[Federal Register Volume 76, Number 187 (Tuesday, September 27, 2011)]
[Proposed Rules]
[Pages 59804-59833]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-24314]




Part III





Federal Trade Commission





-----------------------------------------------------------------------





16 CFR Part 312





Children's Online Privacy Protection Rule; Proposed Rule



-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 312

RIN 3084-AB20


Children's Online Privacy Protection Rule

AGENCY: Federal Trade Commission (``FTC'' or ``Commission'').

ACTION: Proposed rule; request for comment.

-----------------------------------------------------------------------

SUMMARY: The Commission proposes to amend the Children's Online Privacy 
Protection Rule (``COPPA Rule'' or ``Rule''), consistent with the 
requirements of the Children's Online Privacy Protection Act to respond 
to changes in online technology, including in the mobile marketplace, 
and, where appropriate, to streamline the Rule. After extensive 
consideration of public input, the Commission proposes to modify 
certain of the Rule's definitions, and to update the requirements set 
forth in the notice, parental consent, confidentiality and security, 
and safe harbor provisions. In addition, the Commission proposes adding 
a new provision addressing data retention and deletion.

DATES: Written comments must be received on or before November 28, 
2011.

ADDRESSES: Interested parties may file a comment online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``COPPA Rule Review, 16 
CFR Part 312, Project No. P104503'' on your comment, and file your 
comment online at https://ftcpublic.commentworks.com/ftc/2011copparulereview, by following the instructions on the Web-based 
form. If you prefer to file your comment on paper, write ``COPPA Rule 
Review, 16 CFR Part 312, Project No. P104503'' on your comment, and 
mail or deliver your comment to the following address: Federal Trade 
Commission, Office of the Secretary, Room H-113 (Annex E), 600 
Pennsylvania Avenue, NW., Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Phyllis H. Marcus or Mamie Kresses, 
Attorneys, Division of Advertising Practices, Bureau of Consumer 
Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW., 
Washington, DC 20580, (202) 326-2854, or (202) 326-2070.

SUPPLEMENTARY INFORMATION:

I. Background

    The COPPA Rule, 16 CFR part 312, issued pursuant to the Children's 
Online Privacy Protection Act (``COPPA'' or ``COPPA statute''), 15 
U.S.C. 6501 et seq., became effective on April 21, 2000. The Rule 
imposes certain requirements on operators of Web sites or online 
services directed to children under 13 years of age, and on operators 
of other Web sites or online services that have actual knowledge that 
they are collecting personal information online from a child under 13 
years of age (collectively, ``operators''). Among other things, the 
Rule requires that operators provide notice to parents and obtain 
verifiable parental consent prior to collecting, using, or disclosing 
personal information from children under 13 years of age.\1\ The Rule 
also requires operators to keep secure the information they collect 
from children and prohibits them from conditioning children's 
participation in activities on the collection of more personal 
information than is reasonably necessary to participate in such 
activities.\2\ The Rule contains a ``safe harbor'' provision enabling 
industry groups or others to submit to the Commission for approval 
self-regulatory guidelines that would implement the Rule's 
protections.\3\
---------------------------------------------------------------------------

    \1\ See Children's Online Privacy Protection Rule, 16 CFR 312.3.
    \2\ See 16 CFR 312.7 and 312.8.
    \3\ See 16 CFR 312.10; Children's Online Privacy Protection 
Rule, 64 FR 59888, 59906, 59908, 59915 (Nov. 3, 1999), available at 
http://www.ftc.gov/os/1999/10/64Fr59888.pdf.
---------------------------------------------------------------------------

    The Commission initiated a review of the Rule on April 21, 2005, 
pursuant to Section 6507 of the COPPA statute, which required the 
Commission to conduct a review within five years of the Rule's 
effective date.\4\ After considering extensive public comment, the 
Commission determined in March 2006 to retain the Rule without 
change.\5\
---------------------------------------------------------------------------

    \4\ See 15 U.S.C. 6507; 16 CFR 312.11.
    \5\ See Children's Online Privacy Protection Rule, 71 FR 13247 
(Mar. 15, 2006) (retention of rule without modification).
---------------------------------------------------------------------------

    The Commission remains deeply committed to helping to create a 
safer, more secure online experience for children and takes seriously 
the challenge to ensure that COPPA continues to meet its originally 
stated goals, even as online technologies, and children's uses of such 
technologies, evolve. In light of the rapid-fire pace of technological 
change since the Commission's 2005 review, including an explosion in 
children's use of mobile devices, the proliferation of online social 
networking and interactive gaming, the Commission initiated review of 
the COPPA Rule in April 2010 on an accelerated schedule.\6\
---------------------------------------------------------------------------

    \6\ The Commission generally reviews each of its trade 
regulation rules approximately every ten years. Under this schedule, 
the next COPPA Rule review was originally set for 2017.
---------------------------------------------------------------------------

    On April 5, 2010, the Commission published a document in the 
Federal Register seeking public comment on whether technological 
changes to the online environment over the preceding five years 
warranted any changes to the Rule.\7\ The Commission's request for 
public comment examined each aspect of the COPPA Rule, posing 28 
questions for the public's consideration.\8\ The Commission identified 
several areas where public comment would be especially useful, 
including examination of whether: The Rule's existing definitions are 
sufficiently clear and comprehensive, or warrant modification or 
expansion, consistent with the COPPA statute; additional technological 
methods to obtain verifiable parental consent should be added to the 
COPPA Rule, and whether any of the consent methods currently included 
should be removed; whether the Rule provisions on protecting the 
confidentiality and security of personal information are sufficiently 
clear and comprehensive; and the Rule's criteria and process for 
Commission approval and oversight of safe harbor programs should be 
modified in any way. The comment period closed on July 12, 2010. During 
the comment period, on June 2, 2010, the Commission held a public 
roundtable to discuss in detail several of the areas where public 
comment was sought, including the application of COPPA's definitions of 
``Internet,'' ``website,'' and ``online service'' to new devices and 
technologies, the COPPA statute's actual knowledge standard for general 
audience Web sites and online services, the definition of ``personal 
information,'' emerging parental consent mechanisms, and COPPA's 
exceptions to prior parental consent.\9\
---------------------------------------------------------------------------

    \7\ See Request for Public Comment on the Federal Trade 
Commission's Implementation of the Children's Online Privacy 
Protection Rule (``2010 Rule Review''), 75 FR 17089 (Apr. 5, 2010).
    \8\ Id.
    \9\ Information about the June 2, 2010 COPPA Roundtable is 
located at http://www.ftc.gov/bcp/workshops/coppa/index.shtml.
---------------------------------------------------------------------------

    In addition to the dialogue at the public roundtable, the 
Commission received 70 comments from industry representatives, advocacy 
groups, academics, technologists, and individual members of the public 
in response to the April 5, 2010 request for public comment.\10\ The 
comments addressed the efficacy of the Rule generally, and several possible 
areas for change.
---------------------------------------------------------------------------

    \10\ Public comments in response to the Commission's April 5, 
2010 Federal Register document are located at http://www.ftc.gov/os/comments/copparulerev2010/index.shtm. Comments have been numbered 
based upon alphabetical order. Comments are cited herein identified 
by commenter name, comment number, and, where applicable, page 
number.
---------------------------------------------------------------------------

II. COPPA's Definition of ``Child''

    The COPPA statute, and by extension, the COPPA Rule, defines as a 
child ``an individual under the age of 13.'' \11\ A few commenters 
suggested that COPPA's protections be broadened to cover a range of 
adolescents over age 12 and urged the Commission to seek a statutory 
change from Congress.\12\ By contrast, the majority of commenters who 
addressed this issue expressed concern that expanding COPPA's coverage 
to teenagers would raise a number of constitutional, privacy, and 
practical issues.\13\
---------------------------------------------------------------------------

    \11\ See 15 U.S.C. 6502(1).
    \12\ See Andrew Bergen (comment 4); Common Sense Media (comment 
12).
    \13\ See Sharon Anderson (comment 2); Kevin Brook (comment 6); 
Center for Democracy and Technology (``CDT'') (comment 8), at 5; 
CTIA (comment 14), at 10; Facebook (comment 22), at 2; Elatia 
Grimshaw (comment 26); Interactive Advertising Bureau (``IAB'') 
(comment 34), at 6-7; Harold Levy (comment 37); Motion Picture 
Association of America (``MPAA'') (comment 42), at 4; National Cable 
& Television Association (comment 44), at 5 n.16; NetChoice (comment 
45), at 2; Promotion Marketing Association (``PMA'') (comment 51), 
at 5; Berin Szoka (comment 59), at 6; Toy Industry Association of 
America (comment 63), at 5. Five commenters urged the Commission to 
consider lowering or eliminating COPPA's age to permit younger 
children access to a variety of educational online offerings. See 
Eric MacDonald (comment 38); Mark Moran (comment 41); Steingreaber 
(comment 58); Karla Talbot (comment 60); Daniel Widrew (comment 67).
---------------------------------------------------------------------------

    Recognizing the difficulties of extending COPPA to children ages 13 
or older, at least one commenter, the Institute for Public 
Representation, proposed the need for alternative privacy protections 
for teenagers. This commenter, while not proposing a statutory change 
to the definition of ``child,'' called on the Commission to develop a 
set of privacy protections for teens, consistent with the Fair 
Information Practices Principles created by the Organization for 
Economic Cooperation and Development, that would require understandable 
notices, limited information collection, an opt-in consent process, and 
access and control rights to data collected from them.\14\
---------------------------------------------------------------------------

    \14\ See Institute for Public Representation (comment 33), at 
42.
---------------------------------------------------------------------------

    In the course of drafting COPPA, Congress looked closely at whether 
adolescents should be covered by the law. Congress initially considered 
a requirement that operators make reasonable efforts to provide parents 
with notice and an opportunity to prevent or curtail the collection or 
use of personal information collected from children over the age of 12 
and under the age of 17.\15\ Ultimately, however, Congress decided to 
define a ``child'' as an individual under age 13.\16\ The Commission 
supported this assessment at the time, based in part on the view that 
young children under age 13 do not possess the level of knowledge or 
judgment to make appropriate determinations about when and if to 
divulge personal information over the Internet.\17\ The Commission 
continues to believe that the statutory definition of a child remains 
appropriate.\18\
---------------------------------------------------------------------------

    \15\ See Children's Online Privacy Protection Act of 1998, S. 
2326, 105th Cong. Sec.  3(a)(2)(iii) (1998).
    \16\ See 15 U.S.C. 6502.
    \17\  See Protection of Children's Privacy on the World Wide 
Web: Hearing on S. 2326 Before the Subcomm. on Communications of the 
S. Comm. on Commerce, Science & Transportation, 105th Cong. (1998), 
at 5 (Statement of Robert Pitofsky, Chairman, Federal Trade 
Commission), available at http://www.ftc.gov/os/1998/09/priva998.htm 
(``Children are not fully capable of understanding the consequences 
of divulging personal information online.'').
    \18\ See Protecting Youths in an Online World: Hearing Before 
the Subcomm. on Consumer Protection, Product Safety, and Insurance 
of the S. Comm. on Commerce, Science & Transportation, 111th Cong. 
14-15 (2010) (Statement of Jessica Rich, Deputy Director, Bureau of 
Consumer Protection, Federal Trade Commission), available at http://www.ftc.gov/os/testimony/100715toopatestimony.pdf.
---------------------------------------------------------------------------

    Although teens face particular privacy challenges online,\19\ 
COPPA's parental notice and consent approach is not designed to address 
such issues. COPPA's parental notice and consent model works fairly 
well for young children, but the Commission continues to believe that 
it would be less effective or appropriate for adolescents.\20\ COPPA 
relies on children providing operators with parental contact 
information at the outset to initiate the consent process. The COPPA 
model would be difficult to implement for teenagers, as many would be 
less likely than young children to provide their parents' contact 
information, and more likely to falsify this information or lie about 
their ages in order to participate in online activities. In addition, 
courts have recognized that as children age, they have an increased 
constitutional right to access information and express themselves 
publicly.\21\ Finally, given that adolescents are more likely than 
young children to spend a greater proportion of their time on Web sites 
and online services that also appeal to adults, the practical 
difficulties in expanding COPPA's reach to adolescents might 
unintentionally burden the right of adults to engage in online 
speech.\22\ For all of these reasons, the Commission declines to 
advocate for a change to the statutory definition of ``child.''
---------------------------------------------------------------------------

    \19\ For example, research shows that teens tend to be more 
impulsive than adults and that they may not think as clearly as 
adults about the consequences of what they do. See, e.g., Transcript 
of Exploring Privacy, A Roundtable Series (Mar. 17, 2010), Panel 3: 
Addressing Sensitive Information, available at http://htc-01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/031710_sess3.pdf; Chris Hoofnagle, Jennifer King, Su Li, and Joseph Turow, 
How Different Are Young Adults from Older Adults When It Comes to 
Information Privacy Attitudes & Policies? (April 14, 2010), 
available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1589864. As a result, they may voluntarily disclose more 
information online than they should. On social networking sites, 
young people may share personal details that leave them vulnerable 
to identity theft. See Javelin Strategy and Research, 2010 Identity 
Fraud Survey Report (Feb. 2010), available at https://www.javelinstrategy.com/uploads/files/1004.R_2010IdentityFraudSurveyConsumer.pdf. They may also share details 
that could adversely affect their potential employment or college 
admissions. See e.g., Commonsense Media, Is Social Networking 
Changing Childhood? A National Poll (Aug. 10, 2009), available at 
http://www.commonsensemedia.org/teen-social-media (indicating that 
28 percent of teens have shared personal information online that 
they would not normally share publicly).
    \20\ Id.
    \21\ See, e.g., American Amusement Mach. Ass'n v. Kendrick, 244 
F.3d 572 (7th Cir. 2001) (citing Erznoznik v. City of Jacksonville, 
422 U.S. 205, 212-14 (1975)); Tinker v. Des Moines Indep. Sch. 
Dist., 393 U.S. 503, 511-14 (1969).
    \22\ See ACLU v. Ashcroft, 534 F.3d 181, 196 (3d Cir. 2008) 
(citing ACLU v. Gonzales, 478 F. Supp. 2d 775, 806 (E.D. Pa. 2007) 
(``Requiring users to go through an age verification process would 
lead to a distinct loss of personal privacy.''); see also Bolger v. 
Youngs Drug Prods. Corp., 463 U.S. 60, 73 (1983) (citing Butler v. 
Michigan, 352 U.S. 380, 383 (1957) (``The Government may not reduce 
the adult population * * * to reading only what is fit for 
children.''). See also Berin Szoka (comment 59), at 6.
---------------------------------------------------------------------------

    Although the Commission does not recommend that Congress expand 
COPPA to cover teenagers, the Commission believes that it is essential 
that teens, like adults, be provided with clear information about uses 
of their data and be given meaningful choices about such uses. 
Therefore, the Commission is exploring new privacy approaches that will 
ensure that teens--and adults--benefit from stronger privacy 
protections than are currently generally available.\23\
---------------------------------------------------------------------------

    \23\ See A Preliminary FTC Staff Report on Protecting Consumer 
Privacy in an Era of Rapid Change: A Proposed Framework for 
Businesses and Policymakers, 36-36 (Dec. 1, 2010), available at 
http://www.ftc.gov/os/2010/12/101201privacyreport.pdf; Protecting 
Youths in an Online World, supra note 18, at 14-15 (``The FTC 
believes that its upcoming privacy recommendations based on its 
roundtable discussions will greatly benefit teens. The Commission 
expects that the privacy proposals emerging from this initiative 
will provide teens both a greater understanding of how their data is 
used and a greater ability to control such data.'').

---------------------------------------------------------------------------

III. COPPA's ``Actual Knowledge'' Standard

    The COPPA statute applies to two types of operators: (1) Those who 
operate Web sites or online services directed to children and collect 
personal information, and (2) those who have actual knowledge that they 
are collecting personal information from a child under age 13.\24\ The 
second prong, commonly known as ``the actual knowledge standard,'' 
holds operators of Web sites directed to teenagers, adults, or to a 
general audience, liable for providing COPPA's protections only when 
they know they are collecting personal information from a COPPA-covered 
child (i.e., one under age 13). COPPA therefore was never intended to 
apply to the entire Internet, but rather to a subset of Web sites and 
online services.\25\
---------------------------------------------------------------------------

    \24\ See 15 U.S.C. 6503(a)(1).
    \25\ See MPAA (comment 42), at 10 (``Congress deliberately 
selected the actual knowledge standard because it served the 
objective of protecting young children without constraining 
appropriate data collection and use by operators of general audience 
Web sites. This standard was selected to serve the goals of COPPA 
without imposing excessive burdens--including burdens that could 
easily constrain innovation--on general audience sites and online 
services'').
---------------------------------------------------------------------------

    Congress did not define the term ``actual knowledge'' in the COPPA 
statute, nor did the Commission define the term in the Rule. The case 
law makes clear that actual knowledge does not equate to ``knowledge 
fairly implied by the circumstances''; nor is actual knowledge 
``constructive knowledge,'' as that term is interpreted and applied 
legally.\26\ Therefore, the Commission has advised that operators of 
general audience Web sites are not required to investigate the ages of 
their users.\27\ By contrast, however, operators that ask for--or 
otherwise collect--information establishing that a user is under the 
age of 13 trigger COPPA's verifiable parental consent and all other 
requirements.\28\
---------------------------------------------------------------------------

    \26\ The original scope of COPPA, as indicated in S. 2326 and 
H.R. 4667, would have applied to any commercial Web site or online 
service used by an operator to ``knowingly'' collect information 
from children. See Children's Online Privacy Protection Act of 1998, 
S. 2326, 105th Cong. Sec.  2(11)(A)(iii) (1998); Electronic Privacy 
Bill of Rights Act of 1998, H.R. 4667, 105th Cong. Sec.  
105(7)(A)(iii) (1998). Under federal case law, the term 
``knowingly'' encompasses actual, implied, and constructive 
knowledge. See Schmitt v. FMA Alliance, 398 F.3d 995, 997 (8th Cir. 
2005); Freeman United Coal Mining Co. v. Federal Mine Safety and 
Health Review Comm'n, 108 F.3d 358, 363 (D.C. Cir. 1997).
    Upon the consideration of testimony from various witnesses, 
Congress modified the knowledge standard in the final legislation to 
require ``actual knowledge.'' See Internet Privacy Hearing: Hearing 
on S. 2326 Before the Subcomm. on Communications of the S. Comm. on 
Commerce, Science, and Transportation, 105th Cong. 1069 (1998). 
Actual knowledge is generally understood from case law to establish 
a far stricter standard than constructive knowledge or knowledge 
implied from the ambient facts. See United States v. DiSanto, 86 
F.3d 1238, 1257 (1st Cir. 1996) (citing United States v. Spinney, 65 
F.3d 231, 236 (1st Cir. 1995), for the proposition that ``when 
considering the question of ``knowledge'' [it is helpful] to recall 
that ``the length of the hypothetical knowledge continuum'' is 
marked by ``constructive knowledge'' at one end and ``actual 
knowledge'' at the other with various ``gradations,'' such as 
``notice of likelihood'' in the ``poorly charted area that stretches 
between the poles'').
    \27\ See Children's Online Privacy Protection Rule, Statement of 
Basis and Purpose (``1999 Statement of Basis and Purpose''), 64 FR 
59888, 59889 (Nov. 3, 1999), available at http://www.ftc.gov/os/1999/10/64Fr59888.pdf.
    \28\ See id. at 59892 (``Actual knowledge will be present, for 
example, where an operator learns of a child's age or grade from the 
child's registration at the site or from a concerned parent who has 
learned that his child is participating at the site. In addition, 
although the COPPA does not require operators of general audience 
sites to investigate the ages of their site's visitors, the 
Commission notes that it will examine closely sites that do not 
directly ask age or grade, but instead ask `age identifying' 
questions, such as `what type of school do you go to: (a) 
elementary; (b) middle; (c) high school; (d) college.' Through such 
questions, operators may acquire actual knowledge that they are 
dealing with children under 13'').
---------------------------------------------------------------------------

    In general, commenters to the Rule review expressed widespread 
support for Congress's retention of the statutory actual knowledge 
standard. Supporters find that the standard provides necessary 
certainty regarding the boundaries of operators' legal liability for 
COPPA violations.\29\ Commenters generally felt strongly that a lesser 
standard, e.g., constructive or implied knowledge, would cause extreme 
uncertainty for operators of general audience Web sites or online 
services seeking to comply with the law since they would be obliged 
either to make guesses about the presence of underage children or to 
deny access to a wide swath of participants, not only young 
children.\30\ According to commenters, such actions would result in 
greater data collection from all users, including children, in order to 
determine who should receive COPPA protections (or, alternatively, be 
denied access to a site). Commenters viewed this result as 
contradictory to COPPA's goal of minimizing data collection.\31\
---------------------------------------------------------------------------

    \29\ See CTIA (comment 14), at 2; Direct Marketing Association 
(``DMA'') (comment 17), at 8; MPAA (comment 42), at 9; Toy Industry 
Association, Inc. (comment 63), at 5; Jeffrey Greenbaum, Partner, 
Frankfurt Kurnit Klein & Selz PC, and J. Beckwith (``Becky'') Burr, 
Partner, WilmerHale, Remarks from The ``Actual Knowledge'' Standard 
in Today's Online Environment Panel at the Federal Trade 
Commission's Roundtable: Protecting Kids' Privacy Online 78-79 (June 
2, 2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.
    \30\ See Sharon Anderson (comment 2); Boku (comment 5); CDT 
(comment 9), at 6; CTIA (comment 14), at 2; DMA (comment 17), at 8; 
Facebook (comment 22), at 7; IAB (comment 34), at 6.
    \31\ See CTIA (comment 14), at 2; DMA (comment 17), at 8; 
Facebook (comment 22), at 7-8.
---------------------------------------------------------------------------

    A handful of commenters argued for a different standard. One 
commenter urged the Commission to require commercial Web site operators 
to make reasonable efforts to determine if a child is registering 
online, taking into consideration available technology.\32\ According 
to this commenter, Web site operators otherwise face minimal legal risk 
and business incentive to proactively institute privacy protections for 
children online. Other commenters, such as the Institute for Public 
Representation and Microsoft, urged the Commission to adopt clearer 
guidance on when an operator will be considered to have obtained actual 
knowledge that it has collected personal information from a child.\33\
---------------------------------------------------------------------------

    \32\ See Harry A. Valetk (comment 66), at 4.
    \33\ See Institute for Public Representation (comment 33), at 34 
(urging the Commission to make clear that an operator can gain 
actual knowledge where it obtains age information from a source 
other than the child and where it creates a category for behavioral 
advertising to children under age 13. ``Simply, if an operator 
decides on, or uses, or purports to know the fact that someone is a 
child, then that operator has actual knowledge that it is dealing 
with a child.''); Microsoft (comment 39), at 8 (asking the 
Commission to provide clear guidance on how operators can better 
meet COPPA's objectives of providing access to rich media content 
while not undermining parental involvement).
---------------------------------------------------------------------------

    Despite the limitations of the actual knowledge standard, the 
Commission is persuaded that this remains the correct standard to be 
applied to operators of Web sites and online services that are not 
directed to children. Accordingly, the Commission does not advocate 
that Congress amend the COPPA statute's actual knowledge requirement at 
this time. Actual knowledge is far more workable, and provides greater 
certainty, than other legal standards that might be applied to the 
universe of general audience Web sites and online services. This is 
because the actual knowledge standard is triggered only at the point at 
which an operator becomes aware of a child's age. By contrast, imposing 
a lesser ``reasonable efforts'' or ``constructive knowledge'' standard 
might require operators to ferret through a host of circumstantial 
information to determine who may or may not be a child.
    As described in detail below, with this Notice of Proposed 
Rulemaking, the Commission is proposing several modifications to the 
Rule's definition of ``personal information.'' \34\ Were the Commission 
to recommend that Congress change COPPA's actual knowledge 
standard, the changes the Commission proposes to the Rule's definitions 
might prove infeasible if applied across the entire Internet. The 
impact of the proposed changes to the definition of personal 
information is significantly narrowed by the fact that COPPA only 
applies to the finite universe of Web sites and online services 
directed to children and Web sites and online services with actual 
knowledge.
---------------------------------------------------------------------------

    \34\ For example, the Commission proposes defining as personal 
information persistent identifiers and screen or user names where 
they are used for functions other than or in addition to support for 
the internal operations of a Web site or online service. The 
Commission also proposes including identifiers that link the 
activities of a child across different Web sites or online services, 
as well as digital files containing a child's image or voice, in the 
definition. See infra Part V.A.(4).
---------------------------------------------------------------------------

IV. COPPA's Coverage of Evolving Technologies

    The Commission's April 5, 2010 Federal Register document sought 
public input on the implications for COPPA enforcement raised by 
technologies such as mobile communications, interactive television, 
interactive gaming, and other evolving media.\35\ The Commission's June 
2, 2010 roundtable featured significant discussion on the breadth of 
the terms ``Internet,'' ``website located on the Internet,'' and 
``online service'' as they relate to the statute and the Rule.
---------------------------------------------------------------------------

