[Federal Register Volume 77, Number 151 (Monday, August 6, 2012)]
[Proposed Rules]
[Pages 46643-46653]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2012-19115]


 ========================================================================
 Proposed Rules
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains notices to the public of 
 the proposed issuance of rules and regulations. The purpose of these 
 notices is to give interested persons an opportunity to participate in 
 the rule making prior to the adoption of the final rules.
 
 ========================================================================
 

  Federal Register / Vol. 77, No. 151 / Monday, August 6, 2012 / 
Proposed Rules  

[[Page 46643]]



FEDERAL TRADE COMMISSION

16 CFR Part 312

RIN 3084-AB20


Children's Online Privacy Protection Rule

AGENCY: Federal Trade Commission (``FTC'' or ``Commission'').

ACTION: Supplemental notice of proposed rulemaking; request for 
comment.

-----------------------------------------------------------------------

SUMMARY: The Commission is proposing to further modify the proposed 
definitions of personal information, support for internal operations, 
and Web site or online service directed to children, that the FTC has 
proposed previously under its Rule implementing the Children's Online 
Privacy Protection Act (``COPPA Rule''), and further proposes to revise 
the Rule's definition of operator. These proposed revisions, which are 
based on the FTC's review of public comments and its enforcement 
experience, are intended to clarify the scope of the Rule and 
strengthen its protections for children's personal information. The 
Commission is not adopting any final amendments to the COPPA Rule at 
this time and continues to consider comments submitted in response to 
its Notice of Proposed Rulemaking issued in September 2011.

DATES: Written comments must be received on or before September 10, 
2012.

ADDRESSES: Interested parties may file a comment online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``COPPA Rule Review, 16 
CFR Part 312, Project No. P104503'' on your comment, and file your 
comment online at https://ftcpublic.commentworks.com/ftc/2012copparulereview, by following the instructions on the web-based 
form. If you prefer to file your comment on paper, mail or deliver your 
comment to the following address: Federal Trade Commission, Office of 
the Secretary, Room H-113 (Annex E), 600 Pennsylvania Avenue NW., 
Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Phyllis H. Marcus or Mamie Kresses, 
Attorneys, Division of Advertising Practices, Bureau of Consumer 
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW., 
Washington, DC 20580, (202) 326-2854 or (202) 326-2070.

SUPPLEMENTARY INFORMATION:

I. Background

    In September 2011, the FTC issued a Notice of Proposed Rulemaking 
setting forth proposed changes to the Commission's COPPA Rule. Among 
other things, the Commission proposed modifying the Rule's definition 
of personal information to include persistent identifiers and screen or 
user names other than where they are used to support internal 
operations, and Web site or online service directed to children to 
include additional indicia that a site or service may be targeted to 
children.\1\ The Commission received over 350 comments, a number of 
which addressed the proposed changes to these two definitions.\2\ After 
reviewing these comments, and based upon its experience in enforcing 
and administering the Rule, the Commission now proposes to modify the 
definition of operator, and proposes additional modifications to the 
definitions of Web site or online service directed to children, 
personal information, and support for internal operations.
---------------------------------------------------------------------------

    \1\ Id.
    \2\ Public comments in response to the Commission's September 
27, 2011, Federal Register document are located at http://www.ftc.gov/os/comments/copparulereview2011/. Comments have been 
numbered based upon alphabetical order. Comments are cited herein by 
commenter name, comment number, and, where applicable, page number.
---------------------------------------------------------------------------

    The Commission proposes modifying the definition of both operator 
and Web site or online service directed to children to allocate and 
clarify the responsibilities under COPPA when independent entities or 
third parties, e.g., advertising networks or downloadable software kits 
(``plug-ins''), collect information from users through child-directed 
sites and services. As described below, previous Commission statements 
suggested that the responsibility for providing notice to parents and 
obtaining verifiable parental consent to the collection of personal 
information from children rested entirely with the information 
collection entity and not with the child-directed site operator. The 
Commission now believes that the most effective way to implement the 
intent of Congress is to hold both the child-directed site or service 
and the information-collecting site or service responsible as covered 
co-operators. Sites and services whose content is directed to children, 
and who permit others to collect personal information from their child 
visitors, benefit from that collection and thus should be responsible 
under COPPA for providing notice to and obtaining consent from parents. 
Conversely, online services whose business models entail the collection 
of personal information and that know or have reason to know that such 
information is collected through child-directed properties should 
provide COPPA's protections.
    In addition, the Commission proposes to modify the previously 
proposed revised definition of Web site or online service directed to 
children to permit Web sites or online services that are designed for 
both children and a broader audience to comply with COPPA without 
treating all users as children. The Commission also proposes modifying 
the definition of screen or user name to cover only those situations 
where a screen or user name functions in the same manner as online 
contact information. Finally, the Commission proposes to modify the 
revised definition of support for internal operations and to modify the 
Rule's coverage of persistent identifiers as personal information.

