Verifiable Parental Consent
a. General Issues
    Section 312.5 of the Rule requires operators to obtain verifiable 
parental consent before collecting, using, or disclosing any personal 
information from children, including making any material change to 
information practices to which the parent previously consented. The 
Commission requested comment on whether the consent requirement is 
effective, if its benefits outweigh its costs, and what changes, if 
any, should be made to the requirement. The Commission further asked 
whether it is reasonable for an operator to use a credit card to verify 
a parent's identity. The Commission also offered an additional 
opportunity for the public to comment on the Rule's sliding scale 
approach to obtaining verifiable parental consent.
1. Parental Opt-Out From Disclosure to Third Parties
    One commenter asked how operators that provide online communication 
services such as e-mail accounts, bulletin boards, and chat rooms can 
comply with Section 312.5(a)(2) of the Rule.\104\ This section mandates 
that parents must be given the option to allow an operator to collect a 
child's personal information (such as by registering a child for an e-
mail or chat account) but not disclose the information collected to 
third parties.\105\ The commenter noted that the Rule defines 
``disclosure'' to include ``making personal information collected * * * 
publicly available in identifiable form,'' such as through an e-mail 
account or chat room.\106\ Specifically, the commenter contended that 
``a parent cannot realistically consent only to the use of his or her 
child's personal information and not to the disclosure of such 
information by these [online communications] services.''\107\
---------------------------------------------------------------------------

    \104\ Microsoft at 4.
    \105\ 16 CFR 312.2.
    \106\ Microsoft at 4, citing 16 CFR 312.2.
    \107\ Id.
---------------------------------------------------------------------------

    Commission staff guidance addresses this point. ``The Rule only 
requires parental choice as to disclosures to third parties. You don't 
have to offer parents choice regarding the collection of personal 
information necessary for chat or a message board; but prior parental 
consent is still required before permitting children to participate in 
chat rooms or message boards that enable them to make their personal 
information publicly available.'' \108\ For example, when an e-mail 
provider obtains verifiable parent consent for registering a child for 
an e-mail account, the operator must let the parent opt out from any 
disclosures, by the operator, of information collected during the 
registration process. The Commission concludes that no modification to 
the Rule is required.
---------------------------------------------------------------------------

    \108\ COPPA FAQs, question 37, available at http://www.ftc.gov/privacy/coppafaqs.htm#consent. See also 64 FR at 59899, note 166.
---------------------------------------------------------------------------

2. Using a Credit Card To Obtain Verifiable Parental Consent
    The Rule sets forth a nonexclusive list of approved methods to 
obtain verifiable parental consent, including the use of a credit card 
in connection with a transaction.\109\ In light of reports that 
companies are marketing credit cards to minors,\110\ the Commission 
specifically requested comment on the continued use of credit cards as 
a means of obtaining verifiable parental consent.
---------------------------------------------------------------------------

    \109\ 16 CFR 312.5(b).
    \110\ See, e.g., articles at http://www.bankrate.com/brm/news/cc/20000508.asp; http://www.commercialalert.org/blog/archives/2005/02/marketing_credi.html; http://www.fool.com/news/commentary/2004/commentary04092804.htm (all last accessed 12/07/05).
---------------------------------------------------------------------------

    The majority of commenters on this issue stated that even if a 
small percentage of children may possess credit cards, using a credit 
card with a transaction is a reasonable and trustworthy method to 
obtain verifiable parental consent.\111\ No information was submitted 
demonstrating to what extent credit cards are issued to children under 
13.\112\ Commenters, however, emphasized that granting credit requires 
the formation of a legally enforceable contract between the creditor 
and the debtor, which has resulted in credit cards being issued almost 
exclusively to adults.\113\ Moreover, even if credit cards are being 
issued to children under 13, the same principles of contract law would 
require the credit cards to be linked to a supervisory adult's 
account.\114\ Through this link, parents can set controls on and 
monitor the account, ensuring that the children cannot use the credit 
cards without permission.\115\
---------------------------------------------------------------------------

    \111\ DMA 2 at 4, 5; ESRB at 2; Mattel 2 at 5; MPAA 2 at 6-8; 
Nickelodeon at 10-11; Scholastic at 2; Time Warner at 2.
    \112\ DMA 2 at 4; ESRB at 2; Mattel 2 at 5; MPAA 2 at 6; 
Scholastic at 2; Time Warner at 7.
    \113\ DMA 2 at 4; MPAA 2 at 7-8; Nickelodeon at 10; Scholastic 
at 2; Time Warner at 7-8.
    \114\ DMA 2 at 4; MPAA 2 at 6; Nickelodeon at 10; Time Warner at 
7.
    \115\ CUNA 2 at 2; NFCU 2 at 1.
---------------------------------------------------------------------------

    In addition, the Rule's requirement that the credit card be used in 
connection with a transaction provides