    \35\ See 2010 Rule Review, supra note 7, at 17090.
---------------------------------------------------------------------------

    Commenters and roundtable participants expressed a consensus that 
both the COPPA statute and Rule are written broadly enough to encompass 
many new technologies without the need for new statutory language.\36\ 
First, there is widespread agreement that the statute's definition of 
``Internet,'' covering the ``myriad of computer and telecommunications 
facilities, including equipment and operating software, which comprise 
the interconnected world-wide network of networks that employ the 
Transmission Control Protocol/Internet Protocol,'' is device 
neutral.\37\
---------------------------------------------------------------------------

    \36\ See CDT (comment 8), at 2; Edward Felten, Dir. and 
Professor of Computer Sci. and Pub. Affairs, Princeton Univ. 
(currently Chief Technologist at the Federal Trade Commission), 
Remarks from The Application of COPPA's Definitions of ``Internet,'' 
``Website,'' and ``Online Service'' to New Devices and Technologies 
Panel at the Federal Trade Commission's Roundtable: Protecting Kids' 
Privacy Online 13-14 (June 2, 2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf 
(``[T]his was and still is a spot-on definition of what ``Internet'' 
means--worldwide interconnection and the use of TCP or IP or any of 
that suite of protocols.'').
    \37\ See CDT (comment 8), at 2. However, two commenters urged 
the Commission to consider modifying or expanding the definition of 
``Internet'' so as to expressly acknowledge the convergence of 
technologies, e.g., mobile devices and other applications that are 
platform neutral or capable of storing and transmitting data in the 
manner of a personal computer. See Electronic Privacy Information 
Center (``EPIC'') (comment 19), at 7-8; Jayne Hitchcock (comment 
29).
---------------------------------------------------------------------------

    While neither the COPPA statute nor the Rule defines a ``Web site 
located on the Internet,'' the term is broadly understood to cover 
content that users can access through a browser on an ordinary computer 
or mobile device.\38\ Likewise, the term ``online service'' broadly 
covers any service available over the Internet, or that connects to the 
Internet or a wide-area network.\39\ The Commission agrees with 
commenters that a host of current technologies that access the Internet 
or a wide area network are ``online services'' currently covered by 
COPPA and the Rule. This includes mobile applications that allow 
children to play network-connected games, engage in social networking 
activities, purchase goods or services online, receive behaviorally 
targeted advertisements, or interact with other content or 
services.\40\ Likewise, Internet-enabled gaming platforms, voice-over-
Internet protocol services, and Internet-enabled location based 
services, also are online services covered by COPPA and the Rule. The 
Commission does not believe that the term ``online service'' needs to 
be further defined either in the statute or in the Rule.\41\
---------------------------------------------------------------------------

    \38\ See AT&T (comment 3), at 5; Spratt (comment 57); Edward 
Felten, supra note 36, at 15.
    \39\ See John B. Morris, Jr., General Counsel and Director, 
Internet Standards, Technology and Policy Project, CDT, and Angela 
Campbell, Institute for Public Representation, Georgetown Univ. Law 
Ctr., Remarks from The Application of COPPA's Definitions of 
``Internet,'' ``Web site,'' and ``Online Service'' to New Devices 
and Technologies Panel at the Federal Trade Commission's Roundtable: 
Protecting Kids' Privacy Online 16-17 (June 2, 2010), available at 
http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf. One commenter mentioned that the terms ``Internet'' 
and ``online'' were seemingly intended by Congress to be used 
interchangeably to mean ``the interconnected world-wide network of 
networks.'' See Entertainment Software Association (comment 20), at 
15 (citing the legislative history, 144 Cong. Rec. S8482-83, 
Statement of Sen. Bryan (1998)). But see Edward Felten, supra note 
36, at 19.
    \40\ See, e.g., Angela Campbell, supra note 39, at 30-31.
    \41\ The FTC has brought a number of cases alleging violations 
of COPPA in connection with the operation of an online service, 
including: United States v. W3 Innovations LLC, No. CV-11-03958 
(N.D. Cal., filed Aug. 12, 2011) (child-directed mobile 
applications); United States v. Playdom, Inc., No. SA CV-11-00724 
(C.D. Cal., filed May 11, 2011) (online virtual worlds); United 
States v. Sony BMG Music Entertainment, No. 08 Civ. 10730 (S.D.N.Y., 
filed Dec. 10, 2008) (social networking service); United States v. 
Industrious Kid, Inc., No. CV-08-0639 (N.D. Cal., filed Jan. 28, 
2008) (social networking service); United States v. Xanga.com, Inc., 
No. 06-CIV-6853 (S.D.N.Y., filed Sept. 7, 2006) (social networking 
service); and United States v. Bonzi Software, Inc., No. CV-04-1048 
(C.D. Cal., filed Feb. 14, 2004) (desktop software application).
---------------------------------------------------------------------------

    Although many mobile activities are online services, it is less 
clear whether all short message services (``SMS'') and multimedia 
messaging services (``MMS'') are covered by COPPA.\42\ One commenter 
maintained that SMS and MMS text messages cross wireless service 
providers' networks and short message service centers, not the public 
Internet, and therefore that such services are not Internet-based and 
are not ``online services.'' \43\ However, another panelist at the 
Commission's June 2, 2010 roundtable cautioned that not all texting 
programs are exempt from COPPA's coverage.\44\ For instance, mobile 
applications that enable users to send text messages from their web-
enabled devices without routing through a carrier-issued phone number 
constitute online services.\45\ Likewise, retailers' premium texting 
and coupon texting programs that register users online and send text 
messages from the Internet to users' mobile phone numbers are online 
services.\46\
---------------------------------------------------------------------------

    \42\ See 2010 Rule Review, supra note 7, at 17090 (Question 11); 
see also Denise Tayloe, President, Privo, Inc., Remarks from 
Emerging Parental Verification Access and Methods Panel at the 
Federal Trade Commission's Roundtable: Protecting Kids' Privacy 
Online 27 (June 2, 2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf (questioning whether 
a ``text to vote'' marketing campaign is covered by COPPA).
    \43\ See CTIA (comment 14), at 2-5 (citing the Federal 
Communications Commission's rules and regulations implementing the 
CAN-SPAM Act of 2003 and the Telephone Consumer Protection Act of 
1991, finding that phone-to-phone SMS is not captured by Section 14 
of CAN-SPAM because such messages do not have references to Internet 
domains). The Commission agrees that where mobile services do not 
traverse the Internet or a wide-area network, COPPA will not apply. 
See Michael Altschul, Senior Vice President and Gen. Counsel, CTIA, 
Remarks from The Application of COPPA's Definitions of ``Internet,'' 
``Web site,'' and ``Online Service'' to New Devices and Technologies 
Panel at the Federal Trade Commission's Roundtable: Protecting Kids' 
Privacy Online at 19-21 (June 2, 2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.
    \44\ See Edward Felten, supra note 36, at 27-28.
    \45\ For example, online texting services offered by TextFree, 
Textie, and textPlus+ that permit users to communicate via text 
message over the Internet.
    \46\ For example, text alert coupon and notification services 
offered by retailers such as Target and JC Penney.
---------------------------------------------------------------------------

    The Commission will continue to assess emerging technologies to 
determine whether or not they constitute ``Web sites located on the 
Internet'' or ``online services'' subject to COPPA's coverage.

V. Proposed Modifications to the Rule

    As discussed above, commenters expressed a consensus that, given 
its flexibility and coverage, the COPPA Rule continues to be useful in 
helping

[[Page 59808]]

to protect children as they engage in a wide variety of online 
activities. The Commission's experience in enforcing the Rule, and 
public input received through the Rule review process, however, 
demonstrate the need to update certain Rule provisions. After extensive 
consideration, the Commission proposes modifications to the Rule in the 
following five areas: Definitions, Notice, Parental Consent, 
Confidentiality and Security of Children's Personal Information, and 
Safe Harbor Programs. In addition to modifying these provisions, the 
Commission proposes adding a new Rule section addressing data retention 
and deletion. Each of these changes is discussed in detail below.

A. Definitions (16 CFR 312.2)

    The Commission proposes to modify particular definitions to update 
the Rule's coverage and, in certain cases, to streamline the Rule's 
language. The Commission proposes modifications to the definitions of 
``collects or collection,'' ``online contact information,'' ``personal 
information,'' ``support for the internal operations of the Web site or 
online service,'' and ``Web site or online service directed to 
children.'' The Commission also proposes a minor structural change to 
the Rule's definition of ``disclosure.''
(1) Collects or Collection
    Section 312.2 of the Rule defines ``collects or collection'' as:

    [T]he gathering of any personal information from a child by any 
means, including but not limited to:
    (a) Requesting that children submit personal information online;
    (b) Enabling children to make personal information publicly 
available through a chat room, message board, or other means, except 
where the operator deletes all individually identifiable information 
from postings by children before they are made public, and also 
deletes such information from the operator's records; or
    (c) The passive tracking or use of any identifying code linked 
to an individual, such as a cookie.

The Commission proposes amending paragraph (a) to change the term 
``requesting that children submit personal information online'' to 
``requesting, prompting, or encouraging a child to submit personal 
information online'' in order to clarify that the Rule covers the 
online collection of personal information both when an operator 
mandatorily requires it, and when an operator merely prompts or 
encourages a child to provide such information.
    Section 312.2(b) currently defines ``collects or collection'' to 
include enabling children to publicly post personal information (e.g., 
on social networking sites or on blogs), ``except where the operator 
deletes all individually identifiable information from postings by 
children before they are made public, and also deletes such information 
from the operator's records.'' \47\ This aspect of COPPA's definition 
of ``collects or collection'' has come to be known as the ``100% 
deletion standard.'' \48\ Several commenters indicated that this 
standard, while well-meaning, serves as an impediment to operators' 
implementation of sophisticated filtering technologies that might aid 
in the detection and removal of personal information.\49\ Some 
commenters urged the Commission to revise the Rule to specify the 
particular types of filtering mechanisms--for example, white lists, 
black lists, or algorithmic systems--that the Commission believes 
conform to the Rule's current 100% deletion requirement.\50\ One 
commenter urged the Commission to exercise caution in modifying the 
Rule to permit the use of automated filtering systems to strip personal 
information from posts prior to posting; this commenter urged the 
Commission to make clear that the use of an automated system would not 
provide an operator with a safe harbor from enforcement action in the 
case of an inadvertent disclosure of personal information.\51\
---------------------------------------------------------------------------

    \47\ Operators who offer services such as social networking, 
chat, bulletin boards and who do not pre-strip (i.e., completely 
delete) such information are deemed to have ``disclosed'' personal 
information under COPPA's definition of ``disclosure.'' See 16 CFR 
312.2.
    \48\ See Phyllis Marcus, Remarks from COPPA's Exceptions to 
Parental Consent Panel at the Federal Trade Commission's Roundtable: 
Protecting Kids' Privacy Online 310 (June 2, 2010), available at 
http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.
    \49\ See Entertainment Software Association (comment 20), at 13-
14; Rebecca Newton (comment 46), at 4; see also WiredSafety.org 
(comment 68), at 15.
    \50\ See Berin Szoka (comment 59), Szoka Responses to Questions 
for the Record, at 19 (``[T]he FTC could * * * allow operators, at 
least in some circumstances, to use ``an automated system of review 
and/or posting'' to satisfy the existing ``deletion exception to the 
definition of collection.'' In other words, sites could potentially 
allow children to communicate with each other through chat rooms, 
message boards, and other social networking tools without having to 
obtain verifiable parental consent if they had in place algorithmic 
filters that would automatically detect personal information such as 
a string of seven or ten digits that seems to correspond to a phone 
number, a string of eight digits that might correspond to a Social 
Security number, a street address, a name, or even a personal 
photo--and prevent children from sharing that information in ways 
that make the information ``publicly available''); see also Privo 
(comment 50), at 5.
    \51\ See EPIC (comment 19), at 6-7.
---------------------------------------------------------------------------

    The Commission has undertaken this Rule review with an eye towards 
encouraging the continuing growth of engaging, diverse, and appropriate 
online content for children that includes strong privacy protections by 
design. Children increasingly seek interactive online environments 
where they can express themselves, and operators should be encouraged 
to develop innovative technologies to attract children to age-
appropriate online communities while preventing them from divulging 
their personal information. Unfortunately, Web sites that provide 
children with only limited communications options often fail to capture 
their imaginations for very long. After careful consideration, the 
Commission believes that the 100% deletion standard has set an 
unrealistic hurdle to operators' development and implementation of 
automated filtering systems.\52\ In its place, the Commission proposes 
a ``reasonable measures'' standard whereby operators who employ 
technologies reasonably designed to capture all or virtually all 
personal information inputted by children should not be deemed to have 
``collected'' personal information. This proposed change is intended to 
encourage the development of systems, either automated, manual, or a 
combination thereof, to detect and delete all or virtually all personal 
information that may be submitted by children prior to its public 
posting.\53\
---------------------------------------------------------------------------

    \52\ In fact, inquiries about automated filtering systems, and 
whether they could ever meet the Commission's current 100% deletion 
standard, are among the most frequent calls to the Commission's 
COPPA hotline.
    \53\ In the Commission's experience, establishing a broad 
standard of reasonableness permits industry to innovate specific 
security methods that best suit particular needs, and the Commission 
has set similar ``reasonableness'' standards in other enforcement 
arenas. For example, in its law enforcement actions involving 
breaches of data security, the Commission consistently has required 
respondents to establish and maintain comprehensive information 
security programs that are ``reasonably designed to protect the 
security, confidentiality, and integrity of personal information 
collected from or about consumers.'' See, e.g., Ceridian Corp., FTC 
Dkt. No. C-4325 (June 15, 2011); Lookout Servs., Inc., FTC Dkt. No. 
C-4326 (June 15, 2011).
---------------------------------------------------------------------------

    Finally, the Commission proposes simplifying paragraph (c) of the 
Rule's definition of ``collects or collection'' to clarify that it 
includes all means of passive tracking of a child online, irrespective 
of the technology used. The proposed paragraph removes the language 
``or use of any identifying code linked to an individual, such as a 
cookie'' and simply states ``passive tracking of a child online.''
    Therefore, the Commission proposes to amend the definition of 
``collects or collection'' so that it reads:


[[Page 59809]]


    Collects or collection means the gathering of any personal 
information from a child by any means, including but not limited to:
    (a) Requesting, prompting, or encouraging a child to submit 
personal information online;
    (b) Enabling a child to make personal information publicly 
available in identifiable form. An operator shall not be considered 
to have collected personal information under this paragraph if it 
takes reasonable measures to delete all or virtually all personal 
information from a child's postings before they are made public and 
also to delete such information from its records; or,
    (c) The passive tracking of a child online.\54\
---------------------------------------------------------------------------

    \54\ One commenter, EPIC, expressed the opinion that the Rule's 
reference to information collected ``by any means'' in the 
definition of ``collects or collection'' is ambiguous with regard to 
information acquired offline that is uploaded, stored, or 
distributed to third parties by operators. See EPIC (comment 19), at 
5. However, Congress limited the scope of COPPA to information that 
an operator collects online from a child; COPPA does not govern 
information collected offline. See 15 U.S.C. 6501(8) (defining the 
personal information as ``individually identifiable information 
about an individual collected online. * * *''); 144 Cong. Rec. 
S11657 (Oct. 7, 1998) (Statement of Sen. Bryan) (``This is an online 
children's privacy bill, and its reach is limited to information 
collected online from a child.'').

(2) Disclosure
    Section 312.2 of the Rule defines ``disclosure'' as:

    (a) The release of personal information collected from a child 
in identifiable form by an operator for any purpose, except where an 
operator provides such information to a person who provides support 
for the internal operations of the Web site or online service and 
who does not disclose or use that information for any other purpose. 
For purposes of this definition:
    (1) Release of personal information means the sharing, selling, 
renting, or any other means of providing personal information to any 
third party, and
    (2) Support for the internal operations of the Web site or 
online service means those activities necessary to maintain the 
technical functioning of the Web site or online service, or to 
fulfill a request of a child as permitted by Sec. Sec.  312.5(c)(2) 
and (3); or,
    (b) Making personal information collected from a child by an 
operator publicly available in identifiable form, by any means, 
including by a public posting through the Internet, or through a 
personal home page posted on a Web site or online service; a pen pal 
service; an electronic mail service; a message board; or a chat room.

The Commission proposes making several minor modifications to this 
definition that are consistent with the statutory definition. First, 
the Commission proposes broadening the title of this definition from 
``disclosure'' to ``disclose or disclosure'' to clarify that in every 
instance in which the Rule refers to instances where an operator 
``disclose[s]'' information, the definition of disclosure shall apply. 
In addition, the Commission proposes moving the definitions of 
``release of personal information'' and ``support for the internal 
operations of the Web site or online service'' contained within the 
definition of ``disclosure'' to stand-alone definitions within Sec.  312.2 
of the Rule.\55\ This change will clarify what is intended by the terms 
``release of personal information'' and ``support for the internal 
operations of the Web site or online service'' where those terms are 
referenced elsewhere in the Rule and where they are not directly 
connected with the terms ``disclose'' or ``disclosure.'' \56\
---------------------------------------------------------------------------

    \55\ The Commission also proposes minor changes to the 
definition of ``support for the internal operations of a Web site or 
online service,'' as described in Part V.A(5). below.
    \56\ For example, the term ``support for the internal operations 
of the Web site or online service'' is included within the proposed 
revisions to the definition of ``personal information.'' See infra 
Part V.A.(5). The term ``release of personal information'' is 
included within the proposed revised provision to Sec.  312.8 regarding 
``Confidentiality, security, and integrity of personal information 
collected from children.'' See infra Part V.D.
---------------------------------------------------------------------------

    Therefore, the Commission proposes to amend the definition of 
``disclosure'' to read:

    Disclose or disclosure means, with respect to personal 
information:
    (a) The release of personal information collected by an operator 
from a child in identifiable form for any purpose, except where an 
operator provides such information to a person who provides support 
for the internal operations of the Web site or online service; and,
    (b) Making personal information collected by an operator from a 
child publicly available in identifiable form by any means, 
including but not limited to a public posting through the Internet, 
or through a personal home page or screen posted on a Web site or 
online service; a pen pal service; an electronic mail service; a 
message board; or a chat room.
(3) ``Release of personal information''
    The Commission proposes to define the term ``release of personal 
information'' separately from its current inclusion within the 
definition of ``disclosure.'' Since the term applies to provisions of 
the Rule that do not relate solely to disclosures,\57\ this stand-alone 
definition will provide greater clarity as to the term's applicability 
throughout the Rule. In addition, the Commission proposes technical 
changes to clarify that the term ``release of personal information'' 
primarily addresses business-to-business uses of personal information. 
Public disclosure of personal information is covered by paragraph (b) 
of the definition of ``disclosure.'' Therefore, the Commission proposes 
to revise the definition of ``release of personal information'' so that 
it reads:
---------------------------------------------------------------------------

    \57\ See, e.g., discussion regarding 16 CFR 312.8 
(confidentiality, security and integrity of children's personal 
information), infra Part V.D.

    Release of personal information means the sharing, selling, 
renting, or transfer of personal information to any third party.
(4) ``Support for the internal operations of the Web site or online 
service''
    The Commission also proposes separating out the term ``support for 
the internal operations of the Web site or online service'' from the 
definition of ``disclosure.'' The Commission recognizes that the term 
``support for internal operations of the Web site or online service''--
i.e., activities necessary to maintain the technical functioning of the 
Web site or online service--is an important limiting concept that 
warrants further explanation. The Rule recognizes that information that 
is collected by operators for the sole purpose of support for internal 
operations should be treated differently than information that is used 
for broader purposes.
    The term currently is a part of the definitions of ``disclosure'' 
and ``third party'' within the Rule. As explained below, the Commission 
proposes to expand the definition of ``personal information'' to 
include ``screen or user names'' and ``persistent identifiers,'' when 
such items are used for functions other than or in addition to 
``support for the internal operations of the Web site or online 
service.'' \58\ In proposing to create a separate definition of 
``support for the internal operations of a Web site or online 
service,'' the Commission also proposes to expand that definition to 
include ``activities necessary to protect the security or integrity of 
the Web site or online service.'' With this change, the Commission 
recognizes operators' need to protect themselves or their users from 
security threats, fraud, denial of service attacks, user misbehavior, 
or other threats to operators' internal operations.\59\ In addition, 
the Commission proposes adding the limitation that information 
collected for such purposes may not be used or disclosed for any other 
purpose, so that if there is a secondary use of the information, it 
becomes ``personal information'' under the Rule.
---------------------------------------------------------------------------

    \58\ See infra Part V.(5)(b) and (c).
    \59\ See WiredSafety.org (comment 68), at 17.
---------------------------------------------------------------------------

    The Commission recognizes that operators use persistent identifiers 
and screen names to aid the functionality and technical stability of 
Web sites and online services and to provide a good user experience, 
and the Commission does not intend to limit operators'

[[Page 59810]]

ability to collect such information from children for those purposes. 
However, the Commission also recognizes that such identifiers may be 
used in more expansive ways that affect children's privacy. In the 
sections that follow, the Commission sets forth the parameters within 
which operators may collect and use screen names and persistent 
identifiers without triggering COPPA's application.\60\
---------------------------------------------------------------------------

    \60\ Id.
---------------------------------------------------------------------------

    The Commission proposes to revise the definition of ``support for 
the internal operations of Web site or online service'' so that it 
states:

    Support for the internal operations of the Web site or online 
service means those activities necessary to maintain the technical 
functioning of the Web site or online service, to protect the 
security or integrity of the Web site or online service, or to 
fulfill a request of a child as permitted by Sec.  312.5(c)(3) and 
(4), and the information collected for such purposes is not used or 
disclosed for any other purpose.
(5) Online Contact Information
    Section 312.2 of the Rule defines ``online contact information'' as 
``an e-mail address or any other substantially similar identifier that 
permits direct contact with a person online.'' The Commission proposes 
to clarify this definition to flag that the term covers all identifiers 
that permit direct contact with a person online, and to eliminate any 
inconsistency between the stand-alone definition of online contact 
information and the use of the same term within the Rule's definition 
of ``personal information.'' \61\ The revised definition set forth 
below adds commonly used forms of online identifiers, including instant 
messaging user identifiers, voice over internet protocol (VOIP) 
identifiers, and video chat user identifiers. The proposed definition 
makes clear, however, that the identifiers included are not intended to 
be exhaustive, and may include other substantially similar identifiers 
that permit direct contact with a person online.
---------------------------------------------------------------------------

    \61\ The Rule currently defines as personal information ``an e-
mail address or other online contact information, including but not 
limited to an instant messaging user identifier, or a screen name 
that reveals an individual's e-mail address.'' 16 CFR 312.2 
(paragraph (c), definition of ``personal information''). The 
Commission also proposes removing the listing of identifiers from 
the definition of personal information and substituting the simple 
phrase ``online contact information'' instead. See infra Part 
V.A.(4)(a). By doing so, the Commission hopes to streamline the 
Rule's definitions in a way that is useful and accessible for 
operators.
---------------------------------------------------------------------------

    Therefore, the Commission proposes to amend the definition of 
``online contact information'' to state:

    Online contact information means an e-mail address or any other 
substantially similar identifier that permits direct contact with a 
person online, including but not limited to, an instant messaging 
user identifier, a voice over internet protocol (VOIP) identifier, 
or a video chat user identifier.
(6) Personal Information
    The COPPA statute defines personal information as individually 
identifiable information about an individual collected online, 
including:
    (A) A first and last name;
    (B) A home or other physical address including street name and name 
of a city or town;
    (C) An e-mail address;
    (D) A telephone number; \62\
---------------------------------------------------------------------------

    \62\ The term ``telephone number'' includes landline, web-based, 
and mobile phone numbers.
---------------------------------------------------------------------------

    (E) A Social Security number;
    (F) Any other identifier that the Commission determines permits the 
physical or online contacting of a specific individual; or
    (G) information concerning the child or the parents of that child 
that the Web site collects online from the child and combines with an 
identifier described in this paragraph.\63\
---------------------------------------------------------------------------

    \63\ 15 U.S.C. 6502(8). The Federal Trade Commission originally 
used the authority granted under Section 6502(8)(F) to define 
personal information under the COPPA Rule to include the following 
pieces of information not specifically listed in the statute:
     Other online contact information, including but not 
limited to an instant messaging user identifier;
     A screen name that reveals an individual's e-mail 
address;
     A persistent identifier, such as a customer number held 
in a cookie or a processor serial number, where such identifier is 
associated with individually identifiable information; and,
     A combination of a last name or photograph of the 
individual with other information such that the combination permits 
physical or online contacting.
---------------------------------------------------------------------------