II. Proposed Modifications to the Rule's Definitions (16 CFR 312.2)

A. Definition of Operator

    Public comments \3\ and the Commission's own enforcement experience 
\4\ highlight the need for the

[[Page 46644]]

Commission to clarify the responsibilities of child-directed properties 
that integrate independent social networking or other types of ``plug-
ins'' into their sites or services. These plug-ins often collect 
personal information directly from users of child-directed sites and 
services. Although the child-directed site or service benefits by 
incorporating the social networking or other information collection 
features of the plug-in, it generally has no ownership, control, or 
access to the personal information collected by the plug-in. In many 
ways, the plug-in scenario mirrors the current situation with child-
directed Web sites and advertising networks: the site determines the 
child-directed nature of the content, but the third-party advertising 
network collects persistent identifiers for tracking purposes, which 
could be considered personal information under the proposed revised 
Rule.
---------------------------------------------------------------------------

    \3\ See, e.g., AT&T (comment 8), at 3-4; CDT (comment 17), at 3-
6; CTIA (comment 32), at 16; Direct Marketing Association (comment 
37), at 7; Future of Privacy Forum (comment 55), at 3; Information 
Technology Industry Council (comment 70), at 3-4; Interactive 
Advertising Bureau (comment 73), at 7; and, Tech Freedom (comment 
159), at 12.
    \4\ See FTC staff closing letter to OpenFeint (``OpenFeint 
Letter''), available at http://www.ftc.gov/os/closings/120831openfeintclosingletter.pdf.
---------------------------------------------------------------------------

    COPPA defines operator in pertinent part, as

    (A) Any person who operates a Web site located on the Internet 
or an online service and who collects or maintains personal 
information from or about the users of or visitors to such Web site 
or online service, or on whose behalf such information is collected 
or maintained, where such Web site or online service is operated for 
commercial purposes, including any person offering products or 
services for sale through that Web site or online service, involving 
commerce * * *.\5\
---------------------------------------------------------------------------

    \5\ 15 U.S.C. 6501(2). The Rule's definition of operator 
reflects the statutory language. See 16 CFR 312.2.

    In both the 1999 Notice of Proposed Rulemaking and the 1999 
Statement of Basis and Purpose, the Commission suggested that some 
retention of ownership, control, or access to the personal information 
collected was required to make a party an operator. The Commission 
stated that it would look to a variety of factors--ownership, control, 
financial and contractual arrangements, and the role of the site or 
service in data collection or maintenance--to establish whether an 
entity was covered by or subject to COPPA's regulatory obligations.\6\ 
The Commission also asserted that ``[w]here the Web site or online 
service merely acts as the conduit through which the personal 
information collected flows to another person or to another's Web site 
or online service, and the Web site or online service does not have 
access to the information, then it is not an operator under the 
proposed Rule.'' \7\
---------------------------------------------------------------------------

    \6\ 1999 Notice of Proposed Rulemaking and Request for Public 
Comment, 64 FR 22750, 22752 (Apr. 27, 1999), available at http://www.ftc.gov/os/fedreg/1999/april/990427childrensonlineprivacy.pdf 
(``In determining who is the operator for purposes of the proposed 
Rule, the Commission will consider such factors as who owns the 
information, who controls the information, who pays for the 
collection or maintenance of the information, the pre-existing 
contractual relationships surrounding the collection or maintenance 
of the information, and the role of the Web site or online service 
in collecting and/or maintaining the information'').
    \7\ Id. The Commission reiterated this view in the 1999 
Statement of Basis and Purpose to the COPPA Rule (``1999 Statement 
of Basis and Purpose''), 64 FR 59888, 59891 (Nov. 3, 1999), 
available at http://www.ftc.gov/os/1999/10/64Fr59888.pdf.
---------------------------------------------------------------------------