[[Page 13254]]

extra reliability because parents obtain a transaction record that 
gives them additional notice of the consent provided.\116\ Parents thus 
are notified of the purported consent, and can withdraw it if 
improperly given.\117\ The Commission is satisfied that no change in 
circumstances has invalidated using a credit card with a transaction to 
obtain verifiable parental consent.\118\
---------------------------------------------------------------------------

    \116\ MPAA 2 at 6.
    \117\ DMA 2 at 5; MPAA 2 at 7.
    \118\ The Commission expresses no view about the legal 
ramifications of using a credit card transaction as a proxy for age 
generally, a tangential issue raised by some commenters. Mattel 2 at 
5; MPAA at 7-8; Nickelodeon at 10-11; Scholastic at 2; Time Warner 
at 8.
---------------------------------------------------------------------------

    One commenter requested clarification on whether the Rule would 
permit using a credit card to obtain verifiable parental consent 
without a concomitant transaction.\119\ The Rule provides: ``Any method 
to obtain verifiable parental consent must be reasonably calculated, in 
light of available technology, to ensure that the person providing 
consent is the child's parent.'' \120\ Some methods can confirm that 
the credit card number provided is consistent with numbers that issuers 
assign to their credit cards, but this does not provide reasonable 
assurance that the number provided is for an actual credit card. Other 
methods can confirm that the credit card number is the number of an 
actual credit card, but does not provide reasonable assurance that the 
card belongs to the child's parent. The Commission therefore concludes 
that these methods are not reasonably calculated to ensure that it was 
the parent who provided consent. In addition, unless the operator 
conducts a transaction in connection with the consent, no record is 
formed notifying the parent of the purported consent and offering an 
opportunity to revisit that consent.\121\ The Commission concludes that 
no modification is warranted to the Rule provision treating the use of 
a credit card in connection with a transaction as one method of 
obtaining verifiable parental consent.\122\
---------------------------------------------------------------------------

    \119\ ESRB at 2.
    \120\ 16 CFR 312.5(b)(1).
    \121\ DMA 2 at 5.
    \122\ Previous FTC staff guidance suggested that operators might 
not always be prohibited from using a credit card without a 
transaction to obtain consent. Such guidance will be clarified to 
reflect the Commission's determination that such a method currently 
does not constitute verifiable parental consent. See COPPA FAQs, 
question 34, at http://www.ftc.gov/privacy/coppafaqs.htm#consent.
---------------------------------------------------------------------------

3. The E-Mail Exceptions to Prior Parental Consent
    The Commission next requested comment on the Rule's exceptions to 
prior parental consent (the ``e-mail exceptions'' to prior parental 
consent). In limited circumstances, COPPA and Section 312.5(c) of the 
Rule allow operators to collect the online contact information of the 
child, and sometimes parent, before obtaining verifiable parental 
consent.\123\ Such circumstances include when the operator seeks to 
obtain parental consent, wants to respond once to a child's specific 
request (such as a homework help question), or wants to respond 
multiple times to a child's specific request (such as an electronic 
newsletter).\124\
---------------------------------------------------------------------------

    \123\ 15 U.S.C. 6503(b)(2); 16 CFR 312.5(c).
    \124\ Id.
---------------------------------------------------------------------------

    Two commenters stated that the e-mail exceptions are useful in 
allowing operators to continue to provide interactive content to 
children online. One stated: ``The ability to use COPPA's `e-mail 
exceptions' to parental consent has enabled us to offer meaningful 
children's content and preserve the interactivity of the medium, while 
still protecting privacy.'' \125\ The commenter noted that the e-mail 
exceptions enable not only online activities popular with children, 
such as contests, online newsletters, and electronic postcards, but 
also sending direct notices and requests for consent to parents.\126\
---------------------------------------------------------------------------

    \125\ Nickelodeon at 1.
    \126\ Id. at 5.
---------------------------------------------------------------------------

    Another commenter suggested that the Rule should prohibit operators 
from collecting any information from children, even just an e-mail 
address, without parental consent. However, the commenter neither 
provided any basis for eliminating the e-mail exceptions nor offered 
any alternative way to provide direct notice and obtain parental 
consent.\127\ The Commission concludes for these reasons that no 
modification to the e-mail exceptions to prior parental consent is 
necessary.
---------------------------------------------------------------------------

    \127\ Domentech at 6.
---------------------------------------------------------------------------

b. The Sliding Scale Approach To Obtaining Verifiable Parental Consent
    In its April 2005 FRN, the Commission gave the public an additional 
opportunity to comment on the Rule's sliding scale approach to 
obtaining verifiable parental consent. The Rule provides that ``[a]ny 
method to obtain verifiable parental consent must be reasonably 
calculated, in light of available technology, to ensure that the person 
providing consent is the child's parent.'' \128\ Prior to issuing the 
Rule, the Commission studied extensively the state of available 
parental consent technologies.\129\ In July 1999, the Commission held a 
workshop on parental consent, which revealed that more reliable 
electronic methods of verification were not widely available or 
affordable.\130\
---------------------------------------------------------------------------