    As explained below, the Commission proposes to use this statutorily 
granted authority in paragraph (F) to modify, and in certain cases 
expand upon, the Rule's definition of ``personal information'' to 
reflect technological changes.
a. Online Contact Information (Revised Paragraph (c))
    The Commission proposes to replace existing paragraph (c) of the 
Rule's definition of ``personal information,'' which refers to ``an e-
mail address or other online contact information including but not 
limited to an instant messaging user identifier, or a screen name that 
reveals an individual's e-mail address,'' with the broader term 
``online contact information,'' as newly defined.\64\ Moreover, as 
discussed immediately below, the Commission proposes to move the 
existing reference to a ``screen name'' to a separate item within the 
definition of ``personal information.''
---------------------------------------------------------------------------

    \64\ See supra Part V.A.(4)(a).
---------------------------------------------------------------------------

b. Screen or User Names (Revised Paragraph (d))
    Currently, screen names are considered ``personal information'' 
under COPPA only when they reveal an individual's e-mail address. The 
Commission proposes instead that screen (or user) names be categorized 
as personal information when they are used for functions other than, or 
in addition to, support for the internal operations of the Web site or 
online service. This change reflects the reality that screen and user 
names increasingly have become portable across multiple Web sites or 
online services, and permit the direct contact of a specific individual 
online regardless of whether the screen or user names contain an e-mail 
address.\65\
---------------------------------------------------------------------------

    \65\ See, e.g., OpenId, Windows Live ID, and the Facebook 
Platform.
---------------------------------------------------------------------------

    The proposed definition exempts screen or user names that are used 
solely to maintain the technical functioning of the Web site or online 
service. This qualification is intended to retain operators' ability to 
utilize screen or user names within a Web site or online service 
(absent the collection, use, or disclosure of other personal 
information) without obtaining prior parental consent. Accordingly, an 
operator may allow children to establish screen names for use within a 
site or service. Such screen names may be used for access to the site 
or service, to identify users to each other, and to recall user 
settings. However, where the screen or user name is used for purposes 
other than to maintain the technical functioning of the Web site or 
online service, the screen name becomes ``personal information'' under 
the proposed Rule.
c. Persistent Identifiers (Revised Paragraph (g)) and Identifiers 
Linking a Child's Online Activities (New Paragraph (h))
    The existing Rule includes as personal information ``a persistent 
identifier, such as a customer number held in a cookie or a processor 
serial number, where such identifier is associated with individually 
identifiable information.'' \66\ In its 1999 Statement of Basis and 
Purpose, the Commission discussed persistent identifiers that 
automatically are collected by Web sites, such as static IP addresses 
and

[[Page 59811]]

processor serial numbers, stating that ``unless such identifiers are 
associated with other individually identifiable personal information, 
they would not fall within the Rule's definition of `personal 
information.' '' Moreover, with respect to information stored in 
cookies, the Commission stated that ``[i]f the operator either collects 
individually identifiable information using the cookie or collects non-
individually identifiable information using the cookie that is combined 
with an identifier, then the information constitutes `personal 
information' under the Rule, regardless of where it is stored.'' \67\ 
Taken together, these statements limit COPPA's coverage of persistent 
identifiers solely to those identifiers that are otherwise linked to 
``personal information'' as defined by the Rule.
---------------------------------------------------------------------------

    \66\ See paragraph (f) to the definition of ``personal 
information.'' 16 CFR 312.2.
    \67\ See 1999 Statement of Basis and Purpose, 64 FR 59888, 
59892-93.
---------------------------------------------------------------------------

    Developments in technology in the intervening twelve years since 
the COPPA Rule was issued, and the resulting implications for consumer 
privacy, have led to a widespread reexamination of the concept of 
``personal information'' and of the types of information COPPA should 
cover.\68\ While it is clear that COPPA always was intended to regulate 
an operator's ability to obtain information from, and market back to, 
children,\69\ methods of marketing online have burgeoned in recent 
years. In this regard, the Commission sought comment on whether certain 
identifiers, such as IP address, zip code, date of birth, gender, and 
information collected in connection with online behavioral advertising, 
should now be included within the Rule's definition of ``personal 
information.'' \70\
---------------------------------------------------------------------------

    \68\ Commission staff recognized in its 2009 online behavioral 
advertising report that, ``in the context of online behavioral 
advertising, the traditional notion of what constitutes PII versus 
non-PII is becoming less and less meaningful and should not, by 
itself, determine the protections provided for consumer data.'' FTC 
Staff Report: Self-Regulatory Principles for Online Behavioral 
Advertising, 21-22 (Feb. 2009), available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf. Similarly, the Federal Trade 
Commission 2010 Staff Privacy Report cited widespread recognition 
among industry and academics that the traditional distinction 
between the two categories of data has eroded, and that information 
practices and restrictions that rely on this distinction are losing 
their relevance. See Protecting Consumer Privacy in an Era of Rapid 
Change, supra note 23, at 35-36.
    \69\ See 144 Cong. Rec. S8482 (July 17, 1998) (Statement of Sen. 
Bryan) (``Unfortunately, the same marvelous advances in computer and 
telecommunication technology that allow our children to reach out to 
new resources of knowledge and cultural experiences are also leaving 
them unwittingly vulnerable to exploitation and harm by deceptive 
marketers and criminals * * *. Much of this information appears to 
be harmless, but companies are attempting to build a wealth of 
information about you and your family without an adult's approval--a 
profile that will enable them to target and to entice your children 
to purchase a range of products. The Internet gives marketers the 
capability of interacting with your children and developing a 
relationship without your knowledge'').
    \70\ See 2010 Rule Review, supra note 7, at 17090.
---------------------------------------------------------------------------

    Numerous comments to the Rule review addressed this question.\71\ 
Several commenters opposed such an expansion, pointing out that the 
collection of certain identifiers, such as IP addresses, is integral 
to the delivery of online content.\72\ According to these commenters, 
if an IP address, on its own, were to be included within the definition 
of ``personal information,'' virtually every Web site or online service 
directed to children would be subject to COPPA's requirements, 
regardless of whether any additional information is collected, used, or 
disclosed, because a browser's communication with a Web site typically 
reveals the user's IP address to the Web site operator. Commenters 
especially expressed concern about operators' ability to obtain prior 
verifiable parental consent in such situations.\73\ In addition, some 
commenters noted that an IP address may not lead an operator to a 
specific individual, but rather, indicate only a particular computer or 
computing device shared by a number of individuals.\74\
---------------------------------------------------------------------------

    \71\ See, e.g., BOKU (comment 5); CDT (comment 8); DMA (comment 
17), at 6-9; Entertainment Software Association (comment 20), at 17-
18; Google, Inc. (comment 24), at 6-7; Institute for Public 
Representation (comment 33), at 21; IAB (comment 34), at 3-5; 
Interstate Commerce Coalition (comment 35), at 2; Microsoft 
Corporation (comment 39), at 9-10; MPAA (comment 42), at 6-7; 
NetChoice (comment 45), at 6-7; Paul Ohm (comment 48); TechAmerica 
(comment 61), at 5-6; Toy Industry Association, Inc. (comment 63), 
at 7-10; TRUSTe (comment 64), at 3-5.
    \72\ See Google, Inc. (comment 24), at 7; Internet Commerce 
Coalition (comment 35), at 2-3.
    \73\ See, e.g., Entertainment Software Association (comment 20), 
at 18; Interstate Commerce Coalition (comment 35), at 2.
    \74\ See Toy Industry Association, Inc. (comment 63), at 9; 
TRUSTe (comment 64), at 5.
---------------------------------------------------------------------------

    Several other commenters addressed the question of whether 
identifiers such as cookies or other technologies used to track online 
activities should be included within the definition of ``personal 
information.'' As with the comments regarding IP addresses, these 
commenters maintained that uses of cookies and other tracking devices 
do not result in the contacting of specific individuals online as 
contemplated by Congress in the COPPA statute.\75\ Moreover, some 
commenters asserted that these technologies can be used for a number of 
beneficial purposes, e.g., some operators use cookies to protect 
children from inappropriate advertising (and conversely, to deliver 
only appropriate advertising); other operators use cookies to 
personalize children's online experiences. Finally, these commenters 
contended that expanding COPPA to include cookies and other online 
behavioral advertising technologies is unnecessary because existing 
self-regulatory principles for online behavioral advertising are 
sufficient to curtail targeted advertising to children.\76\
---------------------------------------------------------------------------

    \75\ See Facebook (comment 22), at 6; Microsoft Corporation 
(comment 39), at 9; Toy Industry Association, Inc. (comment 63), at 
7.
    \76\ See CDT (comment 8, at 8) (referring to the Network 
Advertising Initiative's 2008 NAI Principles Code of Conduct); 
Entertainment Software Association (comment 20), at 19 (referring to 
the Self-Regulatory Principles for Online Behavioral Advertising 
issued by the American Association of Advertising Agencies, 
Association of National Advertisers, Direct Marketing Association, 
Interactive Advertising Bureau, and Council of Better Business 
Bureaus in July 2009); Facebook (comment 22), at 7.
---------------------------------------------------------------------------

    By contrast, several commenters asserted that identifiers such as 
cookies and IP addresses can be used by online operators to track and 
communicate with specific individuals and should be included within 
COPPA's categories of information considered to be personal.\77\
---------------------------------------------------------------------------

    \77\ See Common Sense Media (comment 12), at 8; EPIC (comment 
19), at 9; Institute for Public Representation (comment 33), at 21.
---------------------------------------------------------------------------

    After careful consideration, the Commission believes that 
persistent identifiers can permit the contacting of a specific 
individual, and thus, with the limitations described below, should be 
included as part of a revised definition of ``personal information'' in 
the COPPA Rule. The Commission does not agree with commenters who argue 
that persistent identifiers only allow operators to contact a specific 
device or computer. Information that ``permits the physical or online 
contacting of a specific individual'' does not mean information that 
permits the contacting of only a single individual, to the exclusion of 
all other individuals. For example, the COPPA statute includes within 
the definition of ``personal information'' a home address alone or a 
phone number alone--information that is often applicable to an entire 
household. The Commission believes this reflects the judgment of 
Congress that an operator who collects this information is reasonably 
likely to be able to contact a specific individual, even without having 
collected other identifying information. The Commission believes the 
same is true of persistent identifiers.
    Moreover, increasingly, consumer access to computers is shifting 
from the model of a single, family-shared,

[[Page 59812]]

personal computer to the widespread distribution of person-specific, 
Internet-enabled, handheld devices to each member within a household, 
including children.\78\ Such handheld devices often have one or more 
unique identifiers associated with them that can be used to 
persistently link a user across Web sites and online services, 
including mobile applications.\79\ With this change in computing use, 
operators now have a better ability to link a particular individual to 
a particular computing device.
---------------------------------------------------------------------------

    \78\ See Common Sense Media, Do Smart Phones = Smart Kids? The 
Impact of the Mobile Explosion on America's Kids, Families, and 
Schools (Apr. 2010), available at http://www.commonsensemedia.org/smartphones-smartkids (citing a study from the NPD Group, Inc. 
finding that 20% of U.S. children ages 4-14 owned a cell phone in 
2008); N. Jackson, ``More Kids Can Work Smartphones Than Can Tie 
Their Own Shoes,'' The Atlantic (Jan. 24, 2011), available at http://www.theatlantic.com/technology/archive/2011/01/more-kids-can-work-smartphones-than-can-tie-their-own-shoes/70101/; see also S. Smith, 
``Now It's Personal: Mobile Nears the Privacy Third Rail,'' 
Behavioral Insider (Apr. 22, 2011), available at http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=149196 (warning that ``[m]any of the arguments used to assuage 
worries about digital privacy online are simply less effective [in 
the mobile space]. When data can be tied to specific device IDs, 
times and location, insistence that the resulting data is 
`anonymized' (no matter how true it may be) is very hard for the 
layman to swallow.'').
    \79\ Sometimes called ``processor serial numbers,'' ``device 
serial numbers,'' or ``unique device identifier,'' unique 
identifiers refer to software-readable or physical numbers embedded 
by manufacturers into individual processors or devices. See, e.g., 
J. Valentino-DeVries, Unique Phone ID Numbers Explained, Wall St. J. 
(Dec. 19, 2010), available at http://blogs.wsj.com/digits/2010/12/19/unique-phone-id-numbers-explained/.
---------------------------------------------------------------------------

    At the same time, the Commission is mindful of the concerns raised 
by commenters that including persistent identifiers within the 
definition of personal information, without further qualification, 
would hinder operators' ability to provide basic online services to 
children. Several commenters indicated that Web sites and online 
services must identify and use IP addresses to deliver content to 
computers; if IP addresses, without more, were treated as ``personal 
information'' under COPPA, a site or service would be liable for 
collecting personal information as soon as a child landed on its home 
page or screen.\80\ The Commission agrees that such an approach is 
over-broad and unworkable.\81\
---------------------------------------------------------------------------

    \80\ See CDT (comment 9), at 7-8; DMA (comment 17), at 6; 
Entertainment Software Association (comment 20), 17-18; Google 
(comment 24), 7; Internet Commerce Coalition (comment 35), at 2-3; 
and TechAmerica (comment 61), at 6.
    \81\ As some commenters noted, it would be impracticable to 
obtain verifiable parental consent prior to the collection of an IP 
address for purposes of delivering online content, since Web site 
operators would not know at that point in time that the Web site 
visitor was a child, and would have no means of obtaining consent 
from that child's parent. See, e.g., Internet Commerce Coalition 
(comment 35), at 2.
---------------------------------------------------------------------------

    The Commission believes that when a persistent identifier is used 
only to support the internal operations of a Web site or online 
service, rather than to compile data on specific computer users, the 
concerns underlying COPPA's purpose are not present.\82\ Accordingly, 
the Commission proposes to modify the definition of ``personal 
information'' by revising paragraph (g), and adding a paragraph (h), as 
follows:
---------------------------------------------------------------------------

    \82\ See 144 Cong. Rec. S8482 (July 17, 1998) (Statement of Sen. 
Bryan).

    (g) A persistent identifier, including but not limited to, a 
customer number held in a cookie, an Internet Protocol (IP) address, 
a processor or device serial number, or unique device identifier, 
where such persistent identifier is used for functions other than or 
in addition to support for the internal operations of the Web site 
or online service;
    (h) an identifier that links the activities of a child across 
different Web sites or online services;

Proposed paragraph (g)--which covers persistent identifiers where they 
are used for functions other than, or in addition to, support for the 
internal operations of the Web site or online service--is designed not 
to interfere with operators' ability to deliver content to children 
within the ordinary operation of their Web sites or online services. 
This limitation takes into account the comments expressing concern 
about the potential for COPPA to interfere with the ordinary operation 
of Web sites or online services.\83\ The new language in the definition 
would permit operators' use of persistent identifiers for purposes such 
as user authentication, improving site navigation, maintaining user 
preferences, serving contextual advertisements, and protecting against 
fraud or theft. However, the new language would require parental 
notification and consent prior to the collection of persistent 
identifiers where they are used for purposes such as amassing data on a 
child's online activities or behaviorally targeting advertising to the 
child. Therefore, operators such as network advertisers may not claim 
the collection of persistent identifiers as a technical function under 
the ``support for internal operations'' exemption.
---------------------------------------------------------------------------

    \83\ See Boku (comment 5) (encouraging the Commission to 
regulate the use of identifiers such as IP address, device data, or 
any other data automatically captured during interaction with a user 
and a web site rather than the data capture itself or the storage of 
such data); see also CDT (comment 8), at 8 (asserting that a 
prohibition on the mere collection of this data would undermine the 
very functioning of the Internet).
---------------------------------------------------------------------------

    New paragraph (h) of the definition of ``personal information'' is 
intended to serve as a catch-all category covering the online gathering 
of information about a child over time for the purposes of either 
online profiling or delivering behavioral advertising to that 
child.\84\ For example, an advertising network or analytics service 
that tracks a child user across a set of Web sites or online services, 
but stores this information in a separate database rather than with the 
persistent identifier, would be deemed to have collected personal 
information from the child under this proposed paragraph.
---------------------------------------------------------------------------

    \84\ ``Online behavioral advertising'' is the practice of 
tracking an individual's online activities in order to deliver 
advertising tailored to the individual's interests. See Self-
Regulatory Principles for Online Behavioral Advertising, supra note 
68, at i.
---------------------------------------------------------------------------

    Several commenters stated that industry self-regulatory efforts 
more effectively address the treatment of online behavioral advertising 
to children than would regulation in this area. For example, citing the 
industry's 2009 Self-Regulatory Principles for Online Behavioral 
Advertising, the Direct Marketing Association asserted that ``robust 
self-regulation is the best and most appropriate way to address privacy 
concerns in connection with online behavioral advertising, including 
concerns related to children.'' \85\
---------------------------------------------------------------------------

    \85\ DMA (comment 17), at 7 (directing the Commission's 
attention to Self-Regulatory Principles for Online Behavioral 
Advertising (July 2009), at 16-17, available at http://www.the-dma.org/government/ven-principles%2007-01-09%20FINAL.pdf). See also 
Entertainment Software Association (comment 20), at 19; Facebook 
(comment 22), at 7; IAB (comment 34), at 3; Microsoft (comment 39), 
at 9-10; Mobile Marketing Association (comment 40), at 3; Toy 
Industry Association (comment 63), at 9.
---------------------------------------------------------------------------

    The Commission finds this argument unpersuasive. Although self-
regulation can play an important role in consumer protection, Congress 
specifically directed the Commission to promulgate and implement 
regulations covering the online collection, use, and disclosure of 
children's personal information. To the extent that children's personal 
information is collected in connection with behavioral advertising, 
such information should be protected under the Rule. While self-
regulatory programs can be valuable in promoting compliance, the 
proposed revision implements the COPPA statute and is enforceable by 
law.\86\
---------------------------------------------------------------------------

    \86\ Although it is unclear from the record before the 
Commission whether operators currently are directing online 
behavioral advertising to children (various members of industry have 
informed Commission staff that they do not believe such activity is 
occurring while media reports have indicated the widespread presence 
of tracking tools on children's Web sites, see Steven Stecklow, On 
the Web, Children Face Intensive Tracking, Wall St. J., Sept. 17, 
2010), the Commission notes that the self-regulatory guidelines 
cited by the commenters do not expressly require prior parental 
consent for such advertising to occur. Rather, operators who adhere 
to such guidelines are merely cautioned that they should comply with 
COPPA when engaging in online behavioral advertising. See Self-
Regulatory Principles for Online Behavioral Advertising, supra note 
85, at 16-17 (``Entities should not collect `personal information', 
as defined in the Children's Online Privacy Protection Act 
(`COPPA'), from children they have actual knowledge are under the 
age of 13 or from sites directed to children under the age of 13 for 
Online Behavioral Advertising, or engage in Online Behavioral 
Advertising directed to children they have actual knowledge are 
under the age of 13 except as compliant with the COPPA''). Moreover, 
the self-regulatory standards cited by commenters do not 
collectively represent all operators subject to COPPA.

---------------------------------------------------------------------------

[[Page 59813]]

d. Photographs, Videos, and Audio Files (New Paragraph (i))
    The Rule's existing definition of ``personal information'' includes 
photographs only when they are combined with ``other information such 
that the combination permits physical or online contacting.'' Given the 
prevalence and popularity of posting photos, videos, and audio files 
online, the Commission has reevaluated the privacy and safety 
implications of such practices as they pertain to children. Inherently, 
photos can be very personal in nature. Also, photographs of children, 
in and of themselves, may contain information, such as embedded 
geolocation data, that permits physical or online contact.\87\ In 
addition, facial recognition technology can be used to further identify 
persons depicted in photos.\88\
---------------------------------------------------------------------------

    \87\ In addition to the personal information that may be 
viewable in a photograph or video, geolocation data is commonly 
embedded as hidden ``metadata'' within these digital images. These 
data usually consist of latitude and longitude coordinates, and may 
also include altitude, bearing, distance, and place names. Such 
geolocation information may be used by operators and may also be 
accessed by the viewing public. The Commission proposes to 
specifically enumerate ``geolocation information'' as a separate 
category of ``personal information'' under the Rule. See infra Part 
V.A.(4)(e).
    \88\ See M. Geuss, ``Facebook Facial Recognition Could Get 
Creepy: new facial recognition technology used to identify your 
friends in photos could have some interesting applications--and some 
scary possibilities,'' PC World (Apr. 26, 2011), available at http://www.pcworld.com/article/226228/facebook_facial_recognition_its_quiet_rise_and_dangerous_future.html (discussing Facebook's 
facial recognition technology, and similar technologies offered by 
services such as Viewdle, Fotobounce, Picasa, iPhoto, and Face.com).
---------------------------------------------------------------------------

    The Commission believes that, with respect to the subset of Web 
sites and online services directed to children or having actual 
knowledge of collecting personal information from children, broader 
Rule coverage of photos is warranted.\89\ In addition, the Commission 
believes that the Rule's definition of ``personal information'' should 
be expanded to include the posting of video and audio files containing 
a child's image or voice, which, similarly to photos, may enable the 
identification and contacting of a child. Therefore, the Commission 
proposes to create a new paragraph (i) of the definition of ``personal 
information'' that states:
---------------------------------------------------------------------------

    \89\ Although the Commission received little comment on this 
topic, one individual commenter, as well as the Commission-approved 
COPPA safe harbor, TRUSTe, strongly supported this approach. See 
Gregory Schiller (comment 47); Office of the State Attorney--15th 
Judicial Circuit in and for Palm Beach County, Florida (comment 47); 
TRUSTe (comment 64), at 4; Maureen Cooney, Chief Privacy Officer, 
TRUSTe, Remarks from COPPA's Definition of ``Personal Information'' 
Panel at the Federal Trade Commission's Roundtable: Protecting Kids' 
Privacy Online at 191-92 (June 2, 2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.
---------------------------------------------------------------------------

    (i) A photograph, video, or audio file where such file contains a 
child's image or voice;

This proposed change will ensure that parents are given notice and the 
opportunity to decide whether the posting of images or audio files is 
an activity in which they wish their children to engage.
e. Geolocation Information (New Paragraph (j))
    In recent years, geolocation services have become ubiquitous 
features of the personal electronics market.\90\ Numerous commenters 
raised with the Commission the issue of the potential risks associated 
with operators' collection of geolocation information from children. 
Some commenters urged the Commission to expressly modify the Rule to 
include geolocation information, given the current pervasiveness of 
such technologies and their popularity among children.\91\ Others 
maintained that geolocation information is already covered by existing 
paragraph (b) of the Rule's definition of ``personal information,'' 
which includes ``a home or other physical address including street name 
and name of a city or town.'' \92\
---------------------------------------------------------------------------

    \90\ For example, geolocation-based navigation tools help users 
reach destinations, find local businesses or events, find friends 
and engage in social networking, ``check in'' at certain locations, 
and link their location to other activities. Many users access 
geolocation services through mobile devices. However, devices such 
as laptop and desktop computers, tablets, and in-car navigation and 
assistance systems also may be used to access such services. 
Geolocation information may be used once for a single purpose, or it 
may be stored or combined with other information to produce a 
history of a user's activities or a detailed profile for advertising 
or other purposes. See ACLU, ``Location Based Services: Time For a 
Privacy Check-In'' 1, 3 (Nov. 2010) available at http://dotrights.org/sites/default/files/lbs-white-paper.pdf.
    \91\ See, e.g., EPIC (comment 19), at 8.
    \92\ See Institute for Public Representation (comment 33), at 
26; TRUSTe (comment 64), at 4. See also Jules Polonetsky, Director, 
Future of Privacy Forum; Paul Ohm, Professor, Univ. of Colorado Law 
School; Sheila A. Millar, Partner, Keller & Heckman LLP; Matt 
Galligan, Founder and CEO, SimpleGeo; Heidi C. Salow, Of Counsel, 
DLA Piper, Remarks from COPPA's Definition of ``Personal 
Information'' Panel at the Federal Trade Commission's Roundtable: 
Protecting Kids' Privacy Online at 195, 205-07 (June 2, 2010), 
available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.
---------------------------------------------------------------------------

    Technologies that collect geolocation information can take a 
variety of forms and can communicate location with varying levels of 
precision. Generally speaking, most commonly used location tracking 
technologies are capable of revealing a person's location at least down 
to the level of a street name and the name of a city or town.\93\ In 
the Commission's view, any geolocation information that provides 
precise enough information to identify the name of a street and city or 
town is covered already under existing paragraph (b) of the definition 
of ``personal information.'' However, because geolocation information 
may be presented in a variety of formats (e.g., coordinates or a map), 
and in some instances may be more precise than street name and name of 
city or town, the Commission proposes making geolocation information a 
stand-alone category within that definition.
---------------------------------------------------------------------------

    \93\ See ACLU, supra note 90, at 9.
---------------------------------------------------------------------------

    Those commenters who opposed the inclusion of geolocation 
information within COPPA's definition of ``personal information'' 
argued that such information cannot be used to identify a specific 
individual, but only a device.\94\ However, as discussed above, the 
Commission finds this argument unpersuasive.\95\ Physical address, 
including street name and name of city or town, alone is considered 
personal information under COPPA. Accordingly, geolocation data that 
provides information at least equivalent to ``physical address'' should 
be covered as personal information.
---------------------------------------------------------------------------