    At that time, the Commission did not foresee how easy and 
commonplace it would become for child-directed sites and services to 
integrate social networking and other personal information collection 
features into the content offered to their users, without maintaining 
ownership, control, or access to the personal data. Given these changes 
in technology, the Commission now believes that an operator of a child-
directed site or service that chooses to integrate into its site or 
service other services that collect personal information from its 
visitors should be considered a covered operator under the Rule. 
Although the child-directed site or service does not own, control, or 
have access to the information collected, the personal information is 
collected on its behalf. The child-directed site or service benefits 
from its use of integrated services that collect personal information 
because the services provide the site with content, functionality, and/
or advertising revenue.
    Therefore, the Commission proposes to revise the definition of 
operator to add a proviso stating:

    Personal information is collected or maintained on behalf of an 
operator where it is collected in the interest of, as a 
representative of, or for the benefit of, the operator.

    Neither the COPPA statute nor its legislative history make clear 
under what circumstances third-party data collection activities would 
be deemed to be conducted ``on an operator's behalf.'' Nor did the 
Commission previously define the phrase on whose behalf such 
information is collected or maintained in the COPPA Rule.
    Congress granted the FTC broad rulemaking authority under COPPA.\8\ 
The Commission's interpretation of the phrase on whose behalf is 
consistent both with its plain and common meaning \9\ and with the 
Commission's advocated position on the meaning of that phrase within 
the Telephone Consumer Protection Act, 47 U.S.C. 227, and the position 
it has urged the Federal Communications Commission to adopt in the 
implementing regulations, 47 CFR 64.1200.\10\
---------------------------------------------------------------------------

    \8\ Congress delegated to the FTC the authority to promulgate 
regulations that require operators covered by COPPA to: Provide 
online notice of their information practices; obtain verifiable 
parental consent for the collection, use, or disclosure of personal 
information from children; provide parents with a means to obtain 
such personal information and to refuse further collection; 
establish and maintain adequate confidentiality and security for 
children's personal information; and that prohibit conditioning a 
child's participation online on disclosing more personal information 
than is necessary. See 15 U.S.C. 6502(b).
    \9\ See Madden v. Cowen & Co., 576 F.3d 957, 974 (9th Cir. 
2009).
    \10\ See Comment of the Federal Trade Commission before the 
Federal Communications Commission, CG Docket No. 11-50 (2011), at 7, 
available at http://www.ftc.gov/os/2011/05/110516dishechostar.pdf 
(stating that the common dictionary definition of ``on behalf of'' 
means in an entity's ``interest,'' in its ``aid,'' or for its 
``benefit'').
---------------------------------------------------------------------------

    In the context of COPPA's requirements, an operator of a child-
directed site or service is in an appropriate position to give notice 
and obtain consent from parents where any personal information is being 
collected from its visitors on or through its site or service. The 
operator is in the best position to know that its site or service is 
directed to children and can control which plug-ins, software 
downloads, or advertising networks it integrates into its site. To 
interpret the COPPA statute's on whose behalf language more narrowly 
does not fully effectuate Congress's intent to insure that parents are 
consistently given notice and the opportunity to consent prior to the 
collection of children's personal information.

B. Definition of Web Site or Online Service Directed to Children

    In the September 2011 COPPA NPRM, the Commission proposed minor 
changes to the definition of Web site or online service directed to 
children to include additional indicia of child-directed Web sites and 
online services.\11\ The Commission now proposes additional 
modifications to this definition in order to: (1) Make clear that a Web 
site or online service that knows or has reason to know that it 
collects personal information from children through a child-directed 
Web site or online service is itself A``directed to children''; and (2) 
permit a Web site or online service that is designed for both children 
and a broader audience to comply with COPPA without having to treat all 
its users as children.
---------------------------------------------------------------------------

    \11\ See 2011 COPPA NPRM, 76 FR at 59814.