    \128\ 16 CFR 312.5(b)(1).
    \129\ See, e.g., public comments received on initial rulemaking 
(1999), available at http://www.ftc.gov/privacy/comments/index.html.
    \130\ See FTC news release announcing workshop and transcript of 
workshop, available at http://www.ftc.gov/opa/1999/06/kidswork.htm 
and http://www.ftc.gov/privacy/chonlpritranscript.pdf.
---------------------------------------------------------------------------

    In determining to adopt the sliding scale approach in 1999, the 
Commission balanced the costs imposed by the method of obtaining 
parental consent and the risks associated with the intended uses of 
information.\131\ Because of the limited availability and affordability 
of the more reliable methods of obtaining consent--including electronic 
methods of verification--the Commission found that these methods should 
be required only when obtaining consent for uses of information posing 
the greatest risks to children, such as chat, e-mail accounts, and 
message boards.\132\ Accordingly, the Commission implemented the 
sliding scale approach, noting that it would ``provide[] operators with 
cost-effective options until more reliable electronic methods became 
available and affordable, while providing parents with the means to 
protect their children.'' \133\
---------------------------------------------------------------------------

    \131\ 64 FR 59901-02.
    \132\ Id.
    \133\ Id.
---------------------------------------------------------------------------

    The sliding scale approach allows an operator, when collecting 
personal information only for its internal use, to obtain verifiable 
parental consent through an e-mail from the parent, so long as the e-
mail is coupled with additional steps. Such additional steps include: 
obtaining a postal address or telephone number from the parent and 
confirming the parent's consent by letter or telephone call, or sending 
a delayed confirmatory e-mail to the parent after receiving 
consent.\134\ The purpose of the additional steps is to provide greater 
assurance that the person providing the consent is, in fact, the 
parent.
---------------------------------------------------------------------------

    \134\ Id. CARU, a Commission-approved COPPA safe harbor program, 
expressed concern that operators may not understand that an 
additional step is required.
---------------------------------------------------------------------------

    In contrast, for uses of personal information that involve 
disclosing the information to the public or third parties, the Rule 
requires operators to use more reliable methods of obtaining verifiable 
parental consent. These methods include: using a print-and-send form 
that can be faxed or mailed back to the Web site operator; requiring a 
parent to use a credit card in connection with a transaction; having a 
parent call a toll-free telephone number staffed by trained personnel; 
using a digital certificate that uses public key

[[Page 13255]]

technology; and using e-mail accompanied by a PIN or password obtained 
through one of the above methods.\135\ As noted in the Rule's Statement 
of Basis and Purpose, these more reliable methods of obtaining parental 
consent are justified because ``the record shows that disclosures to 
third parties are among the most sensitive and potentially risky uses 
of children's personal information.'' \136\
---------------------------------------------------------------------------

    \135\ 16 CFR 312.5(b)(2).
    \136\ 64 FR 59899.
---------------------------------------------------------------------------

    When it issued the Rule, the Commission anticipated that the 
sliding scale approach would be necessary only in the short term 
because more reliable methods of obtaining verifiable parental consent 
would become widely available and affordable.\137\ Accordingly, the 
approach originally was set to expire two years after the Rule went 
into effect.\138\ However, when public comment in 2002 revealed that 
the expected progress in available technology had not occurred, the 
Commission extended the approach three more years.\139\
---------------------------------------------------------------------------

    \137\ 64 FR 59902.
    \138\ 16 CFR 312.5(b)(2).
    \139\ 67 FR 18818.
---------------------------------------------------------------------------

    With the sliding scale approach set to expire on April 21, 2005, 
the Commission again sought comment on it in its January 2005 NPR.\140\ 
The NPR noted that the expected progress in available technology 
apparently still had not transpired and requested comment on a proposed 
amendment making the sliding scale approach a permanent feature of the 
Rule. The Commission also requested comment on: (1) The current and 
anticipated availability and affordability of more secure electronic 
mechanisms or infomediaries for obtaining parental consent; (2) the 
effect of the sliding scale approach on the incentive to develop and 
deploy more secure electronic mechanisms; (3) the effect of the sliding 
scale approach on operators' incentives to disclose children's personal 
information to third parties or the public; and (4) any evidence the 
sliding scale approach is being misused or not working effectively.
---------------------------------------------------------------------------

    \140\ 70 FR 2580.
---------------------------------------------------------------------------

    The vast majority of the commenters responding to the NPR stated 
that the development and deployment of secure electronic verification 
technologies did not appear to be on the horizon. However, because some 
commenters questioned the effectiveness of and need for the sliding 
scale approach, the Commission decided it would be beneficial to accept 
additional comments during the regulatory review comment period. To 
allow for such additional comments, the Commission eliminated the 
sliding scale approach's sunset date from the Rule, thereby extending 
the approach.\141\
---------------------------------------------------------------------------

    \141\ 70 FR at 21106.
---------------------------------------------------------------------------