    \94\ See DMA (comment 17), at 7-8; MPAA (comment 42), at 6-7; 
Net Choice (comment 45), at 6.
    \95\ See supra Part V.A.(6)(c).
---------------------------------------------------------------------------

f. Date of Birth, Gender, and ZIP Code
    Several commenters recommended that the Commission include date of 
birth, gender, or ZIP code in the definition of ``personal 
information.'' \96\ The Commission gave careful thought to these 
recommendations, but is not proposing to include these items within

[[Page 59814]]

the definition because the Commission does not believe that any one of 
these items of information, alone, permits the physical or online 
contacting of a specific individual. However, the Commission seeks 
input as to whether the combination of date of birth, gender, and ZIP 
code provides sufficient information to permit the contacting of a 
specific individual such that this combination of information should be 
included in the Rule as ``personal information.'' \97\ Moreover, there 
is a question whether an operator's collection of ``ZIP+4'' may, in 
some cases, be the equivalent of a physical address. ``ZIP+4 Code 
consists of the original 5-digit ZIP Code plus a 4-digit add-on code 
that identifies a geographic segment within the 5-digit delivery area, 
such as a city block, office building, individual high-volume receiver 
of mail, or any other unit that would aid efficient mail sorting and 
delivery.'' \98\ The Commission seeks input on whether ZIP+4 is the 
equivalent of a physical address and whether it should be added to the 
Rule.\99\
---------------------------------------------------------------------------

    \96\ See EPIC (comment 19), at 8-9; Institute for Public 
Representation (comment 33), at 33.
    \97\ See infra Part X. at Question 9(b). Commenter Paul Ohm 
cites to several studies finding that a significant percentage of 
individuals can be uniquely identified by the combination of these 
three pieces of information. See Paul Ohm (comment 48), at 3, note 
7.
    \98\ See United States Postal Service, Frequently Asked 
Questions, ZIP Code Information, http://faq.usps.com/eCustomer/iq/usps/ 
(search ``ZIP Code Information''; then follow ``ZIP Code 
Information'' hyperlink) (last visited September 12, 2011).
    \99\ See infra Part X. at Question 9(c).
---------------------------------------------------------------------------

g. Other Collections of Information
    Taking a different view of ``personal information,'' one commenter 
argued that the Commission should move away from identifying new 
particular individual items of personal information, and instead add to 
the definition ``any collection of more than twenty-five distinct 
categories of information about a user.'' \100\ This proposed 
definition is based on the premise that above a certain quantity 
threshold, the information an operator holds about a particular user 
becomes sufficiently identifying so as to be ``personal.'' The 
Commission recognizes the potential for collections of diverse bits of 
information to permit the identification of a specific individual; 
however, the record is not sufficiently developed at this time to 
support a quantity-based approach to defining personal information. 
Without greater specificity, a quantity-based approach would not 
provide operators with sufficient certainty to determine which 
collections and combinations of information trigger the Rule's 
requirements and which do not. As a result, this standard would be 
difficult for operators to implement, as well as for the government to 
enforce.\101\ The Commission believes that setting bright-line 
categories of personal information, while potentially both over- and 
under-inclusive, provides greater certainty for operators seeking to 
follow the Rule.
---------------------------------------------------------------------------

    \100\ See Paul Ohm (comment 48), at 2.
    \101\ Professor Ohm acknowledges that ``most websites probably 
do not count their data in this way today, so the regulation will 
require some websites to expend modest new resources to comply. 
Moreover, every time a website decides to collect new categories of 
information from users, it needs to recalculate its count.'' Id. at 
8-9.
---------------------------------------------------------------------------

(7) Web Site or Online Service Directed to Children
    The Commission also considered whether any changes needed to be 
made to the Rule's definition of ``website or online service directed 
to children.'' The current definition is largely a ``totality of the 
circumstances'' test that provides sufficient coverage and clarity to 
enable Web sites to comply with COPPA, and the Commission and its state 
partners to enforce COPPA.\102\ Few commenters addressed the 
definition. However, one commenter, the Institute for Public 
Representation, suggested that the Rule be amended so that a Web site 
per se should be deemed ``directed to children'' if audience 
demographics show that 20% or more of its visitors are children under 
age 13.\103\
---------------------------------------------------------------------------

    \102\ See, e.g., United States v. Playdom, Inc., No. SA CV-11-00724 
(C.D. Cal., filed May 11, 2011) (finding defendants' Pony Stars 
Web site to be ``directed to children''); United States v. 
Industrious Kid, Inc., No. CV-08-0639 (N.D. Cal., filed Jan. 28, 
2008); United States v. UMG Recordings, Inc., No. CV-04-1050 (C.D. 
Cal., filed Feb. 17, 2004); United States v. Bonzi Software, Inc., 
No. CV-04-1048 (C.D. Cal., filed Feb. 17, 2004).
    \103\ See Institute for Public Representation (comment 33), at 
iii (urging the Commission to adopt the same threshold, 20%, used in 
the Commission's 2007 food marketing Orders to File a Special 
Report).
---------------------------------------------------------------------------

    The current definition of ``website or online service directed to 
children'' already notes that the Commission will consider competent 
and reliable empirical evidence of audience composition as part of a 
totality of circumstances analysis. The Commission's experience with 
online audience demographic data in both its studies of food marketing 
to children and marketing violent entertainment to children shows that 
such data is neither available for all Web sites and online services, 
nor is it sufficiently reliable, to adopt it as a per se legal 
standard.\104\ Accordingly, the Commission declines to adopt a standard 
akin to the 20% standard proposed by the Institute for Public 
Representation.
---------------------------------------------------------------------------

    \104\ In the context of the Commission's food marketing studies, 
food marketers were required to identify and report Web site 
expenditures targeted to children based on a number of criteria, one 
of which was whether audience demographic data indicated that 20% or 
more of visitors to a Web site were children ages 2-11. See Fed. 
Trade Comm'n, Order to File Special Report, B-3, note 14 (July 31, 
2007) available at http://www.ftc.gov/os/6b_orders/foodmktg6b/070731boskovichfarmssixb.pdf. There, the 20% threshold was not used 
as a basis to impose legal liability for a Rule violation.
---------------------------------------------------------------------------

    However, the Commission proposes minor modifications to the 
definition, as follows. First, as part of the totality of the 
circumstances analysis, the Commission proposes modifying the term 
``audio content'' to include musical content. In addition, the 
Commission proposes adding the presence of child celebrities, and 
celebrities who appeal to children, within the non-exclusive set of 
indicia it will use to determine whether a Web site or online service 
is directed to children. In the Commission's experience, both music and 
the presence of celebrities are strong indicators of a Web site or 
online service's appeal to children. Finally, the Commission proposes 
reordering the language of the definition so that the terms ``animated 
characters'' and ``child-oriented activities and incentives'' are 
addressed alongside the other indicia of child-directed content.
    Therefore, the proposed definition of ``Web site or online service 
directed to children'' reads:

    Website or online service directed to children means a 
commercial Web site or online service, or portion thereof, that is 
targeted to children. Provided, however, that a commercial Web site 
or online service, or a portion thereof, shall not be deemed 
directed to children solely because it refers or links to a 
commercial website or online service directed to children by using 
information location tools, including a directory, index, reference, 
pointer, or hypertext link. In determining whether a commercial Web 
site or online service, or a portion thereof, is targeted to 
children, the Commission will consider its subject matter, visual 
content, use of animated characters or child-oriented activities and 
incentives, music or other audio content, age of models, presence of 
child celebrities or celebrities who appeal to children, language or 
other characteristics of the website or online service, as well as 
whether advertising promoting or appearing on the Web site or online 
service is directed to children. The Commission will also consider 
competent and reliable empirical evidence regarding audience 
composition, and evidence regarding the intended audience.

B. Notice (16 CFR 312.4)

    The linchpins of the COPPA Rule are its parental notice and consent 
requirements. Providing parents with clear and complete notice of 
operators' information practices is the necessary first step in 
obtaining informed consent

[[Page 59815]]

from parents. COPPA requires that parents be notified in two ways: on 
the operator's Web site or online service (the ``online notice,'' which 
typically takes the form of a privacy policy), and in a notice 
delivered directly to a parent whose child seeks to register on the 
site or service (the ``direct notice''). The current Rule requires that 
operators provide extensive information about their children's privacy 
practices in their online notice. While the Rule states that the direct 
notice must contain the information an operator includes in its online 
notice as well as certain additional information, in the past, the 
Commission has indicated that operators may truncate the information in 
the direct notice by providing a hyperlink to their online privacy 
policy.\105\
---------------------------------------------------------------------------

    \105\ See 1999 Statement of Basis and Purpose, 64 FR 59888, 
59897.
---------------------------------------------------------------------------

    Outside the COPPA context, in recent years, the Commission has 
begun to urge industry to provide consumers with notice and choice 
about information practices at the point consumers enter personal data 
or before accepting a product or service.\106\ The analogous point of 
entry under COPPA would be the direct notice, which has the potential 
to provide parents with the best opportunity to consider an operator's 
information practices and to determine whether to permit children's 
engagement with such operator's Web site or online service. Therefore, 
the Commission proposes to revise the notice requirements to reinforce 
COPPA's goal of providing complete and clear information in the direct 
notice, and to rely less heavily on the online notice or privacy policy 
as a means of providing parents with information about operators' 
information practices.\107\
---------------------------------------------------------------------------

    \106\ See Protecting Consumer Privacy in an Era of Rapid Change, 
supra note 23, at 57-59.
    \107\ The proposed changes to the direct notice provision, 
discussed in Part V.B.(2) infra, would reverse the Commission's 
guidance that operators may truncate the information in the direct 
notice by providing a hyperlink to their online privacy policy. See 
note 105 and accompanying text.
---------------------------------------------------------------------------

(1) Notice on the Web site or Online Service (Revised Paragraph (b))
    The Commission proposes to streamline Sec.  312.4(b),\108\ 
regarding the placement and content of the notice of information 
practices that operators must provide on their Web sites or in their 
online services. The language regarding the required placement of this 
online notice has been shortened and clarified, thereby making the 
provision more instructive to operators. The revised language more 
succinctly requires that the online notice be clearly labeled and 
prominently located, and be posted on an operator's home page or home 
screen and at each location where the operator collects personal 
information from children.\109\
---------------------------------------------------------------------------

    \108\ No changes are proposed to Sec.  312.4(a) (``general 
principles of notice'').
    \109\ The Commission poses a question whether the Rule should be 
modified to require operators to post a link to their online notice 
in any location where their mobile applications can be purchased or 
otherwise downloaded. See infra Part X. at Question 14.
---------------------------------------------------------------------------

    With respect to the content of the online notice, the Commission 
proposes several improvements to the Rule's current list of 
requirements. First, the Commission proposes requiring operators to 
provide contact information, including, at a minimum, the operator's 
name, physical address, telephone number, and e-mail address. In 
contrast to the current Rule, this proposal would apply to all 
operators of a Web site or online service, rather than permitting the 
designation of a single operator as the contact point. Given the 
possibility of a child interacting with multiple operators on a single 
Web site or online service (e.g., in the case of a mobile application 
that grants permission to an advertising network to collect user 
information from within the application), the Commission believes that 
the identification of each operator will aid parents in finding the 
appropriate party to whom to direct any inquiry.
    Second, the Commission proposes eliminating the Rule's current 
lengthy--yet potentially under-inclusive--recitation of an operator's 
information collection, use, and disclosure practices in favor of a 
simple statement of: (1) What information the operator collects from 
children, including whether the Web site or online service enables a 
child to make personal information publicly available, (2) how the 
operator uses such information, and (3) the operator's disclosure 
practices for such information.\110\ In the Commission's experience, 
privacy policies are often long and difficult to understand, and may no 
longer be the most effective way to communicate salient information to 
consumers, including parents.\111\ By streamlining the Rule's online 
notice requirements by reverting to the language of the COPPA statute, 
the Commission hopes to encourage operators to provide clear, concise 
descriptions of their information practices, which may have the added 
benefit of being easier to read on smaller screens (e.g., those on 
Internet-enabled mobile devices).
---------------------------------------------------------------------------

    \110\ This language mirrors the statutory requirements for the 
online notice. See 15 U.S.C. 6503(b)(1)(A)(i).
    \111\ See Protecting Consumer Privacy in an Era of Rapid Change, 
supra note 23, at 7.
---------------------------------------------------------------------------

    The Commission also proposes eliminating the requirement, 
articulated in Sec.  312.4(b)(2)(v), that an operator's privacy policy 
state that the operator may not condition a child's participation in an 
activity on the child's disclosing more personal information than is 
reasonably necessary to participate in such activity. In the 
Commission's experience, this blanket statement, often parroted 
verbatim in operators' privacy policies, detracts from the key 
information of operators' actual information practices, and yields 
little value to a parent trying to determine whether to permit a 
child's participation. In proposing to delete this requirement in the 
privacy notice, however, the Commission does not propose deleting Sec.  
312.7 of the Rule, which still prohibits operators from conditioning a 
child's participation in a game, the offering of a prize, or another 
activity on the child's disclosing more personal information than is 
reasonably necessary to participate in such activity.\112\
---------------------------------------------------------------------------

    \112\ See 16 CFR 312.7.
---------------------------------------------------------------------------

    Therefore, the Commission proposes to revise paragraph (b) of Sec.  
312.4 so that it states:

    (b) Notice on the Web site or online service. Pursuant to Sec.  
312.3(a), each operator of a Web site or online service directed to 
children must post a prominent and clearly labeled link to an online 
notice of its information practices with regard to children on the 
home or landing page or screen of its Web site or online service, 
and, at each area of the Web site or online service where personal 
information is collected from children. The link must be in close 
proximity to the requests for information in each such area. An 
operator of a general audience Web site or online service that has a 
separate children's area or site must post a link to a notice of its 
information practices with regard to children on the home or landing 
page or screen of the children's area. To be complete, the online 
notice of the Web site or online service's information practices 
must state the following:
    (1) Each operator's contact information, which at a minimum, 
must include the operator's name, physical address, telephone 
number, and e-mail address;
    (2) A description of what information each operator collects 
from children, including whether the Web site or online service 
enables a child to make personal information publicly available; how 
such operator uses such information, and; the operator's disclosure 
practices for such information; and,
    (3) That the parent can review and have deleted the child's 
personal information, and refuse to permit further collection or use 
of

[[Page 59816]]

the child's information, and state the procedures for doing so.\113\
---------------------------------------------------------------------------

    \113\ No change is proposed to the Rule's requirement that 
operators disclose that a parent may review and have deleted a 
child's personal information and refuse to permit further collection 
or use of that child's information. Although one commenter observed 
that parents seldom exercise these rights, see WiredSafety.org 
(comment 68), at 28, the Commission believes that requiring 
operators to provide such rights to parents remains an important 
element of the Rule. In the context of its broader inquiry into how 
to best protect privacy in today's marketplace, Commission staff is 
exploring methods of ensuring consumer access to data as a means of 
increasing the transparency of companies' data practices. See 
Protecting Consumer Privacy in an Era of Rapid Change, supra note 
23, at 72-76.
---------------------------------------------------------------------------

(2) Direct Notice to a Parent (Revised Paragraph (c))
    As described above, the Commission proposes refining the Rule 
requirements for the direct notice to ensure that this notice works as 
an effective ``just-in-time'' message to parents about an operator's 
information practices. Specifically, the Commission proposes to 
reorganize and standardize the direct notice requirement to set forth 
the precise items of information that must be disclosed in each type of 
direct notice required under the Rule. These specific notice 
requirements correspond to the requirements for obtaining parental 
consent under Sec.  312.5 of the Rule. The proposed reorganization is 
intended to make it easier for operators to determine what information 
they must include in the direct notice to parents, based upon 
operators' particular information collection practices.
    The proposed revised language of Sec.  312.4(c) specifies, for each 
different form of direct notice required by the Rule, the precise 
information that operators must provide to parents regarding: The items 
of personal information the operator already has obtained from the 
child (the parent's online contact information either alone or together 
with the child's online contact information); the purpose of the 
notification; action that the parent must or may take; and, what use, 
if any, the operator will make of the personal information collected. 
The proposed revised provision also makes clear that each form of 
direct notice must provide a hyperlink to the operator's online notice 
of information practices. The Commission believes the proposed 
revisions will help ensure that parents receive key information up 
front, while directing them online to view any additional information 
contained in the operator's online notice.
    The Commission also proposes adding a new paragraph, Sec.  
312.4(c)(2), setting out the requirements for a direct notice when an 
operator chooses to collect a parent's online contact information from 
the child in order to provide parental notice about a child's 
participation in a Web site or online service that does not otherwise 
collect, use, or disclose children's personal information. This new 
form of parental notice corresponds to a newly proposed exception to 
the parental consent requirement for the collection of a parent's 
online contact information when done to inform the parent of a child's 
participation in a Web site or online service that does not otherwise 
collect personal information from the child.\114\
---------------------------------------------------------------------------

    \114\ See infra Part V.C.(4).
---------------------------------------------------------------------------

    Therefore, the Commission proposes to revise paragraph (c) of Sec.  
312.4 so that it reads:

    (c) Direct notice to a parent. An operator must make reasonable 
efforts, taking into account available technology, to ensure that a 
parent of a child receives direct notice of the operator's practices 
with regard to the collection, use, or disclosure of the child's 
personal information, including notice of any material change in the 
collection, use, or disclosure practices to which the parent has 
previously consented.
    (1) Content of the direct notice to the parent required under 
Sec.  312.5(c)(1) (Notice to Obtain Parent's Affirmative Consent to 
the Collection, Use, or Disclosure of a Child's Personal 
Information). This direct notice shall set forth:
    (i) That the operator has collected the parent's online contact 
information from the child in order to obtain the parent's consent;
    (ii) That the parent's consent is required for the child's 
participation in the Web site or online service, and that the 
operator will not collect, use, or disclose any personal information 
from the child if the parent does not provide such consent;
    (iii) The additional items of personal information the operator 
intends to collect from the child, if any, and the potential 
opportunities for the disclosure of personal information, if any, 
should the parent consent to the child's participation in the Web 
site or online service;
    (iv) A hyperlink to the operator's online notice of its 
information practices required under Sec.  312.4(b);
    (v) The means by which the parent can provide verifiable consent 
to the collection, use, and disclosure of the information; and,
    (vi) That if the parent does not provide consent within a 
reasonable time from the date the direct notice was sent, the 
operator will delete the parent's online contact information from 
its records.
    (2) Content of the direct notice to the parent allowed under 
Sec.  312.5(c)(2) (Notice to Parent of a Child's Online Activities 
Not Involving the Collection, Use or Disclosure of Personal 
Information). This direct notice shall set forth:
    (i) That the operator has collected the parent's online contact 
information from the child in order to provide notice to the parent 
of a child's participation in a Web site or online service that does 
not otherwise collect, use, or disclose children's personal 
information; and,
    (ii) That the parent's online contact information will not be 
used or disclosed for any other purpose;
    (iii) That the parent may refuse to permit the operator to allow 
the child to participate in the Web site or online service and may 
require the deletion of the parent's online contact information, and 
how the parent can do so; and,
    (iv) A hyperlink to the operator's online notice of its 
information practices required under Sec.  312.4(b).
    (3) Content of the direct notice to the parent required under 
Sec.  312.5(c)(4) (Notice to a Parent of Operator's Intent to 
Communicate with the Child Multiple Times). This direct notice shall 
set forth:
    (i) That the operator has collected the child's online contact 
information from the child in order to provide multiple online 
communications to the child;
    (ii) That the operator has collected the parent's online contact 
information from the child in order to notify the parent that the 
child has registered to receive multiple online communications from 
the operator;
    (iii) That the online contact information collected from the 
child will not be used for any other purpose, disclosed, or combined 
with any other information collected from the child;
    (iv) That the parent may refuse to permit further contact with 
the child and require the deletion of the parent's and child's 
online contact information, and how the parent can do so;
    (v) That if the parent fails to respond to this direct notice, 
the operator may use the online contact information collected from 
the child for the purpose stated in the direct notice; and,
    (vi) A hyperlink to the operator's online notice of its 
information practices required under Sec.  312.4(b).
    (4) Content of the direct notice to the parent required under 
Sec.  312.5(c)(5) (Notice to a Parent In Order to Protect a Child's 
Safety). This direct notice shall set forth:
    (i) That the operator has collected the child's name and the 
online contact information of the child and the parent in order to 
protect the safety of a child;
    (ii) That the information will not be used or disclosed for any 
purpose unrelated to the child's safety;
    (iii) That the parent may refuse to permit the use, and require 
the deletion, of the information collected, and how the parent can 
do so;
    (iv) That if the parent fails to respond to this direct notice, 
the operator may use the information for the purpose stated in the 
direct notice; and,
    (v) A hyperlink to the operator's online notice of its 
information practices required under Sec.  312.4(b).

C. Parental Consent (16 CFR 312.5)

    A central element of COPPA is its requirement that operators 
seeking to collect, use, or disclose personal

[[Page 59817]]

information from children first obtain verifiable parental 
consent.\115\ ``Verifiable parental consent'' is defined in the statute 
as ``any reasonable effort (taking into consideration available 
technology), including a request for authorization for future 
collection, use, and disclosure, described in the notice.'' \116\ In 
paragraph (b)(1), the Rule provides that operators:
---------------------------------------------------------------------------

    \115\ Paragraph (a) of Sec.  312.5 reads:
    (1) An operator is required to obtain verifiable parental 
consent before any collection, use, and/or disclosure of personal 
information from children, including consent to any material change 
in the collection, use, and/or disclosure practices to which the 
parent has previously consented.
    (2) An operator must give the parent the option to consent to 
the collection and use of the child's personal information without 
consenting to disclosure of his or her personal information to third 
parties.
    \116\ 15 U.S.C. 6501(9).
---------------------------------------------------------------------------

must make reasonable efforts to obtain verifiable parental consent, 
taking into consideration available technology. Any method to obtain 
verifiable parental consent must be reasonably calculated in light 
of available technology to ensure that the person providing consent 
is the child's parent.