---------------------------------------------------------------------------

[[Page 46645]]

1. Operators Who Collect Personal Information Through Child-Directed 
Web Sites or Online Services
    As noted above, online services such as advertising networks or 
downloadable plug-ins often collect personal information from users 
through another's site or service, including properties directed to 
children.\12\ When operating on child-directed properties, that portion 
of these services could be deemed directed to children and the operator 
held strictly liable under COPPA. This position would be consistent 
with previous Commission statements that the Rule covers entities 
collecting information through child-directed sites. In its original 
April 1999 Notice of Proposed Rulemaking, the Commission stated that 
the definition of operator includes ``a person who collects or 
maintains [personal] information through another's Web site or online 
service.'' \13\ In the 1999 Statement of Basis and Purpose, in 
discussing the potential liability of network advertising companies, 
the Commission noted that ``[i]f such companies collect personal 
information directly from children who click on ads placed on Web sites 
or online services directed to children, then they will be considered 
operators who must comply with the Act, unless one of the exceptions 
applies.'' \14\
---------------------------------------------------------------------------

    \12\ This fact was highlighted in a recent Commission law 
enforcement investigation of OpenFeint, Inc., an online social 
gaming network available as a plug-in to mobile applications. See 
OpenFeint Letter, supra note 4.
    \13\ 1999 Notice of Proposed Rulemaking and Request for Public 
Comment, 64 FR 22750, 22752 (Apr. 27, 1999), available at http://www.ftc.gov/os/fedreg/1999/april/990427childrensonlineprivacy.pdf.
    \14\ Statement of Basis and Purpose to the COPPA Rule, 64 FR 
59888, 59892 (Nov. 3, 1999), available at http://www.ftc.gov/os/1999/10/64Fr59888.pdf.
---------------------------------------------------------------------------

    Several commenters in response to the 2011 COPPA NPRM, however, 
state that operators of online services that are designed to be 
incorporated into another site or service should not be covered under 
COPPA's requirements when they appear on child-directed sites or 
services.\15\ For example, the Center for Democracy and Technology 
(``CDT'') states, ``[o]perators of analytics services, advertising 
networks, and social plug-ins that do not intentionally target their 
services to children should not have independent COPPA notice and 
consent obligations simply because a site directed to children has 
chosen to use their service.'' \16\
---------------------------------------------------------------------------

    \15\ See, e.g., CDT (comment 17), at 5; Facebook (comment 50), 
at 11; Future of Privacy Forum (comment 55), at 3; TechFreedom 
(comment 159), at 10-11.
    \16\ CDT (comment 17), at 5.
---------------------------------------------------------------------------

    The COPPA statute gives the Commission broad discretion to define 
Web site or online service directed to children. Congress provided only 
one limitation to that discretion:

    A commercial Web site or online service, or a portion of a 
commercial Web site or online service, shall not be deemed directed 
to children solely for referring or linking to a commercial Web site 
or online service directed to children by using information location 
tools, including a directory, index, reference, pointer, or 
hypertext link.\17\
---------------------------------------------------------------------------

    \17\ 15 U.S.C. 6501(10).

    The Commission continues to believe that when an online service 
collects personal information through child-directed properties, that 
portion of the online service can and should be deemed directed to 
children, but only under certain circumstances. The Commission believes 
that the strict liability standard applicable to conventional child-
directed sites and services is unworkable for advertising networks or 
plug-ins because of the logistical difficulties such services face in 
controlling or monitoring which sites incorporate their online 
services. Accordingly, the Commission proposes to modify the definition 
of Web site or online service directed to children to include any 
operator who ``knows or has reason to know'' it is collecting personal 
information through a host Web site or online service directed to 
---------------------------------------------------------------------------
children. The proposed new paragraph is:

    Web site or online service directed to children means a 
commercial Web site or online service, or portion thereof, that:
* * * * *
    (d) knows or has reason to know that it is collecting personal 
information through any Web site or online service covered under 
paragraphs (a)-(c).