    Having reviewed the comments submitted in response to the January 
2005 NPR and the April 2005 NPR, the Commission concludes that more 
secure electronic mechanisms and infomediary services for obtaining 
verifiable parental consent are not yet widely available at a 
reasonable cost. The Commission therefore has decided to extend the 
sliding scale approach indefinitely, while continuing to monitor 
technological developments. As discussed below, the Commission believes 
that this flexible approach will allow parents and operators to 
continue to rely on a familiar and efficient tool and allow the Rule to 
reflect changes in technology.
1. The Availability and Cost of More Secure Methods of Verification
a. Electronic Verification Technology
    Most of the commenters that specifically addressed the sliding 
scale approach stated that secure electronic mechanisms have not 
developed to the point where they are widely available and 
affordable.\142\ In addition, the anticipated date for the development 
and deployment of such technologies on a widespread and affordable 
basis cannot be predicted with any reasonable certainty.\143\ For 
example, the Software & Information Industry Association, the principal 
and worldwide trade association of the software code and digital 
content industry, stated that:
---------------------------------------------------------------------------

    \142\ ADVO at 1; Aftab at 5; AAAA at 2; CARU at 2; CASRO at 3-5; 
CMOR; CUNA at 2; CUNA 2 at 2; DMA at 4; DMA 2 at 6; EPIC at 2; EPIC 
2 at 3; ITLG at 1; Masterfoods; Mattel at 1; Mattel 2 at 4; MPAA at 
6; NCTA at 2; NFCU at 1; NCFU 2 at 1-2; Nickelodeon at 8; P&G SIIA 
at 1; Scholastic at 2; Time Warner 3-4; TRUSTe at 2; U.S. ISPA at 1; 
WLF at 6-7.
    \143\ CASRO at 5-6; DMA at 4; MPAA at 2; SIIA at 3; Time Warner 
at 3-4; U.S. ISPA at 3.

In reviewing developments over the last several years, there are no 
clear signals that the anticipated verification technology--
technology that must be low-cost, widely deployed and acceptable to 
consumer end users--is likely to be economically and widely 
available in the consumer market in the foreseeable future.\144\
---------------------------------------------------------------------------

    \144\ SIIA at 3.

    The comments received suggest that extending the sliding scale 
approach will not discourage technological innovation or undermine the 
global development of secure electronic verification technologies.\145\ 
One commenter noted that the sliding scale approach does not prevent 
companies from using secure electronic technologies now or in the 
future.\146\ Although three commenters suggested that extending the 
sliding scale approach may discourage the development of secure 
verification technologies, none explained how or to what extent 
children's privacy and parental consent issues would have such an 
effect.\147\
---------------------------------------------------------------------------

    \145\ CARU at 2; Mattel at 1.
    \146\ MPAA at 6.
    \147\ CASRO at 6; Mehdikdani at 3; Privo at 7.
---------------------------------------------------------------------------

    Several commenters discussed the state of electronic verification 
technology in detail and noted the lack of widely available, cost 
effective, and consumer friendly verification technologies.\148\ In 
particular, commenters discussed how digital signatures, digital 
certificates, public key infrastructure, P3P, and other electronic 
technologies have not developed as anticipated.\149\ For example, the 
Motion Picture Association of America (``MPAA'') said that ``the range 
of digital signature technologies are either too costly for consumers 
(e.g., biometric verification systems), not able to confirm the 
identity of users (e.g., P3P), or not widely deployed (e.g., encryption 
key systems).'' \150\ The MPAA further stated that encryption key 
technology is only effective at confirming which computer has 
transmitted consent and cannot independently identify whether the user 
is a parent or a child.\151\ No commenters presented evidence that the 
state of these technologies--or their usefulness in obtaining parental 
consent--has improved since the inception of the Rule.
---------------------------------------------------------------------------

    \148\ Aftab at 5; CASRO at 3-5; Mattel 2 at 4; MPAA at 5-6; SIIA 
at 3; Time Warner at 3-4; U.S. ISPA at 2-3.
    \149\ Id.
    \150\ MPAA at 5.
    \151\ Id. at 5-6.
---------------------------------------------------------------------------

    The United States Internet Service Provider Association, which 
represents major Internet service providers and network providers, 
explained that widespread public key infrastructure solutions have not 
developed due to the lack of an appropriate legal regime: ``there is no 
easily identifiable certification authority that will take on the 
liability for verifying identities in an open, public system.'' \152\ 
The group also stated that reliable public key solutions are difficult 
to achieve because ``certification standards are insufficiently 
developed and precise to assure reliable interoperability of the 
various subtly different implementations of a given standard

[[Page 13256]]

* * * that inevitably appear in the open Internet environment.'' \153\
---------------------------------------------------------------------------

    \152\ US ISPA at 3.
    \153\ Id.
---------------------------------------------------------------------------