    The Rule then sets forth a non-exclusive list of methods that meet 
the standard of verifiable parental consent.\117\ Specifically, 
paragraph (b)(2) states:
---------------------------------------------------------------------------

    \117\ See 16 CFR 312.5(b).
---------------------------------------------------------------------------

    Methods to obtain verifiable parental consent that satisfy the 
requirements of this paragraph include: Providing a consent form to 
be signed by the parent and returned to the operator by postal mail 
or facsimile; requiring a parent to use a credit card in connection 
with a transaction; having a parent call a toll-free telephone 
number staffed by trained personnel; using a digital certificate 
that uses public key technology; and using e-mail accompanied by a 
PIN or password obtained through one of the verification methods 
listed in this paragraph.\118\
---------------------------------------------------------------------------

    \118\ Paragraph (b)(2) continues:
    Provided that: Until the Commission otherwise determines, 
methods to obtain verifiable parental consent for uses of 
information other than the ``disclosures'' defined by Sec.  312.2 
may also include use of e-mail coupled with additional steps to 
provide assurances that the person providing the consent is the 
parent. Such additional steps include: Sending a confirmatory e-mail 
to the parent following receipt of consent; or obtaining a postal 
address or telephone number from the parent and confirming the 
parent's consent by letter or telephone call. Operators who use such 
methods must provide notice that the parent can revoke any consent 
given in response to the earlier e-mail.
    A discussion of paragraph (b)(2) follows in Part V.C.(2).
---------------------------------------------------------------------------

    The Rule's enumerated consent mechanisms were discussed in-depth at 
the Commission's June 2, 2010 COPPA roundtable and also were addressed 
by a number of commenters.\119\ While several persons acknowledged that 
no one method provides complete certainty that the operator has reached 
and obtained consent from a parent, they generally agreed that the 
listed methods continue to have utility for operators and should be 
retained.\120\ A great number of commenters also urged the Commission 
to expand the list of acceptable mechanisms to incorporate newer 
technologies.\121\ After careful consideration, the Commission proposes 
several significant changes to the mechanisms of verifiable parental 
consent set forth in paragraph (b) of Sec.  312.5, including: Adding 
several newly recognized mechanisms for parental consent; eliminating 
the sliding scale approach to parental consent; and, adding two new 
processes for evaluation and pre-clearance of parental consent 
mechanisms.
---------------------------------------------------------------------------

    \119\ See Federal Trade Commission's Roundtable: Protecting 
Kids' Privacy Online at 195, 208-71 (June 2, 2010), available at 
http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.
    \120\ See DMA (comment 17), at 10, 12; Microsoft (comment 39), 
at 7; Toy Industry Association, Inc. (comment 63), at 3; 
WiredSafety.org (comment 68), at 18.
    \121\ See, e.g., Boku (comment 5); DMA (comment 17), at 11-12; 
EchoSign, Inc. (comment 18); Entertainment Software Association 
(comment 20), at 7-9; Facebook (comment 22), at 2; Janine Hiller 
(comment 27), at 447-50; Mary Kay Hoal (comment 30); Microsoft 
(comment 39), at 4; MPAA (comment 42), at 12; RelyID (comment 53), 
at 3; TRUSTe (comment 64), at 3; Harry Valetk (comment 66), at 6; 
WiredSafety.org (comment 68), at 53; Susan Wittlief (comment 69).
---------------------------------------------------------------------------

(1) Mechanisms for Verifiable Parental Consent (Paragraph (b)(2))
    A number of commenters made suggestions for strengthening, 
modernizing, and simplifying the Rule's mechanisms for parental 
consent. For example, commenters asked the Commission to recognize 
additional methods of obtaining parental consent, such as by sending a 
text message to the parent's mobile phone number,\122\ offering online 
payment services other than credit cards,\123\ offering parental 
controls in gaming consoles,\124\ offering a centralized parents' 
opt-in list,\125\ and permitting electronic signatures.\126\ Upon 
consideration of each proposal in light of the existing record, the 
Commission determines that the record is sufficient to justify certain 
proposed mechanisms, but insufficient to adopt others.
---------------------------------------------------------------------------

    \122\ See BOKU (comment 5); Entertainment Software Association 
(comment 20), at 11-12; TRUSTe (comment 64), at 3; Harry A. Valetk 
(comment 66), at 6-7. See discussion supra Part IV, regarding 
COPPA's application to mobile communications via SMS messaging.
    \123\ See WiredSafety.org (comment 68), at 24 (noting that 
operators are considering employing online financial accounts such 
as iTunes for parental consent).
    \124\ See Entertainment Software Association (comment 20), at 9-
10; Microsoft (comment 39), at 7.
    \125\ See Entertainment Software Association (comment 20), at 
12; Janine Hiller (comment 27), at 31.
    \126\ See DMA (comment 17), at 12; EchoSign (comment 18); 
Entertainment Software Association (comment 20), at 10; Toy Industry 
Association (comment 63), at 11.
---------------------------------------------------------------------------

    First, the Commission notes that the collection of a parent's 
mobile phone number to effectuate consent via an SMS text message would 
require a statutory change, as the COPPA statute currently permits only 
the collection of a parent's ``online contact'' information for such 
purposes, and a phone number does not fall within the statute's 
definition of ``online contact information,'' i.e., ``an e-mail address 
or another substantially similar identifier that permits direct contact 
with a person online.'' \127\ There are advantages to using SMS texting 
as a method of contacting the parent and obtaining consent--among them 
that parents typically do not have multiple mobile phone numbers, and 
generally have their mobile phones with them at all times. Some 
commenters opined that this method was as reliable as use of a credit 
card or fax; \128\ others compared the use of SMS text messaging to the 
``e-mail plus'' method permitted under the Rule's sliding scale 
approach to parental consent.\129\ The Commission believes the more apt 
analogy is to the e-mail plus method in that the operator sends a 
notice to the parent via the parent's mobile phone number and requests 
opt-in consent by a return message in some form. In this way, the use 
of SMS text messaging for parental consent would suffer from the same 
inadequacies as does e-mail plus, which, as described below, the 
Commission proposes to eliminate. Just as with an e-mail address, there 
is no way to verify that the phone number provided by a child is that 
of the parent rather than that of the child. For these reasons, the 
Commission declines to add use of SMS text messaging to the enumerated 
list of parental consent mechanisms.
---------------------------------------------------------------------------

    \127\ 15 U.S.C. 6502(12).
    \128\ See, e.g., Entertainment Software Association (comment 
20), at 11-12.
    \129\ See Boku (comment 5).
---------------------------------------------------------------------------

    With respect to expanding the Rule to permit the use of online 
payment services for verifying consent in lieu of a credit card, the 
Commission finds that the record is insufficient to warrant adding 
online payment services as a consent mechanism. The Commission notes 
that no commenters provided any

[[Page 59818]]

analysis of how online payment services might meet the requirements of 
Sec.  312.5(b)(1); however, one commenter cautioned the Commission 
against embracing such technologies at this time, noting that 
alternative payment systems may not be as well-regulated as the credit 
card industry and thereby may provide even less assurance of parental 
consent than use of a credit card.\130\ The Commission also is mindful 
of the potential for children's easy access to and use of alternative 
forms of payments (such as gift cards, debit cards, and online 
accounts), and would expect to see a fuller discussion of the risks 
presented in any future application to the Commission for recognition 
of these consent methods.
---------------------------------------------------------------------------

    \130\ See EPIC (comment 19), at 5. (``Alternative methods may 
not be as heavily regulated as more traditional systems. As a 
result, the use of alternative methods in gaining parental consent 
or payment remain inadvisable, although that may change as such 
methods come under stronger regulation.'').
---------------------------------------------------------------------------

    Several commenters asked the Commission to consider whether, and in 
what circumstances, parental control features in game consoles could be 
used to verify consent under COPPA.\131\ Parental control settings 
often permit parents to limit or block functions such as Internet 
access, information sharing, chat, and interactive game play, and 
require parental approval before a child adds friends.\132\ Parental 
control features appear to offer parents a great deal of control over a 
child's gaming experience, and, as commenters acknowledged, can serve 
as a complement to COPPA's parental consent requirements.\133\ As 
acknowledged in the comments, at present, such systems are not designed 
to comply with COPPA's standards for verifiable parental consent,\134\ 
and the record currently is insufficient for the Commission to 
determine whether a hypothetical parental consent mechanism would meet 
COPPA's verifiable parental consent standard. The Commission encourages 
continued exploration of the concept of using parental controls in 
gaming consoles (and, presumably, on a host of handheld devices) to 
notify parents and obtain their prior verifiable consent.
---------------------------------------------------------------------------

    \131\ See Entertainment Software Association (comment 20), at 4; 
Microsoft (comment 39), at 7.
    \132\ See Entertainment Software Association (comment 20), at 4-
6.
    \133\ Id. at 6.
    \134\ See id. at 9 (``Therefore, it makes sense to consider how 
these tools could be harnessed for the related task of acquiring 
verifiable parental consent under the COPPA Rule''); Microsoft 
(comment 39), at 7 (describing how a hypothetical parental controls 
method might be structured in the future to notify a parent and 
obtain parental consent).
---------------------------------------------------------------------------

    Several commenters also asked the Commission to accept electronic 
signatures as a form of verifiable consent.\135\ The term ``electronic 
signature'' has many meanings, and can range from ``an electronic 
sound, symbol, or process, attached to or logically associated with a 
contract or other record and executed or adopted by a person with the 
intent to sign the record,'' \136\ to an electronic image of the 
stylized script associated with a person. Although the law recognizes 
electronic signatures for the assertion that a document has been 
signed,\137\ electronic signatures do not necessarily confirm the 
underlying identity of the individual signing the document. Therefore, 
their use, without more indicia of reliability, is problematic in the 
context of COPPA's verifiable parental consent requirement.
---------------------------------------------------------------------------

    \135\ See DMA (comment 17), at 12; EchoSign (comment 18); 
Entertainment Software Association (comment 20), at 10; Toy Industry 
Association (comment 63), at 11.
    \136\ See Electronic Signatures in Global and National Commerce 
Act, 15 U.S.C. 7006(5).
    \137\ 15 U.S.C. 7001(a).
---------------------------------------------------------------------------

    The Entertainment Software Association proposed that the Commission 
incorporate a ``sign and send'' method, given that Internet-enabled 
mobile devices increasingly include technologies that allow a user to 
input data by touching or writing on the device's screen. The 
Commission agrees that such sign-and-send methods are substantially 
analogous to the print-and-send method already recognized by Sec.  
312.5(b)(2) of the Rule.\138\ However, because of the proliferation of 
mobile devices among children and the ease with which children could 
sign and return an on-screen consent, the Commission is concerned that 
such mechanisms may not ``ensure that the person providing consent is 
the child's parent.'' \139\ The Commission welcomes further comment on 
how to enhance the reliability of these convenient methods.
---------------------------------------------------------------------------

    \138\ See Entertainment Software Association (comment 20), at 
10.
    \139\ 16 CFR 312.5(b)(1).
---------------------------------------------------------------------------

    Several commenters urged the Commission to recognize the submission 
of electronically scanned versions of signed parental consent forms and 
the use of video verification methods.\140\ The Commission agrees that 
now commonly-available technologies such as electronic scans and video 
conferencing are functionally equivalent to the written and oral 
methods of parental consent originally recognized by the Commission in 
1999. Therefore, the Commission proposes to recognize these two methods 
in the proposed Rule.
---------------------------------------------------------------------------

    \140\ See Denise Tayloe, supra note 42, at 227; Phyllis B. 
Spaeth, Assoc. Dir., Children's Adver. Review Unit, Council of 
Better Bus. Bureaus, Remarks from The ``Actual Knowledge'' Standard 
in Today's Online Environment Panel at the Federal Trade 
Commission's Roundtable: Protecting Kids' Privacy Online at 269 
(June 2, 2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf; DMA (comment 17), at 11; EPIC 
(comment 19), at 3.
---------------------------------------------------------------------------

    The Commission also proposes allowing operators to collect a form 
of government-issued identification--such as a driver's license, or a 
segment of the parent's social security number--from the parent, and to 
verify the parent's identity by checking this identification against 
databases of such information, provided that the parent's 
identification is deleted by the operator from its records promptly 
after such verification is complete. The Commission recognizes that 
information such as social security number, driver's license number, or 
other record of government-issued identification is sensitive 
data.\141\ In permitting operators to use government-issued 
identification as an approved method of parental verification, the 
Commission emphasizes the importance of limiting the collection of such 
identification information to only those segments of information needed 
to verify the data.\142\ For example, the Commission notes that the 
last four digits of a person's social security number are commonly used 
by verification services to confirm a person's identity.\143\ The 
requirement in the proposed Rule that operators immediately delete 
parents' government-issued identification information upon completion 
of the verification process provides further protection against 
operators' unnecessary retention of the information, use of the 
information for

[[Page 59819]]

other purposes, and potential compromise of such information.\144\
---------------------------------------------------------------------------

    \141\ The COPPA statute itself lists social security number 
among the items considered to be personal information. See 16 CFR 
312.2. In other contexts, driver's licenses and social security 
numbers, among other things, have traditionally been considered by 
Commission staff to be personal, or sensitive, as well. See Self-
Regulatory Principles for Online Behavioral Advertising, supra note 
68, at 20, 42, 44.
    \142\ The use of a driver's license to verify a parent, while 
not specifically enumerated in the Final Rule as an approved method 
of parental consent, was addressed in the Statement of Basis and 
Purpose in connection with a discussion of the methods to verify the 
identity of parents who seek access to their children's personal 
information under Sec.  312.6(a)(3) of the Rule. See 1999 Statement 
of Basis and Purpose, 64 FR 59888, 59905. There, the Commission 
concluded that the use of a driver's license was an acceptable 
method of parental verification.
    \143\ See, e.g., Privo, Inc., ``Request for Safe Harbor Approval 
by the Federal Trade Commission for Privo, Inc.'s Privacy Assurance 
Program under Section 312.10 of the Children's Online Privacy 
Protection Rule,'' 25 (Mar. 3, 2004), available at http://www.ftc.gov/os/2004/04/privoapp.pdf.
    \144\ The Commission poses a question whether operators should 
be required to maintain a record that parental consent was obtained. 
See infra Part X., at Question 17.
---------------------------------------------------------------------------

    Finally, the Commission proposes including the term ``monetary'' to 
modify ``transaction'' in connection with use of a credit card to 
verify parental consent. This added language is intended to make clear 
the Commission's long-standing position that the Rule limits use of a 
credit card as a method of parental consent to situations involving 
actual monetary transactions.\145\
---------------------------------------------------------------------------

    \145\ See Children's Online Privacy Protection Rule, 71 FR 
13247, 13253, 13254 (Mar. 15, 2006) (retention of rule without 
modification) (requirement that the credit card be used in 
connection with a transaction provides extra reliability because 
parents obtain a transaction record, which is notice of the 
purported consent, and can withdraw consent if improperly given); 
Fed. Trade Comm'n., Frequently Asked Questions about the Children's 
Online Privacy Protection Rule, Question 33, available at http://www.ftc.gov/privacy/coppafaqs.shtm#consent.
---------------------------------------------------------------------------

(2) The Sliding Scale Approach to Parental Consent
    In conducting the Rule review, the Commission sought comment on 
whether the sliding scale set forth in Sec.  312.5(b)(2) remains a 
viable approach to verifiable parental consent.\146\ Under the sliding 
scale, an operator, when collecting personal information only for its 
internal use, may obtain verifiable parental consent through an e-mail 
from the parent, so long as the e-mail is coupled with an additional 
step. Such additional steps have included: Obtaining a postal address 
or telephone number from the parent and confirming the parent's consent 
by letter or telephone call, or sending a delayed confirmatory e-mail 
to the parent after receiving consent. The purpose of the additional 
step is to provide greater assurance that the person providing consent 
is, in fact, the parent.\147\ This consent method is often called 
``email plus.'' In contrast, for uses of personal information that 
involve disclosing the information to the public or third parties, the 
sliding scale approach requires operators to use more reliable methods 
of obtaining verifiable parental consent. These methods have included: 
Using a print-and-send form that can be faxed or mailed back to the 
operator; requiring a parent to use a credit card in connection with a 
transaction; having a parent call a toll-free telephone number staffed 
by trained personnel; using a digital certificate that uses public key 
technology; and using e-mail accompanied by a PIN or password obtained 
through one of the above methods.
---------------------------------------------------------------------------

    \146\ See 2010 Rule Review, supra note 7, at 17091.
    \147\ The Commission was persuaded by commenters' views that 
internal uses of information, such as marketing to children, 
presented less risk than external disclosures of the information to 
third parties or through public postings. See 1999 Statement of 
Basis and Purpose, 64 FR 59888, 59901. Other internal uses of 
children's personal information may include sweepstakes, prize 
promotions, child-directed fan clubs, birthday clubs, and the 
provision of coupons.
---------------------------------------------------------------------------

    In adopting the sliding scale approach in 1999, the Commission 
recognized that the e-mail plus method was not as reliable as the other 
enumerated methods of verifiable parental consent.\148\ However, it 
believed that this lower cost option was acceptable as a temporary 
option, in place only until the Commission determined that more 
reliable (and affordable) consent methods had adequately 
developed.\149\ In 2006, the Commission extended use of the sliding 
scale indefinitely, stating that the agency would continue to monitor 
technological developments and modify the Rule should an acceptable 
electronic consent technology develop.\150\
---------------------------------------------------------------------------

    \148\ See id. at 59,902 (``[E]mail alone does not satisfy the 
COPPA because it is easily subject to circumvention by children.'').
    \149\ See id. at 59,901 (``The Commission believes it is 
appropriate to balance the costs imposed by a method against the 
risks associated with the intended uses of the information 
collected. Weighing all of these factors in light of the record, the 
Commission is persuaded that temporary use of a ``sliding scale'' is 
an appropriate way to implement the requirements of the COPPA until 
secure electronic methods become more available and affordable'').
    \150\ See Children's Online Privacy Protection Rule, 71 FR 
13247, 13255, 13254 (Mar. 15, 2006) (retention of rule without 
modification).
---------------------------------------------------------------------------

    E-mail plus has enjoyed wide appeal among operators, who credit its 
simplicity.\151\ Numerous commenters, including associations who 
represent operators, support the continued retention of this method as 
a low-cost means to obtain parents' consent.\152\ At the same time, 
several commenters, including safe harbor programs and proponents of 
new parental consent mechanisms, challenged the method's reliability, 
given that operators have no real way of determining whether the e-mail 
address provided by a child is that of the parent, and there is no 
requirement that the parent's e-mail response to the operator contain 
any additional information providing assurance that it is from a 
parent.\153\
---------------------------------------------------------------------------

    \151\ See WiredSafety.org (comment 68), at 21 (``We all assumed 
[email plus] would be phased out once digital signatures became 
broadly used. But when new authentication models and technologies 
failed to gain in parental adoption, it was continued and is in 
broad use for one reason--it's simple'').
    \152\ See Rebecca Newton, Chief Cmty. & Safety Officer, Mind 
Candy, Inc., Remarks from Emerging Parental Verification Access and 
Methods Panel at the Federal Trade Commission's Roundtable: 
Protecting Kids' Privacy Online at 211-13 (June 2, 2010), available 
at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf (e-mail plus is as reliable as any other method); DMA 
(comment 17), at 10; IAB (comment 34), at 2; Rebecca Newton (comment 
46), at 3; PMA (comment 51), at 4-5; Toy Industry Association, Inc. 
(comment 63), at 8.
    \153\ See Privo, Inc. (comment 50), at 5 (``the presentation of 
a verified email is much less reliable if there is virtually no 
proofing or analyzing that goes on to determine who the email 
belongs to''); RelyId (comment 53), at 3 (``The email plus mechanism 
does not obtain verifiable parental consent at all. It simply does 
not ensure that a parent `authorizes' anything required by the COPPA 
statute. The main problem with this approach is that the child can 
create an email address to act as the supposed parent's email 
address, send the email from that address, and receive the 
confirmatory email at that address''). See also Denise Tayloe, supra 
note 42, at 215-17; Phyllis Spaeth, supra note 140, at 215-17 (e-
mail plus is very unreliable).
---------------------------------------------------------------------------

    The Commission believes that the continued reliance on e-mail plus 
has inhibited the development of more reliable methods of obtaining 
verifiable parental consent.\154\ In fact, the Commission notes that 
few, if any, new methods for obtaining parental consent have emerged 
since the sliding scale was last extended in 2006. The Commission 
limited the use of e-mail plus to instances where operators only 
collect children's personal information for internal uses. Although 
internal uses may pose a lower risk of misuse of children's personal 
information than the sharing or public disclosure of such information, 
all collections of children's information merit strong verifiable 
parental consent. Indeed, children's personal information is one of the 
most sensitive types of data collected by operators online. In light of 
this, therefore, the Commission believes that e-mail plus has outlived 
its usefulness and should no longer be a recognized approach to 
parental consent under the Rule.
---------------------------------------------------------------------------

    \154\ See Privo (comment 50), at 4 (``[Extending the sliding 
scale mechanism] had the effect of giving industry absolutely no 
reason to create, innovate, adopt or make use of any other method 
for the internal use of children's personal data.'').
---------------------------------------------------------------------------

    Therefore, the Commission proposes to amend Sec.  312.5(b)(2) so 
that it reads:

    (2) Existing methods to obtain verifiable parental consent that 
satisfy the requirements of this paragraph include: Providing a 
consent form to be signed by the parent and returned to the operator 
by postal mail, facsimile, or an electronic scan; permitting a 
parent to use a credit card in connection with a monetary 
transaction; having a parent call a toll-free telephone number 
staffed by trained personnel; having a parent connect to trained 
personnel via video-conference; or, verifying a parent's identity by 
checking a form of government-issued identification against 
databases of such information, provided that the parent's 
identification is deleted by the operator from its records promptly 
after such verification is complete.


[[Page 59820]]


    However, given the proposed discontinuance of 
e-mail plus, and in the interest of spurring innovation in parental 
consent mechanisms, the Commission proposes a new process by which 
parties may voluntarily seek Commission approval of a particular 
consent mechanism, as explained below.
(3) Commission and Safe Harbor Approval of Parental Consent Mechanisms 
(New Paragraphs (b)(3) and (b)(4))
    Under the Rule, methods to obtain verifiable parental consent 
``must be reasonably calculated, in light of available technology, to 
ensure that the person providing consent is the child's parent.'' \155\ 
This standard provides operators with the opportunity to craft consent 
mechanisms that meet this standard but otherwise are not enumerated in 
paragraph (b)(2) of Sec.  312.5. Nevertheless, whether out of concern 
for potential liability, ease of implementation, or lack of 
technological developments, operators have been reluctant to utilize 
consent methods other than those specifically set forth in the 
Rule.\156\ As a result, there appears to be little technical innovation 
in any area of parental consent.\157\
---------------------------------------------------------------------------

    \155\ See 16 CFR 312.5(b)(1).
    \156\ The June 2, 2010 Roundtable and the public comments 
reflect a tension between operators' desire for new methods of 
parental verification and their hesitation to adopt consent 
mechanisms other than those specifically enumerated in the Rule. See 
Remarks from Federal Trade Commission's Roundtable: Protecting Kids' 
Privacy Online at 226-27 (June 2, 2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf; 
CDT (comment 8), at 3 (``innovation in developing procedures to 
obtain parental consent has been limited as websites choose to use 
the methods suggested by the FTC out of fear that a more innovative 
method could lead to liability'').
    \157\ See Children's Online Privacy Protection Rule, 71 FR 
13247, 13250 (Mar. 15, 2006) (retention of rule without 
modification).
---------------------------------------------------------------------------

    To encourage the development of new consent mechanisms, and to 
provide transparency regarding consent mechanisms that may be proposed, 
the Commission proposes to establish a process in the Rule through 
which parties may, on a voluntary basis, seek Commission approval of a 
particular consent mechanism. Applicants who seek such approval would 
be required to present a detailed description of the proposed parental 
consent mechanism, together with an analysis of how the mechanism meets 
the requirements of Sec.  312.5(b)(1) of the Rule. The Commission would 
publish the application in the Federal Register for public comment, and 
approve or deny the applicant's request in writing within 180 days of 
the filing of the request.
    The Commission believes that this new approval process, aided by 
public input, will allow the Commission to give careful consideration, 
on a case-by-case basis, to new forms of consent as they develop in the 
marketplace. The new process also will increase transparency by 
publicizing approvals or rejections of particular consent mechanisms 
and should encourage operators who may previously have been tentative 
about exploring technological advancements to come forward and share 
them with the Commission and the public.
    Several commenters urged the Commission to permit Commission-
approved safe harbor programs to serve as laboratories for developing 
new consent mechanisms.\158\ The Commission agrees that establishing 
such a system may aid the pace of development in this area, and given 
the strengthened oversight of safe harbor programs described in Part F. 
below, will not result in the loosening of COPPA's standards for 
parental consent. Therefore, the Commission proposes adding a provision 
to the Rule stating that operators participating in a Commission-
approved safe harbor program may use any parental consent mechanism 
deemed by the safe harbor program to meet the general consent standard 
set forth in Sec.  312.5(b)(1).
---------------------------------------------------------------------------

    \158\ See MPAA (comment 42), at 12; Rebecca Newton (comment 46), 
at 2; Privo (comment 50), at 2; PMA (comment 51), at 5; Berin Szoka 
(comment 59), Szoka Responses to Questions for the Record, at 56; 
TRUSTe (comment 64), at 3. See also generally WiredSafety.org 
(comment 68), at 31-32.
---------------------------------------------------------------------------

    Therefore, the Commission proposes to amend Sec.  312.5(b) to add 
two new paragraphs, (3) and (4) that read:

    (3) Commission approval of parental consent mechanisms. 
Interested parties may file written requests for Commission approval 
of parental consent mechanisms not currently enumerated in paragraph 
(b)(2). To be considered for approval, parties must provide a 
detailed description of the proposed parental consent mechanism, 
together with an analysis of how the mechanism meets paragraph 
(b)(1). The request shall be filed with the Commission's Office of 
the Secretary. The Commission will publish in the Federal Register a 
document seeking public comment on the request. The Commission shall 
issue a written determination within 180 days of the filing of the 
request.
    (4) Safe harbor approval of parental consent mechanisms. A safe 
harbor program approved by the Commission under Sec.  312.11 may 
approve its member operators' use of a parental consent mechanism 
not currently enumerated in paragraph (b)(2) where the safe harbor 
program determines that such parental consent mechanism meets the 
requirements of paragraph (b)(1).
(4) Exceptions to Prior Parental Consent (Paragraph (c))
    Congress anticipated that certain situations would arise in which 
it was not necessary or practical for an operator to obtain consent 
from parents prior to engaging with children online. Accordingly, the 
COPPA statute and Rule contain five scenarios in which an operator may 
collect limited pieces of personal information (i.e., name and online 
contact information) from children prior to, or sometimes without, 
obtaining consent.\159\ These exceptions permit operators to 
communicate with the child to: initiate the parental consent process, 
respond to the child once or multiple times, and protect the child's 
safety or the integrity of the Web site.\160\
---------------------------------------------------------------------------

    \159\ See 15 U.S.C. 6503(b)(2); 16 CFR 315.5(c).
    \160\ The Act and the Rule currently permit the collection of a 
parent's e-mail address for the limited purposes of: (1) obtaining 
verified parental consent; (2) providing parents with a right to 
opt-out of an operator's use of a child's e-mail address for 
multiple contacts of the child; and (3) to protect a child's safety 
on a Web site or online service. See 15 U.S.C. 6503(b)(2); 16 CFR 
312.5(c)(1), (2), and (4).
---------------------------------------------------------------------------

    The Commission proposes adding one new exception to parental 
consent in order to give operators the option to collect a parent's 
online contact information for the purpose of providing notice to or 
updating the parent about a child's participation in a Web site or 
online service that does not otherwise collect, use, or disclose 
children's personal information.\161\ The parent's online contact 
information may not be used for any other purpose, disclosed, or 
combined with any other information collected from the child. The 
Commission believes that collecting a parent's online contact 
information for the limited purpose of notifying the parent of a 
child's online activities in a site or service that does not otherwise 
collect personal information is reasonable and should be 
encouraged.\162\
---------------------------------------------------------------------------

    \161\ At least a few online virtual worlds directed to very 
young children already follow this practice. Because the Rule does 
not currently include such an exception, these operators technically 
are in violation of COPPA.
    \162\ This proposed new exception is mirrored in the proposed 
revisions to the direct notice requirement of Sec.  312.4. See supra 
Part V.B.(2).
---------------------------------------------------------------------------

    Therefore, the Commission proposes to amend Sec.  312.5(c) to add a 
new subsection, Sec.  312.4(c)(2), that reads:

    Where the sole purpose of collecting a parent's online contact 
information is to provide notice to, and update the parent about, 
the child's participation in a Web site or online service that does 
not otherwise collect, use, or disclose children's personal 
information. In such cases, the parent's online contact information 
may not be used

[[Page 59821]]

or disclosed for any other purpose. In such cases, the operator must 
make reasonable efforts, taking into consideration available 
technology, to ensure that the parent receives notice as described 
in Sec.  312.4(c)(2).