    In choosing to use the phrase ``reason to know'' as part of the 
definition, the Commission is not imposing a duty on entities such as 
ad-networks or plug-ins to monitor or investigate whether their 
services are incorporated into child-directed properties; \18\ however, 
such sites and services will not be free to ignore credible information 
brought to their attention indicating that such is the case.
---------------------------------------------------------------------------

    \18\ The phrase ``reason to know'' does not impose a duty to 
ascertain unknown facts, but does require a person to draw a 
reasonable inference from information he does have. See Restatement 
(Second) of Agency Sec.  9 cmt. d (1958); Restatement (Second) of 
Torts Sec.  Sec.  12(1), 401 (1965). See also Novicki v. Cook, 946 
F.2d 938, 941 (D.C. Cir. 1991) (citing the Restatement (Second) of 
Agency); Alf v. Donley, 666 F. Supp. 2d 60, 67 (D.D.C. 2009) 
(following Novicki v. Cook); Feinerman v. Bernardi, 558 F. Supp. 2d 
36, 49 (D.D.C. 2008) (following Novicki v. Cook); Topliff v. Wal-
Mart Stores E. LP, 2007 U.S. Dist. LEXIS 20533, 200, CCH Prod. Liab. 
Rep. P17,728 (N.D.N.Y Mar. 22, 2007) (``the term `had reason to 
know' does not impose any duty to ascertain unknown facts, while the 
term `should have known' does impose such a duty).
---------------------------------------------------------------------------

    The Commission believes that this proposed modification to the 
definition of Web site or online service directed to children, along 
with the proposed revisions to the definition of operator that would 
hold the child-directed property to be a co-operator equally 
responsible under the Rule for the personal information collected by 
the plug-in or advertising network, will help ensure that operators in 
each position cooperate to meet their statutory duty to notify parents 
and obtain parental consent.
2. Web Sites and Online Services Directed to Children and Families
    As noted in its September 2011 NPRM, the current definition of Web 
site or online service directed to children is, at bottom, a totality 
of the circumstances test. In its comment, The Walt Disney Company 
argues that this definition does not adequately address the reality 
that Web sites or online services directed to children fall along a 
continuum, targeting or appealing to children in varying degrees. Under 
the Rule's current structure, regardless of where a site or service 
falls on this continuum, it must still treat all visitors as children. 
Disney argues that only sites falling at the extreme end of the 
``child-directed'' continuum should have to treat all of their users as 
children. It urges the Commission to adopt a system that would permit 
Web sites or online services directed to larger audiences, specifically 
those directed to children and families, to differentiate among users, 
requiring such sites and services to provide notice and obtain consent 
only for users who self-identify as under age 13.\19\
---------------------------------------------------------------------------

    \19\ The Walt Disney Co. (comment 170), at 5-6.
---------------------------------------------------------------------------

    The Commission finds merit in Disney's suggestion. In large 
measure, it reflects the prosecutorial discretion the Commission has 
applied in enforcing the Rule. The Commission has charged sites or 
services with being directed to children only where the Commission 
believed that children under age 13 were the primary audience.\20\ If 
the Commission believed the site merely was likely to attract 
significant numbers

[[Page 46646]]

of under 13 users, or had popular appeal with children (among others), 
the Commission has instead alleged that the operator had ``actual 
knowledge'' of collecting personal information from users who 
identified themselves as under 13.\21\ This enforcement approach 
recognizes the burden imposed on operators in having to obtain notice 
and consent for every user when most users may be over 13, as well as 
the burden and restrictions imposed on users over age 13 in being 
treated as young children.
---------------------------------------------------------------------------

    \20\ See United States v. Godwin, d/b/a skid-e-kids.com, No. 
1:11-cv-03846-JOF (N.D. Ga. Feb. 1, 2012) (alleging that defendant's 
skid-e-kids social networking Web site was directed to children); 
United States v. W3 Innovations, LLC, No. CV-11-03958 (N.D. Cal., 
filed Aug. 12, 2011) (alleging that defendants' ``Emily's'' apps 
were directed to children); United States v. Playdom, Inc., No. SA 
CV11-00724 (C.D. Cal., May 24, 2011) (alleging that Playdom's Pony 
Stars online virtual world was directed to children).
    \21\ See United States v. Iconix Brand Group, Inc., No. 09 Civ. 
8864 (S.D.N.Y, Nov. 5, 2009); United States v. Sony BMG Music 
Entertainment, No. 08 Civ. 10730 (S.D.N.Y., Dec. 15, 2008).
---------------------------------------------------------------------------

    As noted above, Congress gave the Commission broad discretion to 
define Web site or online service directed to children. The Commission 
now proposes to modify that definition to implement much of what Disney 
has proposed and to better reflect the prosecutorial discretion it has 
applied. The proposed revised definition is:

    Web site or online service directed to children means a 
commercial Web site or online service, or portion thereof, that:
    (a) Knowingly targets children under age 13 as its primary 
audience; or,
    (b) Based on the overall content of the Web site or online 
service, is likely to attract children under age 13 as its primary 
audience; or,
    (c) Based on the overall content of the Web site or online 
service, is likely to attract an audience that includes a 
disproportionately large percentage of children under age 13 as 
compared to the percentage of such children in the general 
population; provided however that such Web site or online service 
shall not be deemed to be directed to children if it: (i) Does not 
collect personal information from any visitor prior to collecting 
age information; and (ii) prevents the collection, use, or 
disclosure of personal information from visitors who identify 
themselves as under age 13 without first obtaining verifiable 
parental consent;
* * * * *
    The effect of the proposed changes would be that those sites and 
services at the far end of the ``child-directed'' continuum, i.e., 
those that knowingly target, or have content likely to draw, children 
under 13 as their primary audience, must still treat all users as 
children, and provide notice and obtain consent before collecting any 
personal information from any user. Those sites and services with 
child-oriented content appealing to a mixed audience, where children 
under 13 are likely to be an over-represented group, will not be deemed 
directed to children if, prior to collecting any personal information, 
they age-screen all users. At that point, for users who identify 
themselves as under 13, the site or service will be deemed to have 
actual knowledge that such users are under 13 and must obtain 
appropriate parental consent before collecting any personal information 
from them and must also comply with all other aspects of the Rule.
    The Commission recognizes that many children may choose to lie 
about their age. Nevertheless, the Commission believes the proposed 
revisions strike the correct balance. First, it has been the 
Commission's law enforcement experience, as demonstrated by its 
``actual knowledge'' cases, that many children do truthfully provide 
their age in response to an age screening question on mixed audience 
sites.\22\ Second, as noted above, as a matter of prosecutorial 
discretion, the Commission has not charged child-friendly mixed 
audience sites as being directed to children because of the burdens it 
imposes. Consequently, if those sites collected personal information 
without asking age, the Commission had little basis to allege that the 
operator had actual knowledge of any visitor's age. The proposed 
revisions will require operators of these child-friendly mixed audience 
sites to take an affirmative step to attain actual knowledge if they do 
not wish to treat all visitors as being under 13.
---------------------------------------------------------------------------

    \22\ See United States v. Iconix Brand Group, Inc.; and United 
States v. Sony BMG Music Entertainment, supra note 23.
---------------------------------------------------------------------------

C. Definition of Personal Information

1. Screen or User Names
    In the 2011 COPPA NPRM, the Commission proposed to define as 
personal information ``a screen or user name where such screen or user 
name is used for functions other than or in addition to support for the 
internal operations of the Web site or online service.'' \23\ This 
change was intended to address scenarios in which a screen or user name 
could be used by a child as a single credential to access multiple 
online properties, thereby permitting him or her to be directly 
contacted online, regardless of whether the screen or user name 
contained an email address.\24\
---------------------------------------------------------------------------

    \23\ 2011 COPPA NPRM, 76 FR at 59810.
    \24\ Id.
---------------------------------------------------------------------------

    Several commenters expressed concern that the Commission's screen-
name proposal would unnecessarily inhibit functions that are important 
to the operation of child-directed Web sites and online services. For 
example, commenters stated that many child-directed properties use a 
screen or user name in place of a child's real name in an effort to 
minimize data collection.\25\ Operators also use single screen names to 
allow children to sign on to a single online service that runs on 
multiple platforms, as well as to access related properties across 
multiple platforms.\26\ These commenters raised concerns that, with the 
limited carve-out for functions to support internal operations, 
operators might be precluded from using screen or user names within a 
Web site or online service, and would certainly be precluded from doing 
so across multiple platforms.
---------------------------------------------------------------------------