    The Platform for Privacy Preferences Project (``P3P''), developed 
by the World Wide Web Consortium, is a technology that enables Web 
sites to express their privacy practices in a standard, machine-
readable format. P3P-enabled browsers can ``read'' privacy practices 
automatically and compare them to a consumer's own set of privacy 
preferences. The technology is designed to give consumers a simple, 
automated way to gain more control over the use of their personal 
information on Web sites they visit.\154\ While P3P technology can 
offer individuals more control over how their personal information is 
used or disclosed online, it is not employed widely by consumers.\155\ 
Even if it were widely used, the automated P3P platform would not 
facilitate the notice and consent required by COPPA. To give verifiable 
parental consent under COPPA, a parent must be informed about specific 
information and then provide an appropriate form of verifiable parental 
consent. P3P cannot ensure either that a parent has been informed or 
that the person providing consent is the child's parent. Moreover, 
parents' privacy preferences for themselves might not be the same as 
for their children.
---------------------------------------------------------------------------

    \154\ See World Wide Web Consortium Recommendation for the 
Platform for Privacy Preferences 1.0 (P3P1.0) Specification, 
available at http://www.w3.org/TR/P3P/#Introduction.
    \155\ CASRO at 4-5; MPAA at 5.
---------------------------------------------------------------------------

    Other commenters agreed that digital signature, digital 
certificate, and other digital verification technologies are not 
currently viable options for obtaining parental consent because they 
have not developed sufficiently and are not widely accessible to 
consumers.\156\ One commenter also noted that the cost of these 
technologies may be prohibitive for both businesses and consumers to 
use in obtaining parental consent.\157\
---------------------------------------------------------------------------

    \156\ CARU at 2; Mattel at 1; Mehdikdani at 1; NCTA at 2.
    \157\ MPAA at 6.
---------------------------------------------------------------------------

    Finally, commenters also noted that, to the extent these electronic 
verification technologies have improved, the advances have been in 
business-to-business, not business-to-consumer, applications.\158\ For 
example, digital signature and digital certificate technologies, which 
can provide reliable electronic verification of a signer's identity, 
are sometimes employed in commercial transactions, but have not 
advanced to the point of being a viable alternative for obtaining 
verifiable parental consent.\159\ Public key infrastructure solutions, 
which provide a means for encrypting and decrypting information, also 
seem to be marketed almost exclusively for business-to-business 
applications.\160\
---------------------------------------------------------------------------

    \158\ CASRO at 4-5; MPAA at 5; US ISPA at 2.
    \159\ CASRO at 4; MPAA at 5.
    \160\ MPAA at 5; U.S. ISPA at 3.
---------------------------------------------------------------------------

b. The Availability and Cost of Infomediary Services
    Commenters likewise submitted information about whether infomediary 
services are widely available and affordable. Infomediary services act 
as middlemen in obtaining verifiable parental consent for Web sites and 
can offer options such as driver's license and social security number 
verification. Several commenters noted that infomediary services to 
facilitate obtaining verifiable parental consent are not widely 
available and affordable.\161\
---------------------------------------------------------------------------

    \161\ CASRO at 5; ITLG at 1; P&G.
---------------------------------------------------------------------------

    One commenter, Privo Inc., an infomediary service recently approved 
as a COPPA safe harbor program, stated that such services are already 
widely available at a reasonable cost, but cited only one example, 
itself.\162\ Privo's comment did not indicate how many clients have 
used its service, although another commenter stated that it has used 
Privo's service.\163\ This commenter expressed support for Privo's 
registration process; however, it did not contend that infomediary 
services are otherwise widely available.\164\
---------------------------------------------------------------------------

    \162\ Privo at 6. Privo did note that it has ``processed 
hundreds of thousands of online registrations requiring verifiable 
parental consent.''
    \163\ Schwab Learning at 1.
    \164\ Id.
---------------------------------------------------------------------------

    The comments received did not demonstrate that infomediary services 
are affordable or would be widely used. Privo's comment did not provide 
any information about the start-up and monthly costs for operators that 
use its service, although it stated that it ``currently does not charge 
more than $1 per verification, and often much less.'' \165\ Other 
commenters, in contrast, stated that the costs of obtaining verifiable 
parental consent through more verifiable means, like infomediary 
services, are higher than what many small and medium-size operators can 
afford to pay.\166\ Moreover, one commenter stated that parents are 
willing to grant consent to an operator with a recognizable brand name, 
but would be unlikely to ``embrace infomediary technology'' because it 
involves granting consent to an entity with which the parents have 
little or no experience.\167\ Consequently, the Commission finds that 
more secure electronic verification technologies and infomediary 
services to facilitate obtaining parental consent do not appear to be, 
currently or foreseeably, widely available at a reasonable cost.\168\
---------------------------------------------------------------------------

    \165\ Privo at 6.
    \166\ CARU at 2; DMA at 5; ITLG at 1; MPAA at 3-4; see also P&G 
SIIA at 3.
    \167\ Mattel 2 at 4.
    \168\ One commenter stated that more research is required to 
better understand the role of infomediaries but did not explain what 
specifically needs to be studied. CDD at 2.
---------------------------------------------------------------------------