    The Commission also proposes minor technical corrections to the 
Rule's current exceptions provisions. First, in Sec.  312.4(c)(1), the 
Rule permits an operator to collect ``the name or online contact 
information of a parent or child'' to be used for the sole purpose of 
obtaining parental consent. The clear intent of this provision is to 
allow for the collection of the parent's online contact information in 
order to reach the parent to initiate the consent process. Therefore, 
the Commission proposes to amend Sec.  312.5(c)(1) to clarify the 
language so that it reads:

    Where the sole purpose of collecting a parent's online contact 
information and the name of the child or the parent is to provide 
notice and obtain parental consent under Sec.  312.4(c)(1). If the 
operator has not obtained parental consent after a reasonable time 
from the date of the information collection, the operator must 
delete such information from its records.

    Second, Sec.  312.5(c)(3) provides that an operator may notify a 
parent of the collection of a child's online contact information for 
multiple contacts via e-mail or postal address. The Commission proposes 
to eliminate the option of collecting a parent's postal address for 
notification purposes. The collection of postal address is not provided 
for anywhere else in the Rule's notice requirements, and is clearly 
outmoded at this time. Therefore, the Commission proposes to amend 
Sec.  312.5(c)(3), now renumbered as Sec.  312.5(4), so that it reads:

    Where the sole purpose of collecting a child's and a parent's 
online contact information is to respond directly more than once to 
the child's specific request, and where such information is not used 
for any other purpose, disclosed, or combined with any other 
information collected from the child. In such cases, the operator 
must make reasonable efforts, taking into consideration available 
technology, to ensure that the parent receives notice as described 
in Sec.  312.4(c)(3). An operator will not be deemed to have made 
reasonable efforts to ensure that a parent receives notice where the 
notice to the parent was unable to be delivered.

    Finally, in various places in Sec.  312.5(c), the Commission 
proposes to emphasize that the collection of online contact information 
is to be used for the limited purpose articulated within each 
paragraph, and not for any other purpose.
    Therefore, the Commission proposes to amend Sec.  312.5(c) so that 
it reads in its entirety:

    (c) Exceptions to prior parental consent. Verifiable parental 
consent is required prior to any collection, use, or disclosure of 
personal information from a child except as set forth in this 
paragraph:
    (1) Where the sole purpose of collecting a parent's online 
contact information and the name of the child or the parent is to 
provide notice and obtain parental consent under Sec.  312.4(c)(1). 
If the operator has not obtained parental consent after a reasonable 
time from the date of the information collection, the operator must 
delete such information from its records;
    (2) Where the sole purpose of collecting a parent's online 
contact information is to provide notice to, and update the parent 
about, the child's participation in a Web site or online service 
that does not otherwise collect, use, or disclose children's 
personal information. In such cases, the parent's online contact 
information may not be used or disclosed for any other purpose. In 
such cases, the operator must make reasonable efforts, taking into 
consideration available technology, to ensure that the parent 
receives notice as described in Sec.  312.4(c)(2);
    (3) Where the sole purpose of collecting a child's online 
contact information is to respond directly on a one-time basis to a 
specific request from the child, and where such information is not 
used to re-contact the child or for any other purpose, is not 
disclosed, and is deleted by the operator from its records promptly 
after responding to the child's request; \163\
---------------------------------------------------------------------------

    \163\ This ``one time use'' exception does not require an 
operator to provide notice to a parent.
---------------------------------------------------------------------------

    (4) Where the sole purpose of collecting a child's and a 
parent's online contact information is to respond directly more than 
once to the child's specific request, and where such information is 
not used for any other purpose, disclosed, or combined with any 
other information collected from the child. In such cases, the 
operator must make reasonable efforts, taking into consideration 
available technology, to ensure that the parent receives notice as 
described in Sec.  312.4(c)(3). An operator will not be deemed to 
have made reasonable efforts to ensure that a parent receives notice 
where the notice to the parent was unable to be delivered;
    (5) Where the sole purpose of collecting a child's name, and a 
child's and a parent's online contact information, is to protect the 
safety of a child, and where such information is not used or 
disclosed for any purpose unrelated to the child's safety. In such 
cases, the operator must make reasonable efforts, taking into 
consideration available technology, to provide a parent with notice 
as described in Sec.  312.4(c)(4);
    (6) Where the sole purpose of collecting a child's name and 
online contact information is to: (i) Protect the security or 
integrity of its Web site or online service; (ii) take precautions 
against liability; (iii) respond to judicial process; or (iv) to the 
extent permitted under other provisions of law, to provide 
information to law enforcement agencies or for an investigation on a 
matter related to public safety; and, where such information is not 
be used for any other purpose.\164\
---------------------------------------------------------------------------

    \164\ This exception does not require an operator to provide 
notice to a parent.
---------------------------------------------------------------------------

D. Confidentiality, Security, and Integrity of Personal Information 
Collected From Children (16 CFR 312.8)

    The Commission proposes to amend Sec.  312.8 to strengthen the 
provision for maintaining the confidentiality, security, and integrity 
of personal information. To accomplish this, the Commission proposes 
adding a requirement that operators take reasonable measures to ensure 
that any service provider or third party to whom they release 
children's personal information has in place reasonable procedures to 
protect the confidentiality, security, and integrity of such personal 
information.
    COPPA requires operators to establish and maintain reasonable 
procedures to protect the confidentiality, security, and integrity of 
personal information collected from children, but is silent on the data 
security obligations of third parties.\165\ The COPPA Rule mirrors the 
statutory language but also requires covered operators to disclose in 
their online privacy policies whether third parties to whom personal 
information is disclosed have agreed to maintain the confidentiality, 
security, and integrity of the personal information they obtain from 
the operator.\166\
---------------------------------------------------------------------------

    \165\ 15 U.S.C. 6503(b)(1)(D).
    \166\ See 16 CFR 312.4(b)(2)(iv) and 312.8.
---------------------------------------------------------------------------

    Under the Commission's proposed amendment to Sec.  312.8, an 
operator must take reasonable measures to ensure that any service 
provider or third party to whom it releases children's personal 
information has in place reasonable procedures to protect the 
confidentiality, security, and integrity of such personal information. 
This provision is intended to address security issues surrounding 
business-to-business releases of data.\167\
---------------------------------------------------------------------------

    \167\ See supra Part V.A.(3).
---------------------------------------------------------------------------

    The proposed requirement that operators must take reasonable 
measures to ensure that third parties and service providers keep the 
shared information confidential and secure is a logical and necessary 
extension of the statutory requirement that operators themselves keep 
such information confidential and secure. Therefore, the Commission 
proposes to amend Sec.  312.8 to add a second sentence so that it 
reads:

    The operator must establish and maintain reasonable procedures 
to protect the confidentiality, security, and integrity of personal 
information collected from children. The operator must take 
reasonable measures

[[Page 59822]]

to ensure that any service provider or any third party to whom it 
releases children's personal information has in place reasonable 
procedures to protect the confidentiality, security, and integrity 
of such personal information.

E. Data Retention and Deletion Requirements (Proposed 16 CFR 312.10)

    As noted above, COPPA authorizes the Commission to promulgate 
regulations requiring operators to establish and maintain reasonable 
procedures to protect the confidentiality, security, and integrity of 
personal information collected from children.\168\ Deleting unneeded 
information is an integral part of any reasonable data security 
strategy. Accordingly, the Commission proposes adding a new data 
retention and deletion provision to become Sec.  312.10.\169\
---------------------------------------------------------------------------

    \168\ 15 U.S.C. 6503(b)(1)(D).
    \169\ The Commission proposes moving the current Sec.  312.10 
(Safe Harbors) to Sec.  312.11, and deleting as obsolete the current 
Sec.  312.11 (Rulemaking review).
---------------------------------------------------------------------------

    The proposed provision states that operators shall retain 
children's personal information for only as long as is reasonably 
necessary to fulfill the purpose for which the information was 
collected. In addition, it states that an operator must delete such 
information by taking reasonable measures to protect against 
unauthorized access to, or use of, the information in connection with 
its deletion.
    Although the current Rule does not contain a data retention and 
deletion requirement, the Commission has long encouraged such 
practices. According to its 1999 Notice of Proposed Rulemaking: ``[t]he 
Commission encourages operators to establish reasonable procedures for 
the destruction of personal information once it is no longer necessary 
for the fulfillment of the purpose for which it was collected. Timely 
elimination of data is the ultimate protection against misuse or 
unauthorized disclosure.'' \170\ More recently, the Commission has 
testified that companies should adopt a ``privacy by design'' approach, 
including by building data retention and disposal protections into 
their everyday business practices.\171\
---------------------------------------------------------------------------

    \170\ See Children's Online Privacy Protection Rule, Notice of 
Proposed Rulemaking, 64 FR 22750, 22758-59 (Apr. 27, 1999), 
available at http://www.ftc.gov/os/fedreg/1999/april/990427childrensonlineprivacy.pdf.
    \171\ See, e.g., Internet Privacy: The Views of the FTC, the 
FCC, and NTIA: Hearing Before the Subcomms. on Commerce, 
Manufacturing, & Trade and Communications & Technology of the H.R. 
Comm. on Energy and Commerce, 112th Cong., at 14 (2011) (Statement 
of Edith Ramirez, Commissioner, Federal Trade Commission), available 
at http://www.ftc.gov/os/testimony/110714internetprivacytestimony.pdf; Privacy and Data Security: 
Protecting Consumers in the Modern World: Hearing Before the S. 
Comm. on Commerce, Science & Transportation, 112th Cong., at 12 
(2011) (Statement of Julie Brill, Commissioner, Federal Trade 
Commission), available at http://www.ftc.gov/os/testimony/110629privacytestimonybrill.pdf; Data Security: Hearing Before the 
Subcomm. on Commerce, Manufacturing & Trade, H.R. Comm. on Energy 
and Commerce, 112th Cong., at 9 (2011) (Statement of Edith Ramirez, 
Commissioner, Federal Trade Commission), available at http://www.ftc.gov/os/testimony/110615datasecurityhouse.pdf. See also 
Protecting Consumer Privacy in an Era of Rapid Change, supra note 
23, at 44.
---------------------------------------------------------------------------

    The proposed new data retention and deletion provision (Sec.  
312.10) reads:

    An operator of a Web site or online service shall retain personal 
information collected online from a child for only as long as is 
reasonably necessary to fulfill the purpose for which the information 
was collected. The operator must delete such information using 
reasonable measures to protect against unauthorized access to, or use 
of, the information in connection with its deletion.

F. Safe Harbors (Current 16 CFR 312.10, Proposed 16 CFR 312.11)

    The COPPA statute established a ``safe harbor'' for participants in 
Commission-approved COPPA self-regulatory programs.\172\ With the safe 
harbor provision, Congress intended to encourage industry members and 
other groups to develop their own COPPA oversight programs, thereby 
promoting efficiency and flexibility in complying with COPPA's 
substantive provisions.\173\ COPPA's safe harbor provision also was 
intended to reward operators' good faith efforts to comply with COPPA. 
The Rule therefore provides that operators fully complying with an 
approved safe harbor program will be ``deemed to be in compliance'' 
with the Rule for purposes of enforcement. In lieu of formal 
enforcement actions, such operators instead are subject first to the 
safe harbor program's own review and disciplinary procedures.\174\
---------------------------------------------------------------------------

    \172\ See 15 U.S.C. 6503.
    \173\ See 1999 Statement of Basis and Purpose, 64 FR 59888, 
59906 (``[T]his section serves as an incentive for industry self-
regulation; by allowing flexibility in the development of self-
regulatory guidelines, it ensures that the protections afforded 
children under this Rule are implemented in a manner that takes into 
account industry specific concerns and technological 
developments'').
    \174\ See 16 CFR 312.10(a) and (b)(4).
---------------------------------------------------------------------------

    Current Sec.  312.10 of the Rule sets forth the criteria the 
Commission uses to approve applications for safe harbor status under 
COPPA. First, the self-regulatory program must contain guidelines that 
protect children's online privacy to the same or greater extent as the 
Rule and ensure that each potential participant complies with these 
guidelines.\175\ Second, the program must monitor the participant's 
practices on an ongoing basis to ensure that the participant continues 
to comply with both the program's guidelines and the participant's own 
privacy notices.\176\ Finally, the safe harbor program must contain 
effective incentive mechanisms to ensure operators' compliance with 
program guidelines.\177\
---------------------------------------------------------------------------

    \175\ See 16 CFR 312.10(b)(1).
    \176\ See 16 CFR 312.10(b)(2)(i)-(iv).
    \177\ See 16 CFR 312.10(b)(3)(i)-(v). Effective incentives 
include mandatory public reporting of disciplinary action taken 
against participants by the safe harbor program; consumer redress; 
voluntary payments to the United States Treasury; referral of 
violators to the Commission; or any other equally effective 
incentive. Id.
---------------------------------------------------------------------------

    Several comments supported strengthening the Commission's oversight 
of participating safe harbor programs. TRUSTe, a Commission-approved 
COPPA safe harbor program, asked the Commission to develop better 
criteria for the approval of safe harbor programs that reflect the 
principles of reliability, accountability, transparency, and 
sustainability.\178\ Another commenter urged the Commission regularly 
to audit the Commission-approved COPPA safe harbor programs to ensure 
compliance with the Rule.\179\ The Commission finds merit in the calls 
to strengthen the Safe Harbor provisions of the Rule, and accordingly, 
proposes three substantive changes: requiring that applicants seeking 
Commission approval of self-regulatory guidelines submit comprehensive 
information about their capability to run an effective safe harbor 
program; establishing more rigorous baseline oversight by Commission-
approved safe harbor programs of their members; and, requiring 
Commission-approved safe harbor programs to submit periodic reports to 
the Commission. The Commission also proposes several structural and 
linguistic changes to the Safe Harbors section to increase the Rule's 
clarity.
---------------------------------------------------------------------------

    \178\ See TRUSTe (comment 64), at 6.
    \179\ See Harry A. Valetk (comment 66), at 4.
---------------------------------------------------------------------------

(1) Criteria for Approval of Self-Regulatory Guidelines (Paragraph (b))
    Paragraph (b) of the Rule's safe harbor provisions sets forth the 
criteria the Commission will use to review an application for safe 
harbor status. Among other things, safe harbor applicants must 
demonstrate that they have an effective mandatory mechanism for the 
independent assessment of their members' compliance. The Rule outlines 
possible, non-exclusive, methods applicants may employ to conduct this 
independent review,

[[Page 59823]]

including periodic comprehensive or random checks of members' 
information practices, seeding members' databases if coupled with 
random or periodic checks,\180\ or ``any other equally effective 
independent assessment mechanism.'' \181\
---------------------------------------------------------------------------

    \180\ ``Seeding'' a participant's database means registering as 
a child on the Web site or online service and then monitoring the 
site or service to ensure that it complies with the Rule's 
requirements.
    \181\ See 16 CFR 312.10(b)(2).
---------------------------------------------------------------------------

    The Commission proposes maintaining the standard that safe harbor 
programs implement ``an effective, mandatory mechanism for the 
independent assessment of subject operators' compliance.'' Rather than 
provide a set of alternative mechanisms that safe harbor programs can 
use to carry out this requirement, the Commission proposes to mandate 
that, at a minimum, safe harbor programs conduct annual, comprehensive 
reviews of each of their members' information practices. In the 
Commission's view, this baseline benchmark for oversight will improve 
the accountability and transparency of Commission-approved COPPA safe 
harbor programs.
    Therefore, the Commission proposes to amend paragraph (b)(2) of the 
safe harbor provisions of the Rule to read:

    (2) An effective, mandatory mechanism for the independent 
assessment of subject operators' compliance with the self-regulatory 
program guidelines. At a minimum, this mechanism must include a 
comprehensive review by the safe harbor program, to be conducted not 
less than annually, of each subject operator's information policies, 
practices, and representations. The assessment mechanism required 
under this paragraph can be provided by an independent enforcement 
program, such as a seal program.

(2) Request for Commission Approval of Self-Regulatory Program 
Guidelines (Paragraph (c))
    Paragraph (c) of the Rule's current safe harbor provision sets 
forth the application requirements for safe harbor status. Among other 
things, an applicant must include the full text of the guidelines for 
which approval is sought and any accompanying commentary, a statement 
explaining how the applicant's proposed self-regulatory guidelines meet 
COPPA, and how the independent assessment mechanism and effective 
incentives for subject operators' compliance (required under paragraphs 
(b)(2) and (3)) provide effective enforcement of COPPA.\182\
---------------------------------------------------------------------------

    \182\ See 16 CFR 312.10(c).
---------------------------------------------------------------------------

    To enhance the reliability and sustainability of programs granted 
safe harbor status,\183\ the Commission proposes adding a requirement 
that program applicants include with their application a detailed 
explanation of their business model and the technological capabilities 
and mechanisms they will use for initial and continuing assessment of 
subject operators' fitness for membership in the safe harbor program. 
This requirement will enable the Commission to better evaluate the 
qualifications of a safe harbor program applicant.
---------------------------------------------------------------------------

    \183\ See TRUSTe (comment 64), at 6.
---------------------------------------------------------------------------

    Therefore, the Commission proposes adding a new requirement to 
paragraph (c) (paragraph (c)(1)) that reads:

    (c) Request for Commission approval of self-regulatory program 
guidelines. To obtain Commission approval of self-regulatory program 
guidelines, proposed safe harbor programs must file a request for 
such approval. A request shall be accompanied by the following:
    (1) A detailed explanation of the applicant's business model, 
and the technological capabilities and mechanisms that will be used 
for initial and continuing assessment of subject operators' fitness 
for membership in the safe harbor program.\184\
---------------------------------------------------------------------------

    \184\ The Commission will consider applicants' requests that 
certain materials submitted in connection with an application for 
safe harbor should receive confidential treatment. See FTC Operating 
Manual, 15.5.1, and 15.5.2.
---------------------------------------------------------------------------

(3) Safe Harbor Reporting and Recordkeeping Requirements (Paragraph 
(d))
    Paragraph (d) of the current safe harbor provision requires 
Commission-approved safe harbor programs to maintain records of 
consumer complaints, disciplinary actions, and the results of the 
independent assessments required under paragraph (b)(2) for a period of 
at least three years. Such records shall be made available to the 
Commission for inspection and copying at the Commission's request.\185\
---------------------------------------------------------------------------

    \185\ See 16 CFR 312.10(d).
---------------------------------------------------------------------------

    One commenter urged the Commission to make greater use of its 
inspection powers under paragraph (d) to audit safe harbor programs in 
order to ``give the Commission a better understanding of actual 
marketplace practices, and inspire commercial operators to improve 
online practices.'' \186\ The Institute for Public Representation went 
further, asking the Commission to ``assess the effectiveness of the 
safe harbor programs by requiring annual reports about their 
enforcement efforts.'' \187\ The Commission believes that instituting a 
periodic reporting requirement, in addition to retaining the right to 
access program records, will better ensure that all safe harbor 
programs maintain sufficient records and that the Commission is 
routinely apprised of key information about approved safe harbor 
programs and their members. Therefore, the Commission proposes 
modifying paragraph (d) to require, within one year of the effective 
date of the Final Rule amendments, and every eighteen months 
thereafter, the submission of reports to the Commission containing, at 
a minimum, the results of an independent audit described in revised 
paragraph (b)(2), and the reporting of any disciplinary action taken 
against any member operator within the relevant reporting period.
---------------------------------------------------------------------------

    \186\ See Harry A. Valetk (comment 66), at 4.
    \187\ See Institute for Public Representation (comment 33), at 
37.
---------------------------------------------------------------------------

    Therefore, the Commission proposes modifying paragraph (d) to read:

    (d) Reporting and recordkeeping requirements. Approved safe 
harbor programs shall:
    (1) Within one year after the effective date of the Final Rule 
amendments, and every eighteen months thereafter, submit a report to 
the Commission containing, at a minimum, the results of the 
independent assessment conducted under paragraph (b)(2), a 
description of any disciplinary action taken against any subject 
operator under paragraph (b)(3), and a description of any approvals 
of member operators' use of parental consent mechanism, pursuant to 
Sec.  312.5(b)(4);
    (2) Promptly respond to requests by the Commission for 
additional information; and,
    (3) Maintain for a period not less than three years, and upon 
request make available to the Commission for inspection and copying:
    (i) Consumer complaints alleging violations of the guidelines by 
subject operators;
    (ii) Records of disciplinary actions taken against subject 
operators; and
    (iii) Results of the independent assessments of subject 
operators' compliance required under paragraph (b)(2).

(4) Revisions to Increase the Clarity of the Safe Harbor Provisions
    The Commission also proposes a general reorganization of the safe 
harbor provision to provide a clearer roadmap of the requirements for 
obtaining and maintaining safe harbor status. This reorganization 
includes consolidating into separate paragraphs: the criteria for 
approval of self-regulatory program guidelines; the application 
requirements for Commission approval; reporting and recordkeeping 
requirements; post-approval modifications to self-regulatory program 
guidelines; and revocation of approval of self-regulatory program 
guidelines.\188\ In addition, the

[[Page 59824]]

Commission proposes adding language to the revocation of approval 
paragraph to require currently approved safe harbor programs to propose 
modifications to their guidelines within 60 days of publication of the 
Final Rule amendments in order to come into compliance or face 
revocation.\189\ Finally, the proposed revision would move to the end 
of this section the Rule's provision on the effect of an operator's 
participation in a safe harbor program.
---------------------------------------------------------------------------

    \188\ The Commission also proposes deleting the requirement that 
the Commission must determine ``in fact'' that approved self-
regulatory program guidelines or their implementation do not meet 
the requirements of the Rule's safe harbor provisions prior to 
revoking their approval.
    \189\ Therefore, the Commission proposes to amend paragraph (f) 
of the safe harbor provisions of the Rule to read:
    (f) Revocation of approval of self-regulatory program 
guidelines. The Commission reserves the right to revoke any approval 
granted under this Section if at any time it determines that the 
approved self-regulatory program guidelines or their implementation 
do not meet the requirements of this part. Safe harbor programs that 
were approved prior to the publication of the Final Rule amendments 
must, within 60 days of publication of the Final Rule amendments, 
submit proposed modifications to their guidelines that would bring 
them into compliance with such amendments, or their approval shall 
be revoked.
---------------------------------------------------------------------------

VI. Request for Comment

    The Commission invites interested persons to submit written 
comments on any issue of fact, law, or policy that may bear upon the 
proposals under consideration. Please include explanations for any 
answers provided, as well as supporting evidence where appropriate. 
After evaluating the comments, the Commission will determine whether to 
issue specific amendments.
    Comments should refer to ``COPPA Rule Review: FTC File No. 
P104503'' to facilitate the organization of comments. Please note that 
your comment--including your name and your state--will be placed on the 
public record of this proceeding, including on the publicly accessible 
FTC Web site, at http://www.ftc.gov/os/publiccomments.shtm. Comments 
must be received on or before the deadline specified above in the DATES 
section in order to be considered by the Commission.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before November 28, 
2011. Write ``COPPA Rule Review, 16 CFR Part 312, Project No. P104503'' 
on your comment. Your comment--including your name and your state--will 
be placed on the public record of this proceeding, including, to the 
extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the 
Commission tries to remove individuals' home contact information from 
comments before placing them on the Commission Web site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment doesn't include any 
sensitive personal information, such as anyone's Social Security 
number, date of birth, driver's license number or other state 
identification number or foreign country equivalent, passport number, 
financial account number, or credit or debit card number. You are also 
solely responsible for making sure that your comment doesn't include 
any sensitive health information, like medical records or other 
individually identifiable health information. In addition, don't 
include any ``[t]rade secret or any commercial or financial information 
which is obtained from any person and which is privileged or 
confidential,'' as provided in Section 6(f) of the FTC Act, 15 U.S.C. 
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, don't 
include competitively sensitive information such as costs, sales 
statistics, inventories, formulas, patterns, devices, manufacturing 
processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you must follow the procedure explained in 
FTC Rule 4.9(c), 16 CFR 4.9(c).\190\ Your comment will be kept 
confidential only if the FTC General Counsel, in his or her sole 
discretion, grants your request in accordance with the law and the 
public interest.
---------------------------------------------------------------------------

    \190\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/2011copparulereview, by following the instructions on the web-based 
form. If this document appears at http://www.regulations.gov/#!home, 
you also may file a comment through that Web site.
    If you file your comment on paper, write ``COPPA Rule Review, 16 
CFR part 312, Project No. P104503'' on your comment and on the 
envelope, and mail or deliver it to the following address: Federal 
Trade Commission, Office of the Secretary, Room H-113 (Annex E), 600 
Pennsylvania Avenue, NW., Washington, DC 20580. If possible, submit 
your paper comment to the Commission by courier or overnight service.
    Visit the Commission Web site at http://www.ftc.gov to read this 
document and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before November 28, 2011.\191\ You can find more 
information, including routine uses permitted by the Privacy Act, in 
the Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.
---------------------------------------------------------------------------

    \191\ Questions for the public regarding proposed revisions to 
the Rule are found at Part X., infra.
---------------------------------------------------------------------------

    Comments on any proposed recordkeeping, disclosure, or reporting 
requirements subject to review under the Paperwork Reduction Act should 
additionally be submitted to OMB. If sent by U.S. mail, they should be 
addressed to Office of Information and Regulatory Affairs, Office of 
Management and Budget, Attention: Desk Officer for the Federal Trade 
Commission, New Executive Office Building, Docket Library, Room 10102, 
725 17th Street, NW., Washington, DC 20503. Comments sent to OMB by U.S. 
postal mail, however, are subject to delays due to heightened security 
precautions. Thus, comments instead should be sent by facsimile to 
(202) 395-5167.