    \25\ See National Cable & Telecommunications Association 
(comment 113), at 12 (``[A]llowing children to create a unique 
screen name and password at a Web site through a registration 
process without collecting any personally identifying information 
has allowed several leading children's Web sites to offer: 
personalized content (e.g., horoscopes, weather forecasts, 
customized avatars for game play), attribution (e.g., acknowledge 
for a high score or other achievement), as well as a way to express 
opinions and participate in online activities in an interactive 
fashion (e.g., jokes, stories, letters to the editor, polls, 
challenging others to gameplay, swapping digital collectibles, 
participating in monitored `chat' with celebrities''); The Walt 
Disney Co. (comment 170), at 21.
    \26\ See Direct Marketing Association (comment 37), at 17; 
Entertainment Software Association (comment 47), at 9; Scholastic 
(comment 144), at 12; Adam Thierer (comment 162), at 6; TRUSTe 
(comment 164), at 3; The Walt Disney Co. (comment 170), at 21-22.
---------------------------------------------------------------------------

    The Commission has long supported the data minimization purposes 
behind operators' use of screen and user names in place of individually 
identifiable information.\27\ Indeed, the proposed changes in paragraph 
(d) were not intended to preclude such uses. Moreover, after reading 
the comments, the Commission is persuaded of the benefits of utilizing 
single sign-in identifiers across sites and services, for example, to 
permit children seamlessly to transition between devices or platforms 
via a single screen or user name.\28\ The Commission therefore proposes 
that a screen or user name should be included within the definition of 
personal information only in those instances in which a screen or user 
name rises to the level of online contact information.\29\ In such 
cases, a screen or user name functions much like an email address, an 
instant messaging identifier, or ``or any other substantially similar 
identifier that permits direct contact with a person online.'' \30\

[[Page 46647]]

Therefore, the Commission proposes to modify paragraph (d) of the 
---------------------------------------------------------------------------
definition of personal information as follows:

    \27\  See 1999 Statement of Basis and Purpose, 64 FR at 59892.
    \28\ See Direct Marketing Association (comment 37), at 16-17; 
Entertainment Software Association (comment 47), at 9-10; Adam 
Thierer (comment 162), at 6; TRUSTe (comment 164), at 3-4; The Walt 
Disney Co. (comment 170), at 21-22.
    \29\ Id. at 59891, n.49 (``Another example of `online contact 
information' could be a screen name that also serves as an email 
address'').
    \30\ See 2011 COPPA NPRM, 76 FR at 59810 (proposed definition of 
online contact information).
---------------------------------------------------------------------------

    Personal information means individually identifiable information 
about an individual collected online, including:
* * * * *
    (d) A screen or user name where it functions in the same manner 
as online contact information, as defined in this Section;
* * * * *
2. Persistent Identifiers and Support for Internal Operations
    In the September 2011 COPPA NPRM, the Commission proposed changes 
to the definition of personal information that, among other things, 
would have included ``[a] persistent identifier, including but not 
limited to, a customer number held in a cookie, an Internet Protocol 
(IP) address, a processor or device serial number, or unique device 
identifier, where such persistent identifier is used for functions 
other than or in addition to support for the internal operations of the 
Web site or online service.'' \31\ The Commission also proposed to 
include in the definition of personal information ``identifiers that 
link the activities of a child across different Web sites or online 
services.'' \32\ As stated in the 2011 COPPA NPRM, these changes were 
intended to ``require parental notification and consent prior to the 
collection of persistent identifiers where they are used for purposes 
such as amassing data on a child's online activities or behaviorally 
targeting advertising to the child.'' \33\ By carving out exceptions 
for support for internal operations, the Commission stated it intended 
to exempt from COPPA's coverage the collection and use of identifiers 
for authenticating users, improving site navigation, maintaining user 
preferences, serving contextual advertisements, protecting against 
fraud or theft, or otherwise personalizing, improving upon, or securing 
a Web site or online service.\34\
---------------------------------------------------------------------------

    \31\ See 2011 COPPA NPRM, 76 FR at 59812 (proposed definition of 
personal information, paragraph (g)).
    \32\ Id. (proposed definition of paragraph (h)).
    \33\ Id.
    \34\ Id.
---------------------------------------------------------------------------

    The Commission received numerous comments on the proposed inclusion 
of persistent identifiers within the definition of personal 
information. Consumer advocacy organizations, including the Center for 
Digital Democracy (``CDD''), Consumers Union (``CU''), and the 
Electronic Privacy Information Center (``EPIC''), fully supported the 
proposal, finding that, increasingly, particular devices are associated 
with particular individuals, and the collection of identifiers permits 
direct contact with individuals online.\35\ In addition to these 
advocacy groups, nearly 200 individual consumers filed comments 
supporting the inclusion of IP address within the Rule's definition of 
personal information.
---------------------------------------------------------------------------