2. The Effectiveness of the Sliding Scale Approach
    The Commission concludes that, over the course of five years, the 
sliding scale approach has proven to be an effective method for 
protecting children's privacy without hindering the development of 
children's online content.\169\ Several commenters noted that there 
have been few complaints by parents about the sliding scale 
approach.\170\ Although some commenters suggested that the e-mail plus 
mechanism, permitted for internal use of information collected from 
children, is unreliable, they did not provide any examples where 
children's privacy has been violated.\171\ One commenter was concerned 
that operators may not understand that an additional follow-up step is 
required in addition to the consent e-mail itself.\172\
---------------------------------------------------------------------------

    \169\ Comments that support the Commission's conclusion include: 
ADVO at 1; AAAA at 1; ALA; Brewer; CARU at 2; DMA at 2; Mattel 2 at 
4; MPAA at 2; NCTA at 1; P&G Scholastic at 2; SIIA at 3; Time 
Warner at 3-4; US ISPA at 3; WLF at 4, 6.
    \170\ ALA; CARU at 2; CASRO at 7; CoSN; DMA at 4; Mattel at 2; 
Mattel 2 at 4; MPAA at 3; NCTA at 2; Scholastic at 2; WLF at 7. 
These comments are consistent with the FTC staff's enforcement 
experience.
    \171\ E.g., Acampora; Privo at 2, 4-5; Villamil at 3; Vogel at 
1-2. Some commenters appear to be under the misimpression that the 
Rule permits operators to obtain consent through a single e-mail, 
without more. E.g., Abbate and 47 other commenters who submitted 
form letters.
    \172\ CARU at 2. The commenter did not suggest any particular 
language that might further clarify the language, which identifies 
such steps as ``sending a confirmatory e-mail to the parent 
following receipt of consent; or obtaining a postal address or 
telephone number from the parent and confirming the parent's consent 
by letter or telephone call.'' 16 CFR 312.5(b)(2).
---------------------------------------------------------------------------

    Some comments received in response to the January 2005 NPR 
suggested that making the sliding scale approach permanent may foster 
the development of appropriate children's online content.\173\ These 
commenters noted that the sliding scale approach enables Web sites to 
provide interactive content for children without requiring operators to 
institute more costly parental consent mechanisms that could have the 
unintended effect of reducing children's

[[Page 13257]]

content on the Internet.\174\ The commenters suggested that making the 
sliding scale approach permanent may encourage companies to make the 
types of investments in children's content that they may have hesitated 
to make in the past given the temporary nature of the sliding scale 
approach.\175\
---------------------------------------------------------------------------

    \173\ ADVO at 1; AAAA at 1; CoSN 2 at 1; DMA at 4-5; MPAA at 4; 
Nickelodeon at 1-2, 8; SIIA at 3.
    \174\ ADVO at 1; AAAA at 1; DMA at 4-5; MPAA at 4; SIIA at 3.
    \175\ Id.; Nickelodeon at 8.
---------------------------------------------------------------------------

    Nearly all commenters agreed that use of the sliding scale approach 
is justified because collecting children's personal information only 
for internal use continues to present a low risk to children.\176\ Even 
when an operator obtains consent through the e-mail plus mechanism, 
such information is protected because the operator must comply with the 
Rule's mandate to ``establish and maintain reasonable procedures to 
protect the confidentiality, security, and integrity'' of that 
information.\177\ In addition, commenters noted that disclosing 
children's personal information continues to pose a greater risk to 
children than keeping it internal.\178\ Some commenters stated that the 
low cost of the e-mail plus mechanism will encourage operators to not 
disclose children's information to third parties,\179\ which furthers 
one of COPPA's stated goals of protecting children's online 
safety.\180\ Two commenters even suggested that, given the lesser risks 
posed by operators' internal uses of information, the Commission should 
eliminate the prior parental consent requirement for such operators and 
require them only to provide parents with direct notice and an 
opportunity to opt-out of the maintenance and use of their child's 
information.\181\
---------------------------------------------------------------------------

    \176\ ADVO at 1; AAAA at 1; ALA; Brewer; CARU at 2; CoSN; CUNA 
at 1-2; ICUL; Mattel at 1; NFCU at 1; P&G SIIA at 4; US ISPA at 3. 
But cf. Privo at 5; Villamil at 1, 3; Vogel at 1, 2 (stating that 
internal use and disclosure are equally risky).
    \177\ 16 CFR 312.8.
    \178\ ADVO at 1; AAAA at 1; Brewer; CARU at 2; CoSN; CUNA at 1-
2; DMA at 2-3; ICUL; Mattel at 1; NFCU at 1; P&G SIIA at 4; US ISPA 
at 3.
    \179\ ADVO at 1; ALA 2 at 2; CASRO at 6; CUNA at 2; NFCU at 1; 
TRUSTe at 2.
    \180\ ADVO at 1; CUNA at 2; NFCU at 1.
    \181\ CARU at 2; Mattel at 2.
---------------------------------------------------------------------------