VII. Regulatory Flexibility Act

    The Regulatory Flexibility Act of 1980 (``RFA''), 5 U.S.C. 601 et 
seq., requires a description and analysis of proposed and final rules 
that will have significant economic impact on a substantial number of 
small entities. The RFA requires an agency to provide an Initial 
Regulatory Flexibility Analysis (``IRFA'') with the proposed Rule, and 
a Final Regulatory Flexibility Analysis (``FRFA''), if any, with the 
final Rule.\192\ The Commission is not required to make such analyses 
if a Rule would not have such an economic effect.\193\
---------------------------------------------------------------------------

    \192\ See 5 U.S.C. 603-04.
    \193\ See 5 U.S.C. 605.
---------------------------------------------------------------------------

    Although, as described below, the Commission does not anticipate 
that the proposed changes to the Rule will result in substantially more 
Web sites and online services being subject to the Rule, it will result 
in greater disclosure, reporting, and compliance

[[Page 59825]]

responsibilities for all entities covered by the Rule. The Commission 
believes that a number of operators of Web sites and online services 
potentially affected by the revisions are small entities as defined by 
the RFA. It is unclear whether the proposed amended Rule will have a 
significant economic impact on these small entities. Thus, to obtain 
more information about the impact of the proposed Rule on small 
entities, the Commission has decided to publish the following IRFA 
pursuant to the RFA and to request public comment on the impact on 
small businesses of its proposed amended Rule.

A. Description of the Reasons That Agency Action Is Being Considered

    As described in Part I above, the Commission commenced a voluntary 
review of the COPPA Rule in early April 2010, seeking public comment on 
whether technological changes to the online environment warranted any 
changes to the Rule.\194\ After careful review of the comments 
received, the Commission concludes that there is a need to update 
certain Rule provisions. Therefore, it proposes modifications to the 
Rule in the following five areas: Definitions, Notice, Parental 
Consent, Confidentiality and Security of Children's Personal 
Information, and Safe Harbor Programs. In addition, the Commission 
proposes adding a new Section to the Rule regarding data retention and 
deletion.
---------------------------------------------------------------------------

    \194\ See 75 FR 17089 (Apr. 5, 2010).
---------------------------------------------------------------------------

B. Succinct Statement of the Objectives of, and Legal Basis for, the 
Revised Proposed Rule

    The objectives of the amendments are to update the Rule to ensure 
that children's online privacy continues to be protected, as directed 
by Congress, even as new online technologies evolve, and to clarify 
existing obligations for operators under the Rule. The legal basis for 
the proposed amendments is the Children's Online Privacy Protection 
Act, 15 U.S.C. 6501 et seq.

C. Description and Estimate of the Number of Small Entities to Which 
the Revised Proposed Rule Will Apply

    The proposed amendments to the Rule will affect operators of Web 
sites and online services directed to children, as well as those 
operators that have actual knowledge that they are collecting personal 
information from children. The proposed Rule amendments will impose 
costs on entities that are ``operators'' under the Rule.
    The Commission staff is unaware of any empirical evidence 
concerning the number of operators subject to the Rule. However, based 
on our compliance monitoring efforts in the area of children's privacy, 
data received by the Commission in connection with preparing its most 
recent studies of food marketing to children and marketing of violent 
entertainment to children, and the recent growth in interactive mobile 
applications that may be directed to children, the Commission staff 
estimates that approximately 2,000 operators may be subject to the 
Rule's requirements.
    Under the Small Business Size Standards issued by the Small 
Business Administration, ``Internet publishing and broadcasting and web 
search portals'' qualify as small businesses if they have fewer than 
500 employees.\195\ The Commission staff estimates that approximately 
80% of operators potentially subject to the Rule qualify as small 
entities. The Commission staff bases this estimate on its experience in 
this area, which includes its law enforcement activities, oversight of 
safe harbor programs, conducting relevant workshops, and discussions 
with industry and privacy professionals. The Commission seeks comment 
and information with regard to the estimated number or nature of small 
business entities on which the proposed Rule would have a significant 
economic impact.
---------------------------------------------------------------------------

    \195\ See U.S. Small Business Administration Table of Small 
Business Size Standards Matched to North American Industry 
Classification System Codes, available at http://www.sba.gov/sites/default/files/Size_Standards_Table.pdf.
---------------------------------------------------------------------------

D. Description of the Projected Reporting, Recordkeeping, and Other 
Compliance Requirements

    The proposed amended Rule would impose reporting, recordkeeping, 
and other compliance requirements within the meaning of the Paperwork 
Reduction Act, as set forth in Part VIII. of this Notice of Proposed 
Rulemaking. Therefore, the Commission is submitting the proposed 
requirements to OMB for review before issuing a final rule.
    The proposed Rule likely would increase the recordkeeping, 
reporting, and other compliance requirements for covered operators. In 
particular, the proposed requirement that the direct notice to parents 
include more specific details about an operator's information 
collection practices, pursuant to a revised Sec.  312.4 (Notice), would 
impose a one-time cost on operators. The Commission's proposed 
elimination of the sliding scale for acceptable mechanisms of obtaining 
parental consent, pursuant to a revised Sec.  312.5 (consent mechanisms 
for verifiable parental consent), would require those operators who 
previously used the e-mail plus method to now use a more reliable 
method for obtaining parental consent. The addition of proposed 
language in Sec.  312.8 (confidentiality, security, and integrity of 
personal information collected from children) would require operators 
to take reasonable measures to ensure that service providers and third 
parties to whom they release children's personal information have in 
place reasonable procedures to protect the confidentiality, security, 
and integrity of such personal information. Finally, the proposed Rule 
contains additional reporting requirements for entities voluntarily 
seeking approval to be a COPPA safe harbor self-regulatory program, and 
additional reporting and recordkeeping requirements for all Commission-
approved safe harbor programs. Each of these proposed improvements to 
the Rule may entail some added cost burden to operators, including 
those that qualify as small entities.
    The estimated burden imposed by these proposed amendments is 
discussed in the Paperwork Reduction Act section of this document, and 
there should be no difference in that burden as applied to small 
businesses. While the Rule's compliance obligations apply equally to 
all entities subject to the Rule, it is unclear whether the economic 
burden on small entities will be the same as or greater than the burden 
on other entities. That determination would depend upon a particular 
entity's compliance costs, some of which may be largely fixed for all 
entities (e.g., Web site programming) and others variable (e.g., Safe 
Harbor participation), and the entity's income or profit from operation 
of the Web site itself (e.g., membership fees) or related sources 
(e.g., revenue from marketing to children through the site). As 
explained in the Paperwork Reduction Act section, in order to comply 
with the Rule's requirements, Web site operators will require the 
professional skills of legal (lawyers or similar professionals) and 
technical (e.g., computer programmers) personnel. As explained earlier, 
the Commission staff estimates that there are approximately 2,000 Web 
sites or online services that would qualify as operators under the 
proposed Rule, and that approximately 80% of such operators would 
qualify as small entities under the SBA's Small Business Size 
standards. The Commission invites

[[Page 59826]]

comment and information on these issues.

E. Identification of Other Duplicative, Overlapping, or Conflicting 
Federal Rules

    The Commission has not identified any other federal statutes, 
rules, or policies that would duplicate, overlap, or conflict with the 
proposed Rule. The Commission invites comment and information on this 
issue.

F. Description of Any Significant Alternatives to the Proposed Rule

    In drafting the proposed amended Rule, the Commission has made 
every effort to avoid unduly burdensome requirements for entities. The 
Commission believes that the proposed amendments are necessary in order 
to continue to protect children's online privacy in accordance with the 
purposes of COPPA. For each of the proposed amendments, the Commission 
has attempted to tailor the provision to any concerns evidenced by the 
record to date. On balance, the Commission believes that the benefits 
to children and their parents outweigh the costs of implementation to 
industry.
    The Commission considered, but decided against, providing an 
exemption for small businesses. The primary purpose of COPPA is to 
protect children's online privacy by requiring verifiable parental 
consent before an operator collects personal information. The record 
and the Commission's enforcement experience have shown that the threats 
to children's privacy are just as great, if not greater, from small 
businesses or even individuals than from large businesses.\196\ 
Accordingly, any exemption for small businesses would undermine the 
very purpose of the Statute and Rule.
---------------------------------------------------------------------------

    \196\ See, e.g., United States v. W3 Innovations, LLC, No. CV-
11-03958 (N.D. Cal., filed Aug. 12, 2011); United States v. 
Industrious Kid, Inc., No. CV-08-0639 (N.D. Cal., filed Jan. 28, 
2008); United States v. Xanga.com, Inc., No. 06-CIV-6853 (S.D.N.Y., 
filed Sept. 7, 2006); United States v. Bonzi Software, Inc., No. CV-
04-1048 (C.D. Cal., filed Feb. 17, 2004); United States v. 
Looksmart, Ltd., Civil Action No. 01-605-A (E.D. Va., filed Apr. 18, 
2001); United States v. Bigmailbox.Com, Inc., Civil Action No. 01-
606-B (E.D. Va., filed Apr. 18, 2001).
---------------------------------------------------------------------------

    Nonetheless, the Commission has taken care in developing the 
proposed amendments to set performance standards that will establish 
the objective results that must be achieved by regulated entities, but 
do not mandate a particular technology that must be employed in 
achieving these objectives. For example, the Commission has retained 
the standard that verifiable parental consent may be obtained via a 
means reasonably calculated, in light of available technology, to 
ensure that the person providing consent is the child's parent. The 
proposed new requirements for maintaining the security of children's 
personal information and deleting such information when no longer 
needed do not mandate any specific means to accomplish those 
objectives. The Commission also proposes to make it easier for 
operators to avoid the collection of children's personal information by 
adopting a ``reasonable measures'' standard enabling operators to use 
competent filtering technologies to prevent children's public 
disclosure of information.
    The Commission seeks comments on ways in which the Rule could be 
modified to reduce any costs or burdens for small entities.

VIII. Paperwork Reduction Act

    The existing Rule contains recordkeeping, disclosure, and reporting 
requirements that constitute ``information collection requirements'' as 
defined by 5 CFR 1320.3(c) under the OMB regulations that implement the 
Paperwork Reduction Act (``PRA''), 44 U.S.C. 3501 et seq. OMB has 
approved the Rule's existing information collection requirements 
through July 31, 2014 (OMB Control No. 3084-0117).
    The proposed amendments to the COPPA Rule would change the 
definition of ``personal information,'' potentially increasing the 
number of operators subject to the Rule. The proposed amendments also 
would eliminate e-mail plus as an acceptable method for obtaining 
parental consent, require operators to provide parents with a more 
detailed direct notice, and increase reporting and recordkeeping 
requirements for Commission-approved safe harbor programs. Accordingly, 
the Commission is providing PRA burden estimates for the proposed 
amendments, which are set forth below.
    The Commission invites comments on: (1) Whether the proposed 
collection of information is necessary for the proper performance of 
the functions of the agency, including whether the information shall 
have practical utility; (2) the accuracy of the FTC's estimate of the 
burden of the proposed collection of information; (3) ways to enhance 
the quality, utility, and clarity of the information to be collected; 
and (4) ways to minimize the burden of collecting information on those 
who respond, including through the use of automated collection 
techniques or other forms of information technology.

Estimated Additional Annual Hours Burden

A. Number of Respondents

    As noted in the Regulatory Flexibility Section of this NPR, 
Commission staff estimates that there are currently approximately 2,000 
operators subject to the Rule. The Commission believes that the number 
of operators subject to the Rule's requirements will not change 
significantly as a result of the proposed revisions to the definition 
of personal information. Even though altering the definition of 
personal information potentially expands the pool of covered operators, 
other proposed changes in the Rule should offset much of this potential 
expansion. Specifically, these offsets include provisions allowing the 
use of persistent identifiers to support the internal operations of a 
Web site or online service, and permitting the use of reasonable 
measures such as automated filtering to strip out personal information 
before posting children's content in interactive venues. The Commission 
also anticipates many of these potentially new operators will make 
adjustments to their information collection practices so that they will 
not be collecting personal information from children, as defined by the 
Rule.
    For this burden analysis, the Commission staff retains its recently 
published estimate of 100 new operators per year \197\ for a 
prospective three-year PRA clearance period.\198\ The Commission staff 
also retains its estimate that no more than one additional safe harbor 
applicant will submit a request within the next three years.
---------------------------------------------------------------------------

    \197\ See Agency Information Collection Activities; Submission 
for OMB Review; Comment Request; Extension, 76 FR 31334 (May 31, 
2011) (``FTC COPPA PRA Extension'').
    \198\ Under the PRA, agencies may seek a maximum of three years' 
clearance for a collection of information. 44 U.S.C. 3507(g). 
Recordkeeping, disclosure, and reporting requirements are all forms 
of information collection. See 44 U.S.C. 3502(3).
---------------------------------------------------------------------------

B. Recordkeeping Hours

    The proposed Rule amendments do not impose any new significant 
recordkeeping requirements on operators. The proposed amendments do 
impose additional recordkeeping requirements on safe harbor programs, 
however. Commission staff estimates that in the year of implementation 
(``Year 1''), the four existing safe harbor programs will require no 
more than 100 hours to set up and implement a new recordkeeping system 
to comply with the proposed amendments.\199\ In later

[[Page 59827]]

years, once compliant systems are established, the burden for these 
entities should be negligible--no more than one hour each year.\200\ 
Thus, annualized burden per year for a prospective three-year clearance 
for existing safe harbor programs is 34 hours per safe harbor program 
(100 + 1 + 1 = 102 hours; 102 hours / 3 = 34 hours per year). 
Accordingly, for the four existing safe harbor programs, cumulative 
annualized recordkeeping burden would be 136 hours.
---------------------------------------------------------------------------

    \199\ See, e.g., Telemarketing Sales Rule (``TSR''), Notice of 
Proposed Rulemaking, 74 FR 41988, 42013 (Aug. 19, 2009). Arguably, 
this estimate conservatively errs upward in the instant context.
    \200\ Id.
---------------------------------------------------------------------------

    For a new entrant, the initial burden of establishing recordkeeping 
systems and the burden of maintenance thereafter should be no more than 
for the existing safe harbors. Assuming, as noted above, that there 
will be one new safe harbor entrant in a given three-year PRA 
clearance period, the incremental annualized recordkeeping burden for 
the entrant under the proposed amendments would be 34 hours.
    Thus, cumulative annualized recordkeeping burden for new and 
existing safe harbor applicants would be 170 hours.

C. Disclosure Hours

(1) New Operators' Disclosure Burden
    Under the existing OMB clearance for the Rule, the Commission staff 
has already accounted for the time that new operators will spend to 
craft a privacy policy (approximately 60 hours per operator), design 
mechanisms to provide the required online privacy notice and, where 
applicable, direct notice to parents in order to obtain verifiable 
consent. The proposed amendments should no more than minimally add to, 
if at all, the time required to accomplish this task because their 
effect primarily is to transfer required information from the privacy 
policy to the direct notice.
(2) Existing Operators' Disclosure Burden
    In Year 1, operators would have a one-time burden to re-design 
their existing privacy policies and direct notice procedures that would 
not carry over to the second and third years of prospective PRA 
clearance. In addition, existing operators that currently use the e-
mail plus method would incur burden in Year 1 for converting to a more 
reliable method of parental verification. Commission staff believes 
that an existing operator's time to make these changes would be no more 
than that estimated for a new entrant to craft a privacy policy for the 
first time, i.e., 60 hours. Annualized over three years of PRA 
clearance, this amounts to 20 hours ((60 hours + 0 + 0) / 3) per year. 
Aggregated for the 2,000 existing operators, annualized disclosure 
burden would be 40,000 hours.

D. Reporting Hours

    The FTC previously has estimated that a prospective safe harbor 
organization requires 265 hours to prepare and submit its safe harbor 
proposal.\201\ The proposed Rule amendments, however, require a safe 
harbor applicant to submit a more detailed proposal than what the 
current Rule mandates. Existing safe harbor programs will thus need to 
submit a revised application and new safe harbor applicants will have 
to provide greater detail than they would under the current Rule. The 
FTC estimates this added information would entail approximately 60 
additional hours for safe harbors to prepare. Accordingly, the 
aggregate incremental burden for this added one-time preparation is 300 
hours (60 hours x 5 safe harbors) or, annualized for an average single 
year per three-year PRA clearance, 100 hours.
---------------------------------------------------------------------------

    \201\ For PRA purposes, annualized over the course of three 
years of clearance, this averages roughly 100 hours per year given 
that the 265 hours is a one-time, not recurring, expenditure of time 
for an applicant.
---------------------------------------------------------------------------

    The proposed amendments to the Rule require safe harbor programs to 
audit their members at least annually and to submit periodic reports to 
the Commission on the results of their audits of members. As such, this 
will increase currently cleared burden estimates pertaining to safe 
harbor applicants. The burden for conducting member audits and 
preparing these reports will likely vary for each safe harbor program 
depending on the number of members. The Commission staff estimates that 
conducting audits and preparing reports will require approximately 100 
hours per program per year. Aggregated for five safe harbor programs, 
this amounts to an increased disclosure burden of 500 hours per year. 
Accordingly, cumulative yearly reporting burden for five safe harbor 
applicants to provide the added information proposed and to conduct 
audits and prepare reports is 600 hours.

E. Labor Costs

(1) Recordkeeping
    Based on the above estimate of 170 hours for existing and new safe 
harbor programs, annualized for an average single year per three-year 
PRA clearance, and applying a skilled labor rate of $26/hour,\202\ 
associated labor costs are $4,420 per year.
---------------------------------------------------------------------------

    \202\ This rounded figure is derived from the mean hourly 
earnings shown for computer support specialists found in the Bureau 
of Labor Statistics National Compensation Survey: Occupational 
Earnings in the United States, 2010, at Table 3, available at http://www.bls.gov/ncs/ocs/sp/nctb1477.pdf (``National Compensation Survey 
Table 3'').
---------------------------------------------------------------------------

(2) Disclosure
    The Commission staff assumes that the time spent on compliance for 
operators would be apportioned five to one between legal (lawyers or 
similar professionals) and technical (e.g., computer programmers) 
personnel.\203\ As noted above, the Commission staff estimates a total 
of 40,000 hours disclosure burden, annualized, for 2,000 existing 
operators. Thus, apportioned five to one, this amounts to, rounded, 
33,333 hours of legal, and 6,667 hours of technical, assistance. 
Applying hourly rates of $150 and $36, respectively, for these 
personnel categories,\204\ associated labor costs would total 
approximately $5,240,000.
---------------------------------------------------------------------------

    \203\ See FTC COPPA PRA Extension, 76 FR at 31335 n. 1.
    \204\ The estimated rate of $150 per hour is roughly midway 
between Bureau of Labor Statistics (BLS) mean hourly wages for 
lawyers (approximately $54) in the most recent whole-year data 
(2010) available online and what Commission staff believes more 
generally reflects hourly attorney costs ($250) associated with 
Commission information collection activities. The $36 estimate of 
mean hourly wages for computer programmers also is based on the most 
recent whole-year BLS data. See National Compensation Survey Table 
3.
---------------------------------------------------------------------------

(3) Reporting
    The Commission staff assumes that the task to prepare safe harbor 
program applications will be performed primarily by lawyers at a mean 
labor rate of $150 an hour. Thus, applied to an assumed industry total 
of 500 hours per year for this task, associated yearly labor costs 
would total $75,000.
    The Commission staff assumes periodic reports will be prepared by 
compliance officers, at a labor rate of $28.\205\ Applied to an assumed 
industry total of 500 hours per year for this task, associated yearly 
labor costs would be $14,000.
---------------------------------------------------------------------------

    \205\ See National Compensation Survey Table 3.
---------------------------------------------------------------------------

    Cumulatively, labor costs for the above-noted reporting 
requirements total approximately $89,000 per year.

F. Non-Labor/Capital Costs

    Because both operators and safe harbor programs will already be 
equipped with the computer equipment and software necessary to comply 
with the Rule's notice requirements, the proposed amendments to the 
Rule

[[Page 59828]]

should not impose any additional capital or other non-labor costs.

IX. Communications by Outside Parties to the Commissioners or Their 
Advisors

    Written communications and summaries or transcripts of oral 
communications respecting the merits of this proceeding, from any 
outside party to any Commissioner or Commissioner's advisor, will be 
placed on the public record. See 16 CFR 1.26(b)(5).

X. Questions for the Proposed Revisions to the Rule

    The Commission is seeking comment on various aspects of the 
proposed Rule, and is particularly interested in receiving comment on 
the questions that follow. These questions are designed to assist the 
public and should not be construed as a limitation on the issues on 
which public comment may be submitted. Responses to these questions 
should cite the numbers and subsection of the questions being answered. 
For all comments submitted, please submit any relevant data, 
statistics, or any other evidence, upon which those comments are based.

General Questions

    1. Please provide comment on any or all of the provisions in the 
proposed Rule. For each provision commented on, please describe (a) the 
impact of the provision(s) (including any benefits and costs), if any, 
and (b) what alternatives, if any, the Commission should consider, as 
well as the costs and benefits of those alternatives.

Definitions (Sec.  312.2)

    2. Do the changes to the definition of ``collects or collection'' 
sufficiently encompass all the ways in which information can be 
collected online from children?
    3. Does the ``reasonable measures'' standard articulated in the 
proposed definition of ``collects or collection'' adequately protect 
children while providing sufficient guidance to operators?
    4. Are there identifiers that the Commission should consider adding 
to the list of ``online contact information''?
    5. Proposed Sec.  312.2 would define personal information to 
include a ``screen or user name.''
    a. What would be the impact of including ``screen or user name'' in 
the definition of personal information?
    b. Is the limitation ``used for functions other than or in addition 
to support for the internal operations of the Web site or online 
service'' sufficiently clear to provide notice of the circumstances 
under which screen or user name is covered by the Rule?
    6. Proposed Sec.  312.2 would define personal information to 
include a ``persistent identifier.''
    a. What would be the impact of the changes to the term ``persistent 
identifier'' in the definition of personal information?
    b. Is the limitation ``used for functions other than or in addition 
to support for the internal operations of the Web site or online 
service'' sufficiently clear to provide notice of the circumstances 
under which a persistent identifier is covered by the Rule?
    c. Are there additional identifiers that the Commission should 
consider adding to the list of ``persistent identifiers''?
    7. Proposed Sec.  312.2 would define personal information to 
include ``an identifier that links the activities of a child across 
different Web sites or online services.'' Is the language sufficiently 
clear to provide notice of the types of identifiers covered by this 
paragraph?
    8. Proposed Sec.  312.2 would define personal information to 
include ``photograph, video, or audio file where such file contains a 
child's image or voice'' and no longer requires that photographs (or 
similar items) be combined with ``other information such that the 
combination permits physical or online contacting.'' What would be the 
impact of expanding the definition of personal information in this 
regard?
    9. Are there identifiers that the Commission should consider adding 
to Sec.  312.2's definition of ``personal information''?
    a. Should paragraph (e) of the definition of personal information 
include other forms of government-issued identification in addition to 
Social Security Number?
    b. Does the combination of date of birth, gender, and ZIP code 
provide sufficient information to permit the contacting of a specific 
individual such that this combination of identifiers should be included 
as an item of personal information?
    c. Should the Commission include ``ZIP + 4'' as an item of personal 
information?
    10. Proposed Sec.  312.2 would define ``release of personal 
information'' as ``the sharing, selling, renting, or transfer of 
personal information to any third party.'' Is this definition 
sufficient to cover all potential secondary uses of children's personal 
information?
    11. Proposed Sec.  312.2 would define ``support for the internal 
operations of the Web site or online service'' as ``those activities 
necessary to maintain the technical functioning of the Web site or 
online service or to fulfill a request of a child as permitted by 
Sec. Sec.  312.5(c)(3) and (4), and the information collected for such 
purposes is not used or disclosed for any other purpose.''
    a. Is the term ``activities necessary to maintain the technical 
functioning'' sufficiently clear to provide notice of the types of 
activities that constitute ``support for the internal operations of the 
Web site or online service''? For example, is it sufficiently clear 
that the mere collection of an IP address, which is a necessary 
technical step in providing online content to web viewers, constitutes 
an ``activity necessary to maintain the technical functioning of the 
Web site or online service''?
    b. Should activities other than those necessary to maintain the 
technical functioning or to fulfill a request of a child under 
Sec. Sec.  312.5(c)(3) and (4) be included within the definition of 
``support for the internal operations of the Web site or online 
service''?

Notice (Sec.  312.4)

    12. Do the proposed changes to the ``notice on the web site or 
online service'' requirements in Sec.  312.4(b) clarify or improve the 
quality of such notice?
    13. Do the proposed changes to the ``direct notice to the parent'' 
requirements in Sec.  312.4(c) clarify or improve the quality of such 
notices?
    14. Should the Commission modify the notice requirement of the Rule 
to require that operators post a link to their online notice in any 
location where their mobile applications can be purchased or otherwise 
downloaded (e.g., in the descriptions of their applications in Apple's 
App Store or in Google's Android Market)?
    15. Are there other effective ways of placing notices that should 
be included in the proposed revised Rule?

Parental Consent (Sec.  312.5)

    16. Do the additional methods for parental consent set forth in 
proposed Sec.  312.5(b)(2) sufficiently reflect available technologies 
to ensure that the person providing consent is the child's parent?
    17. Should the Commission require operators to maintain records 
indicating that parental consent was obtained, and if so, what would 
constitute a sufficient record? What burdens would be imposed on 
operators by such a requirement?
    18. Is there other information the Commission should take into 
account before declining to adopt certain parental consent mechanisms 
discussed

[[Page 59829]]

in Part V.C.(1). of the Notice of Proposed Rulemaking?
    19. The Commission proposes eliminating the ``email plus'' 
mechanism of parental consent from Sec.  312.5(b)(2). What are the 
costs and benefits to operators, parents, and children of eliminating 
this mechanism?
    20. Proposed Sec.  312.5(b)(3) would provide that operators subject 
to Commission-approved self-regulatory program guidelines may use a 
parental consent mechanism determined by such safe harbor program to 
meet the requirements of Sec.  312.5(b)(1). Does proposed Sec.  
312.5(b)(3) provide a meaningful incentive for the development of new 
parental consent mechanisms? What are the potential downsides of this 
approach?

Confidentiality, Security and Integrity of Personal Information 
Collected From Children (Sec.  312.8)

    21. Proposed Sec.  312.8 would add the requirement that an operator 
``take reasonable measures to ensure that any third party to whom it 
releases children's personal information has in place reasonable 
procedures to protect the confidentiality, security, and integrity of 
such personal information.''
    a. What are the costs and benefits to operators, parents, and 
children of adding this requirement?
    b. Does the language proposed by the Commission provide sufficient 
guidance and flexibility to operators to effectuate this requirement?

Data Retention and Deletion (Sec.  312.10)

    22. The Commission proposes adding a requirement that an operator 
retain personal information collected online from a child for only as 
long as is reasonably necessary to fulfill the purpose for which the 
information was collected. The operator must delete such information 
using reasonable measures to protect against unauthorized access to, or 
use of, the information in connection with its deletion.
    a. Does the language proposed by the Commission provide sufficient 
guidance and flexibility to operators to effectuate this requirement?
    b. Should the Commission propose specific time frames for data 
retention and deletion?
    c. Should the Commission more specifically delineate what 
constitutes ``reasonable measures to protect against unauthorized 
access to or use of the information''?

Safe Harbors (Sec.  312.11)

    23. Proposed Sec.  312.11(b)(2) would require safe harbor program 
applicants to conduct a comprehensive review of all member operators' 
information policies, practices, and representations at least annually. 
Is this proposed annual review requirement reasonable? Would it go far 
enough to strengthen program oversight of member operators?
    24. Proposed Sec.  312.11(c)(1) would require safe harbor program 
applicants to include a detailed explanation of their business model, 
and the technological capabilities and mechanisms that will be used for 
initial and continuing assessment of member operators' fitness for 
membership in the safe harbor program. Is this proposed requirement 
reasonable? Would it provide the Commission with useful information 
about an applicant's ability to run a safe harbor program?
    25. Proposed Sec.  312.11(d) would require Commission-approved safe 
harbor programs to submit periodic reports to the Commission regarding 
their oversight of member Web sites.
    a. Should the Commission consider requiring safe harbor programs to 
submit reports on a more frequent basis, e.g., annually?
    b. Should the Commission require that safe harbor programs report 
to the Commission a member's violations of program guidelines 
immediately upon their discovery by the safe harbor program?

Paperwork Reduction Act

    26. The Commission solicits comments on whether the changes to the 
notice requirements (Sec.  312.4) and to the safe harbor requirements 
(Sec.  312.11), as well as the new data retention and deletion 
requirement (Sec.  312.10), constitute ``collections of information'' 
within the meaning of the Paperwork Reduction Act. The Commission 
requests comments that will enable it to:
    a. Evaluate whether the proposed collections of information are 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    b. Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collections of information, including the validity of the 
methodology and assumptions used;
    c. Enhance the quality, utility, and clarity of the information to 
be collected; and,
    d. Minimize the burden of the collections of information on those 
who must comply, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology.

XI. Proposed Revisions to the Rule

List of Subjects in 16 CFR Part 312

    Children, Communications, Consumer protection, Electronic mail, 
E-mail, Internet, Online service, Privacy, Record retention, Safety, 
Science and Technology, Trade practices, Web site, Youth.

    For the reasons discussed above, the Commission proposes to amend 
Part 312 of Title 16, Code of Federal Regulations, as follows:

PART 312--CHILDREN'S ONLINE PRIVACY PROTECTION RULE

    1. The authority citation for part 312 continues to read as 
follows:

    Authority:  15 U.S.C. 6501-6508.

    2. Amend Sec.  312.2 by revising the following definitions:


Sec.  312.2  Definitions.

* * * * *
    Collects or collection means the gathering of any personal 
information from a child by any means, including but not limited to:
    (a) Requesting, prompting, or encouraging a child to submit 
personal information online;
    (b) Enabling a child to make personal information publicly 
available in identifiable form. An operator shall not be considered to 
have collected personal information under this paragraph if it takes 
reasonable measures to delete all or virtually all personal information 
from a child's postings before they are made public and also to delete 
such information from its records; or,
    (c) Passive tracking of a child online.
* * * * *
    Disclose or disclosure means, with respect to personal information:
    (a) The release of personal information collected by an operator 
from a child in identifiable form for any purpose, except where an 
operator provides such information to a person who provides support for 
the internal operations of the Web site or online service; and,
    (b) Making personal information collected by an operator from a 
child publicly available in identifiable form by any means, including 
but not limited to a public posting through the Internet, or through a 
personal home page or screen posted on a Web site or online service; a 
pen pal service; an electronic mail service; a message board; or a chat 
room.
* * * * *
    Online contact information means an e-mail address or any other 
substantially similar identifier that permits direct

[[Page 59830]]

contact with a person online, including but not limited to, an instant 
messaging user identifier, a voice over internet protocol (VOIP) 
identifier, or a video chat user identifier.
* * * * *
    Personal information means individually identifiable information 
about an individual collected online, including:
    (a) A first and last name;
    (b) A home or other physical address including street name and name 
of a city or town;
    (c) Online contact information as defined in this Section;
    (d) A screen or user name where such screen or user name is used 
for functions other than or in addition to support for the internal 
operations of the Web site or online service;
    (e) A telephone number;
    (f) A Social Security number;
    (g) A persistent identifier, including but not limited to, a 
customer number held in a cookie, an Internet Protocol (IP) address, a 
processor or device serial number, or unique device identifier, where 
such persistent identifier is used for functions other than or in 
addition to support for the internal operations of, or protection of 
the security or integrity of, the Web site or online service;
    (h) An identifier that links the activities of a child across 
different Web sites or online services;
    (i) A photograph, video, or audio file where such file contains a 
child's image or voice;
    (j) Geolocation information sufficient to identify street name and 
name of a city or town; or,
    (k) Information concerning the child or the parents of that child 
that the operator collects online from the child and combines with an 
identifier described in this definition.
    Release of personal information means the sharing, selling, 
renting, or transfer of personal information to any third party.
    Support for the internal operations of the Web site or online 
service means those activities necessary to maintain the technical 
functioning of the Web site or online service, to protect the security 
or integrity of the Web site or online service, or to fulfill a request 
of a child as permitted by Sec. Sec.  312.5(c)(3) and (4), and the 
information collected for such purposes is not used or disclosed for 
any other purpose.
* * * * *
    Web site or online service directed to children means a commercial 
Web site or online service, or portion thereof, that is targeted to 
children. Provided, however, that a commercial Web site or online 
service, or a portion thereof, shall not be deemed directed to children 
solely because it refers or links to a commercial Web site or online 
service directed to children by using information location tools, 
including a directory, index, reference, pointer, or hypertext link. In 
determining whether a commercial Web site or online service, or a 
portion thereof, is targeted to children, the Commission will consider 
its subject matter, visual content, use of animated characters or 
child-oriented activities and incentives, music or other audio content, 
age of models, presence of child celebrities or celebrities who appeal 
to children, language or other characteristics of the Web site or 
online service, as well as whether advertising promoting or appearing 
on the Web site or online service is directed to children. The 
Commission will also consider competent and reliable empirical evidence 
regarding audience composition, and evidence regarding the intended 
audience.
    3. Amend Sec.  312.4 by revising paragraphs (b) and (c) as follows:


Sec.  312.4  Notice.

* * * * *
    (b) Notice on the Web site or online service. Pursuant to Sec.  
312.3(a), each operator of a Web site or online service directed to 
children must post a prominent and clearly labeled link to an online 
notice of its information practices with regard to children on the home 
or landing page or screen of its Web site or online service, and, at 
each area of the Web site or online service where personal information 
is collected from children. The link must be in close proximity to the 
requests for information in each such area. An operator of a general 
audience Web site or online service that has a separate children's area 
or site must post a link to a notice of its information practices with 
regard to children on the home or landing page or screen of the 
children's area. To be complete, the online notice of the Web site or 
online service's information practices must state the following:
    (1) Each operator's contact information, which at a minimum, must 
include the operator's name, physical address, telephone number, and 
e-mail address;
    (2) A description of what information each operator collects from 
children, including whether the Web site or online service enables a 
child to make personal information publicly available; how such 
operator uses such information; and the operator's disclosure 
practices for such information; and,
    (3) That the parent can review and have deleted the child's 
personal information, and refuse to permit further collection or use of 
the child's information, and state the procedures for doing so.
    (c) Direct notice to a parent. An operator must make reasonable 
efforts, taking into account available technology, to ensure that a 
parent of a child receives direct notice of the operator's practices 
with regard to the collection, use, or disclosure of the child's 
personal information, including notice of any material change in the 
collection, use, or disclosure practices to which the parent has 
previously consented.
    (1) Content of the direct notice to the parent required under Sec.  
312.5(c)(1) (Notice to Obtain Parent's Affirmative Consent to the 
Collection, Use, or Disclosure of a Child's Personal Information.) This 
direct notice shall set forth:
    (i) That the operator has collected the parents' online contact 
information from the child in order to obtain the parent's consent;
    (ii) That the parent's consent is required for the child's 
participation in the Web site or online service, and that the operator 
will not collect, use, or disclose any personal information from the 
child if the parent does not provide such consent;
    (iii) The additional items of personal information the operator 
intends to collect from the child, if any, and the potential 
opportunities for the disclosure of personal information, if any, 
should the parent consent to the child's participation in the Web site 
or online service;
    (iv) A hyperlink to the operator's online notice of its information 
practices required under Sec.  312.4(b);
    (v) The means by which the parent can provide verifiable consent to 
the collection, use, and disclosure of the information; and,
    (vi) That if the parent does not provide consent within a 
reasonable time from the date the direct notice was sent, the operator 
will delete the parent's online contact information from its records.
    (2) Content of the direct notice to the parent allowed under Sec.  
312.5(c)(2) (Notice to Parent of a Child's Online Activities Not 
Involving the Collection, Use or Disclosure of Personal Information.) 
This direct notice shall set forth:
    (i) That the operator has collected the parent's online contact 
information from the child in order to provide notice to the parent of 
a child's participation in a Web site or online service that does

[[Page 59831]]

not otherwise collect, use, or disclose children's personal 
information; and,
    (ii) That the parent's online contact information will not be used 
or disclosed for any other purpose;
    (iii) That the parent may refuse to permit the operator to allow 
the child to participate in the Web site or online service and may 
require the deletion of the parent's online contact information, and 
how the parent can do so; and,
    (iv) A hyperlink to the operator's online notice of its information 
practices required under Sec.  312.4(b).
    (3) Content of the direct notice to the parent required under Sec.  
312.5(c)(4) (Notice to a Parent of Operator's Intent to Communicate 
with the Child Multiple Times.) This direct notice shall set forth:
    (i) That the operator has collected the child's online contact 
information from the child in order to provide multiple online 
communications to the child;
    (ii) That the operator has collected the parent's online contact 
information from the child in order to notify the parent that the child 
has registered to receive multiple online communications from the 
operator;
    (iii) That the online contact information collected from the child 
will not be used for any other purpose, disclosed, or combined with any 
other information collected from the child;
    (iv) That the parent may refuse to permit further contact with the 
child and require the deletion of the parent's and child's online 
contact information, and how the parent can do so;
    (v) That if the parent fails to respond to this direct notice, the 
operator may use the online contact information collected from the 
child for the purpose stated in the direct notice; and,
    (vi) A hyperlink to the operator's online notice of its information 
practices required under Sec.  312.4(b).
    (4) Content of the direct notice to the parent required under Sec.  
312.5(c)(5) (Notice to a Parent In Order to Protect a Child's Safety.) 
This direct notice shall set forth:
    (i) That the operator has collected the child's name and the online 
contact information of the child and the parent in order to protect the 
safety of a child;
    (ii) That the information will not be used or disclosed for any 
purpose unrelated to the child's safety;
    (iii) That the parent may refuse to permit the use, and require the 
deletion, of the information collected, and how the parent can do so;
    (iv) That if the parent fails to respond to this direct notice, the 
operator may use the information for the purpose stated in the direct 
notice; and,
    (v) A hyperlink to the operator's online notice of its information 
practices required under Sec.  312.4(b).
    4. Amend Sec.  312.5 by revising paragraph (b)(2), by adding new 
paragraphs (b)(3) and (b)(4), and by revising paragraph (c), to read as 
follows:


Sec.  312.5  Parental consent.

* * * * *
    (b) * * *
    (2) Existing methods to obtain verifiable parental consent that 
satisfy the requirements of this paragraph include: providing a consent 
form to be signed by the parent and returned to the operator by postal 
mail, facsimile, or an electronic scan; requiring a parent to use a 
credit card in connection with a monetary transaction; having a parent 
call a toll-free telephone number staffed by trained personnel; having 
a parent connect to trained personnel via video-conference; or, 
verifying a parent's identity by checking a form of government-issued 
identification against databases of such information, provided that the 
parent's identification is deleted by the operator from its records 
promptly after such verification is complete.
    (3) Commission approval of parental consent mechanisms. Interested 
parties may file written requests for Commission approval of parental 
consent mechanisms not currently enumerated in paragraph (b)(2). To be 
considered for approval, parties must provide a detailed description of 
the proposed parental consent mechanism, together with an analysis of 
how the mechanism meets paragraph (b)(1). The request shall be filed 
with the Commission's Office of the Secretary. The Commission will 
publish in the Federal Register a document seeking public comment on 
the request. The Commission shall issue a written determination within 
180 days of the filing of the request.
    (4) Safe harbor approval of parental consent mechanisms. A safe 
harbor program approved by the Commission under Sec.  312.11 may 
approve its member operators' use of a parental consent mechanism not 
currently enumerated in paragraph (b)(2) where the safe harbor program 
determines that such parental consent mechanism meets the requirements 
of paragraph (b)(1).
    (c) Exceptions to prior parental consent. Verifiable parental 
consent is required prior to any collection, use, or disclosure of 
personal information from a child except as set forth in this 
paragraph:
    (1) Where the sole purpose of collecting a parent's online contact 
information and the name of the child or the parent is to provide 
notice and obtain parental consent under Sec.  312.4(c)(1) of this 
part. If the operator has not obtained parental consent after a 
reasonable time from the date of the information collection, the 
operator must delete such information from its records;
    (2) Where the sole purpose of collecting a parent's online contact 
information is to provide notice to, and update the parent about, the 
child's participation in a Web site or online service that does not 
otherwise collect, use, or disclose children's personal information. In 
such cases, the parent's online contact information may not be used or 
disclosed for any other purpose. In such cases, the operator must make 
reasonable efforts, taking into consideration available technology, to 
ensure that the parent receives notice as described in Sec.  
312.4(c)(2);
    (3) Where the sole purpose of collecting a child's online contact 
information is to respond directly on a one-time basis to a specific 
request from the child, and where such information is not used to 
re-contact the child or for any other purpose, is not disclosed, and is 
deleted by the operator from its records promptly after responding to 
the child's request;
    (4) Where the sole purpose of collecting a child's and a parent's 
online contact information is to respond directly more than once to the 
child's specific request, and where such information is not used for 
any other purpose, disclosed, or combined with any other information 
collected from the child. In such cases, the operator must make 
reasonable efforts, taking into consideration available technology, to 
ensure that the parent receives notice as described in Sec.  
312.4(c)(4). An operator will not be deemed to have made reasonable 
efforts to ensure that a parent receives notice where the notice to the 
parent was unable to be delivered;
    (5) Where the sole purpose of collecting a child's name, and a 
child's and a parent's online contact information, is to protect the 
safety of a child, and where such information is not used or disclosed 
for any purpose unrelated to the child's safety. In such cases, the 
operator must make reasonable efforts, taking into consideration 
available technology, to provide a parent with notice as described in 
Sec.  312.4(c)(4);
    (6) Where the sole purpose of collecting a child's name and online 
contact information is to: (i) protect the security or integrity of its 
Web site or online service; (ii) take precautions against liability; 
(iii) respond to judicial process; or (iv) to the extent permitted 
under other provisions of law, to provide information to law 
enforcement

[[Page 59832]]

agencies or for an investigation on a matter related to public safety; 
and, where such information is not used for any other purpose.
    5. Revise Sec.  312.8 to read as follows:


Sec.  312.8  Confidentiality, security, and integrity of personal 
information collected from children.

    The operator must establish and maintain reasonable procedures to 
protect the confidentiality, security, and integrity of personal 
information collected from children. The operator must take reasonable 
measures to ensure that any third party to whom it releases children's 
personal information has in place reasonable procedures to protect the 
confidentiality, security, and integrity of such personal information.
    6. Revise Sec.  312.10 to read as follows:


Sec.  312.10  Data retention and deletion requirements.

    An operator of a Web site or online service shall retain personal 
information collected online from a child for only as long as is 
reasonably necessary to fulfill the purpose for which the information 
was collected. The operator must delete such information using 
reasonable measures to protect against unauthorized access to, or use 
of, the information in connection with its deletion.
    7. Revise Sec.  312.11 to read as follows:


Sec.  312.11  Safe harbor programs.

    (a) In general. Industry groups or other persons may apply to the 
Commission for approval of self-regulatory program guidelines (``safe 
harbor programs''). The application shall be filed with the 
Commission's Office of the Secretary. The Commission will publish in 
the Federal Register a document seeking public comment on the 
application. The Commission shall issue a written determination within 
180 days of the filing of the application.
    (b) Criteria for approval of self-regulatory program guidelines. 
Proposed safe harbor programs must demonstrate that they meet the 
following performance standards:
    (1) Program requirements that ensure operators subject to the 
self-regulatory program guidelines (``subject operators'') provide 
substantially the same or greater protections for children as those 
contained in Sec. Sec.  312.2 through 312.8, and Sec.  312.10.
    (2) An effective, mandatory mechanism for the independent 
assessment of subject operators' compliance with the self-regulatory 
program guidelines. At a minimum, this mechanism must include a 
comprehensive review by the safe harbor program, to be conducted not 
less than annually, of each subject operator's information policies, 
practices, and representations. The assessment mechanism required under 
this paragraph can be provided by an independent enforcement program, 
such as a seal program.
    (3) Disciplinary actions for subject operators' non-compliance with 
self-regulatory program guidelines. This performance standard may be 
satisfied by:
    (i) Mandatory, public reporting of any action taken against subject 
operators by the industry group issuing the self-regulatory guidelines;
    (ii) Consumer redress;
    (iii) Voluntary payments to the United States Treasury in 
connection with an industry-directed program for violators of the 
self-regulatory guidelines;
    (iv) Referral to the Commission of operators who engage in a 
pattern or practice of violating the self-regulatory guidelines; or,
    (v) Any other equally effective action.
    (c) Request for Commission approval of self-regulatory program 
guidelines. A proposed safe harbor program's request for approval shall 
be accompanied by the following:
    (1) A detailed explanation of the applicant's business model, and 
the technological capabilities and mechanisms that will be used for 
initial and continuing assessment of subject operators' fitness for 
membership in the safe harbor program.
    (2) A copy of the full text of the guidelines for which approval is 
sought and any accompanying commentary;
    (3) A comparison of each provision of Sec. Sec.  312.2 through 
312.8, and Sec.  312.10 with the corresponding provisions of the 
guidelines; and,
    (4) A statement explaining: (i) how the self-regulatory program 
guidelines, including the applicable assessment mechanisms, meet the 
requirements of this part; and, (ii) how the assessment mechanisms and 
compliance consequences required under paragraphs (b)(2) and (b)(3) 
provide effective enforcement of the requirements of this part.
    (d) Reporting and recordkeeping requirements. Approved safe harbor 
programs shall:
    (1) Within one year after the effective date of the Final Rule 
amendments, and every eighteen months thereafter, submit a report to 
the Commission containing, at a minimum, the results of the independent 
assessment conducted under paragraph (b)(2), a description of any 
disciplinary action taken against any subject operator under paragraph 
(b)(3), and a description of any approvals of member operators' use of 
parental consent mechanism, pursuant to Sec.  312.5(b)(4);
    (2) Promptly respond to Commission requests for additional 
information; and,
    (3) Maintain for a period not less than three years, and upon 
request make available to the Commission for inspection and copying:
    (i) Consumer complaints alleging violations of the guidelines by 
subject operators;
    (ii) Records of disciplinary actions taken against subject 
operators; and
    (iii) Results of the independent assessments of subject operators' 
compliance required under paragraph (b)(2).
    (e) Post-approval modifications to self-regulatory program 
guidelines. Approved safe harbor programs must submit proposed changes 
to their guidelines for review and approval by the Commission in the 
manner required for initial approval of guidelines under paragraph 
(c)(2). The statement required under paragraph (c)(4) must describe how 
the proposed changes affect existing provisions of the guidelines.
    (f) Revocation of approval of self-regulatory program guidelines. 
The Commission reserves the right to revoke any approval granted under 
this Section if at any time it determines that the approved 
self-regulatory program guidelines or their implementation do not meet the 
requirements of this part. Safe harbor programs that were approved 
prior to the publication of the Final Rule amendments must, within 60 
days of publication of the Final Rule amendments, submit proposed 
modifications to their guidelines that would bring them into compliance 
with such amendments, or their approval shall be revoked.
    (g) Operators' participation in a safe harbor program. An operator 
will be deemed to be in compliance with the requirements of Sec. Sec.  
312.2 through 312.8, and Sec.  312.10 if that operator complies with 
Commission-approved safe harbor program guidelines. In considering 
whether to initiate an investigation or bring an enforcement action 
against a subject operator for violations of this part, the Commission 
will take into account the history of the subject operator's 
participation in the safe harbor program, whether the subject operator 
has taken action to remedy such non-compliance, and whether the 
operator's non-compliance resulted in any one of the disciplinary 
actions set forth in paragraph (b)(3).


[[Page 59833]]


    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2011-24314 Filed 9-26-11; 8:45 am]
BILLING CODE 6750-01-P