    The Commission concludes that the effectiveness of the sliding 
scale approach warrants its continued use without modification.
3. The Commission's Decision To Extend the Sliding Scale on an 
Indefinite Basis
    Several commenters argued that the sliding scale approach should be 
made permanent rather than extending it for a finite period of time. 
They stressed the benefits of greater regulatory certainty, including 
providing a consistent standard that operators can rely on in deciding 
how to structure their activities and encouraging investments in 
children's content with some assurance about the law's requirements for 
parental consent mechanisms.\182\ Some commenters additionally noted 
that many operators have made significant investments in implementing 
the sliding scale and that abandoning the regime without an equally 
viable, cost-effective alternative may adversely affect these 
companies, particularly the small ones.\183\
---------------------------------------------------------------------------

    \182\ DMA at 5; MPAA at 2; NCTA at 2; P&G SIIA at 3.
    \183\ CASRO at 6; CARU at 2; ITLG at 1; Mattel at 1; MPAA at 3; 
NCTA at 2.
---------------------------------------------------------------------------

    Based on the public comments received, and its own experience in 
administering the Rule, the Commission concludes that the risk to 
children's privacy from an operator collecting personal information 
only for its internal use remains relatively low. The Commission also 
determines that more secure electronic technologies and infomediary 
services that might be used to obtain parental consent for internal use 
of personal information from children are not widely available at a 
reasonable cost. Further, the Commission concludes that the sliding 
scale approach has worked well and its continued use may foster the 
development of children's online content.
    In light of the unpredictability of technological advancement and 
the benefits of decreasing regulatory uncertainty, the Commission has 
determined to retain the sliding scale indefinitely while it continues 
to evaluate developments. As one commenter noted, nothing precludes the 
Commission from revisiting the issue at an appropriate point in the 
future.\184\ If warranted by future developments, the Commission will 
seek comment on amending the Rule to change the sliding scale 
mechanism.
---------------------------------------------------------------------------

    \184\ CUNA at 2.
---------------------------------------------------------------------------

4. Section 312.6: Parental Access
    Section 312.6 of the Rule requires operators to give a parent, upon 
request: (1) A description of the types of personal information 
collected from children (e.g., ``We collect full name and e-mail 
address from children''); (2) the opportunity for the parent to refuse 
to permit the further use or collection of personal information from 
his or her child and direct the deletion of the information; and (3) a 
means of reviewing any actual personal information collected from his 
or her child (e.g., ``We have collected the following information from 
your child: Mary Smith, [email protected]''). The Commission asked if 
these requirements are effective, if their benefits outweigh their 
costs, and what changes, if any, should be made.
    The Commission received one comment related to a parent's right to 
direct the operator to delete the child's personal information.\185\ 
The commenter indicated that operators may want to retain children's 
personal information in certain situations, ranging from private 
contractual obligations to active law enforcement investigations, 
irrespective of a parent's direction to delete the information.\186\ 
The commenter then suggested that the Commission should draft a list of 
exceptions to the Rule's deletion requirement to address these 
situations.\187\
---------------------------------------------------------------------------

    \185\ 16 CFR 312.6(a)(2).
    \186\ Microsoft at 3.
    \187\ Id.
---------------------------------------------------------------------------

    COPPA mandates, and the Rule requires, that operators satisfy three 
requests when made by parents upon ``proper identification.'' \188\ 
First, operators must provide parents with a description of the types 
of information collected from children.\189\ Second, operators must 
provide parents with ``the opportunity at any time to refuse to permit 
the operator's further use or maintenance in retrievable form'' of 
their child's personal information.\190\ Third, operators must provide 
parents with the actual information collected from their child.\191\ 
Without a change in the Act, the Commission cannot adopt the exceptions 
from the parental deletion requirement the commenter advocated.\192\ 
The Commission also is not aware of information sufficient to justify 
recommending that Congress amend the Act to create such exceptions.
---------------------------------------------------------------------------

    \188\ 15 U.S.C. 6503(b)(1)(B).
    \189\ 15 U.S.C. 6503(b)(1)(B)(i).
    \190\ 15 U.S.C. 6503(b)(1)(B)(ii).
    \191\ 15 U.S.C. 6503(b)(1)(B)(iii).
    \192\ The Rule does give operators the right to collect, without 
parental consent, the name and online contact information of a child 
``to the extent permitted under other provisions of law, to provide 
information to law enforcement agencies or for an investigation on a 
matter related to public safety.'' 16 CFR 312.5(c)(5)(iv).
---------------------------------------------------------------------------

    The commenter also requested that the Commission clarify why 
operators must verify the identity of a purported parent before 
disclosing his or her child's personal information, but not verify the 
identity of a purported parent

[[Page 13258]]

before deleting the information.\193\ In drafting the Rule, the 
Commission carefully considered what level of identification would be 
appropriate for these two requirements. Erroneously disclosing a 
child's actual personal information to a purported parent poses a high 
risk to that child's privacy because the purported parent receives the 
actual personal information of the child.\194\ In contrast, erroneously 
deleting a child's actual personal information poses a lower risk 
because the purported parent never receives the information.\195\ The 
Commission thus concluded that the former, but not the latter, 
situation warrants verifying the purported parent's identity.\196\ 
After reconsideration, the Commission concludes that no modification to 
this requirement is warranted.
---------------------------------------------------------------------------

    \193\ In conducting this verification, operators are required to 
use the same methods that they must use to obtain verifiable 
parental consent. 16 CFR 312.6(a)(3)(i).
    \194\ 64 FR at 59904.
    \195\ Id. at 59904-05.
    \196\ 16 CFR 312.6(a)(1) and (2).
---------------------------------------------------------------------------

5. Section 312.7: Prohibition Against Conditioning a Child's 
Participation on the Collection of More Personal Information Than Is 
Necessary
    Section 312.7 of the Rule prohibits operators from conditioning a 
child's participation in an activity on disclosing more personal 
information than is reasonably necessary to participate in that 
activity. The Commission asked whether this prohibition is effective, 
if its benefits outweigh its costs, and what changes, if any, should be 
made to it. The Commission received one comment addressing this 
provision of the Rule. The commenter raised no concerns and cited this 
provision as one way in which the Rule has ``succeeded in providing 
more privacy protections and safeguards for both children and their 
parents.'' \197\ The Commission concludes that no changes to this 
provision are warranted.
---------------------------------------------------------------------------

    \197\ CUNA 2 at 2.
---------------------------------------------------------------------------

6. Section 312.8: Confidentiality, Security, and Integrity of Personal 
Information Collected From a Child
    Section 312.8 of the Rule requires operators to establish and 
maintain reasonable procedures to protect the confidentiality, 
security, and integrity of personal information collected from a child. 
The Commission asked whether this requirement is effective, if its 
benefits outweigh its costs, and what changes, if any, should be made 
to it. The FTC also specifically asked if the term ``reasonable 
procedure'' is sufficiently clear. The Commission received no comments 
addressing this provision of the Rule. The FTC concludes that no 
modifications to this requirement are necessary.
7. Section 312.10: Safe Harbors
    Section 312.10 of the Rule provides that an operator will be deemed 
in compliance if the operator complies with Commission-approved self-
regulatory guidelines. The Commission asked if this ``safe harbor'' 
approach is effective, if its benefits outweigh its costs, and what 
changes, if any, should be made to it. In addressing the Rule's safe 
harbor provision, commenters uniformly lauded the part played by COPPA 
safe harbors in making successful the Commission's effort to protect 
children's online safety and privacy.\198\ In addition, one commenter 
stated that the COPPA safe harbors ``are an important educational 
resource on children's privacy issues, and serve to heighten awareness 
of children's privacy issues more generally.'' \199\ Another commenter 
said, ``the Safe Harbor program demonstrates the benefits of a self-
regulatory scheme and mechanism for industry to maintain high standards 
with limited government intervention.'' \200\
---------------------------------------------------------------------------

    \198\ DMA 2 at 5; ESRB at 3-4; Mattel 2 at 5-6; TRUSTe at 1-3.
    \199\ DMA 2 at 5.
    \200\ Mattel 2 at 5-6.
---------------------------------------------------------------------------

    One commenter, a COPPA safe harbor, suggested that the Commission 
encourage greater participation in COPPA safe harbor programs by 
amending the Rule to provide that ``membership in good standing in a 
Commission-approved safe harbor program is an affirmative defense to an 
enforcement action'' under COPPA.\201\ As this commenter recognized, 
the Rule already provides that operators ``in compliance'' with an 
approved safe harbor program ``will be deemed to be in compliance'' 
with the Rule and the Commission will consider an operator's 
participation in a safe harbor program in determining whether to open 
an investigation or file an enforcement action, and what remedies to 
seek.\202\ The commenter did not provide any evidence demonstrating 
that these current incentives to participate in safe harbor programs 
are inadequate. The Commission thus concludes that no changes to the 
safe harbor provision are necessary.
---------------------------------------------------------------------------

    \201\ TRUSTe at 3.
    \202\ 16 CFR 312.10(a) and 312.10(b)(4).
---------------------------------------------------------------------------

IV. Conclusion

    For the foregoing reasons, the Commission has determined to retain 
the Children's Online Privacy Protection Rule without modification.

List of Subjects in 16 CFR Part 312

    Communications, Computer technology, Consumer protection, Infants 
and Children, Privacy, Reporting and recordkeeping requirements, 
Safety, Science and technology, Trade practices, Youth.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 06-2356 Filed 3-14-06; 8:45 am]
BILLING CODE 6750-01-P