    \35\ See CU (comment 29), at 3; EPIC (comment 41), at 8; CDD 
(comment 71), at 29.
---------------------------------------------------------------------------

    By contrast, the overwhelming majority of the comments filed by Web 
site operators, industry associations, privacy experts, and 
telecommunications companies opposed the Commission's expansion of the 
definition of personal information to reach persistent identifiers, 
even with the limitation to activities other than or in addition to 
support for internal operations. Most of these commenters claimed that 
the collection of one or more persistent identifiers only permits 
online contact with a device and not with a specific individual.\36\ 
These commenters also expressed concern about the breadth and potential 
vagueness of the proposed paragraph (h) defining as personal 
information ``an identifier that links the activities of a child across 
different Web sites or online services.'' Among the concerns raised 
about (h) were the lack of clarity about the term ``different Web sites 
or online services,'' \37\ including whether this term is intended to 
cover identifiers collected by a single operator across multiple 
platforms \38\ or a child's activities within or between affiliated Web 
sites or online services.\39\
---------------------------------------------------------------------------

    \36\ See Computer and Communications Industry Association 
(comment 27), at 3-5; CTIA (comment 32), at 7-8; eBay (comment 40), 
at 5; Future of Privacy Forum (comment 55), at 2-3; Information 
Technology Industry Council (comment 70), at 3-4; Intel (comment 
72), at 4-6; IAB (comment 73), at 4-6; KidSafe Seal Program (comment 
81), at 6-7; TechAmerica (comment 159), at 3-5; Promotion Marketing 
Association (comment 133), at 10-12; TRUSTe (comment 164), at 4-6; 
Yahoo! (comment 180), at 7-8; Toy Industry Association (comment 
163), at 8-10.
    \37\ See IAB (comment 73), at 5; KidSafe Seal Program (comment 
81), at 9; Scholastic (comment 144), at 14; TRUSTe (comment 164), at 
5-6; The Walt Disney Co. (comment 170), at 20-21; WiredSafety 
(comment 177), at 11.
    \38\ See Scholastic (comment 144), at 14; TRUSTe (comment 164), 
at 5.
    \39\ See The Walt Disney Co. (comment 170), at 22.
---------------------------------------------------------------------------

    Several commenters urged the Commission to alter its approach to 
persistent identifiers to focus more directly on their use, or 
potential misuse, rather than on their collection.\40\ Moreover, 
several commenters maintained that the proposed definition of support 
for internal operations is too narrow to cover the very types of 
activities the Commission intended to permit, e.g., user 
authentication, improving site navigation, maintaining user 
preferences, serving contextual advertisements, and protecting against 
fraud or theft.\41\ Others raised concerns that it was unclear whether 
the collection of data within persistent identifiers for the purpose of 
performing site performance or functioning analyses, or analytics, 
would be included within the definition of support for internal 
operations.\42\
---------------------------------------------------------------------------

    \40\ ``A straightforward way to regulate the ability of 
operators to target children with behavioral advertising would be to 
simply prohibit operators from engaging in the practice as it has 
previously been defined by the FTC. But the FTC instead focuses on 
the types of information operators collect rather than on how 
operators use the information.'' Future of Privacy Forum (comment 
55), at 2; see also VISA, Inc. (comment 168), at 2; WiredTrust 
(comment 177), at 11.
    \41\ See CTIA (comment 32), at 15; KidSafe Seal Program (comment 
81), at 6-7; Scholastic (comment 144), at 13; Toy Industry 
Association (comment 163), at 10; TRUSTe (comment 164), at 8; The 
Walt Disney Co. (comment 170), at 7; WiredSafety (comment 177), at 
13.
    \42\ Association for Competitive Technology (comment 5), at 5; 
CTIA (comment 32), at 14; Direct Marketing Association (comment 37), 
at 14-15; IAB (comment 73), at 4; NCTA (comment 113), at 15; 
Scholastic (comment 144), at 14; ; TechFreedom (comment 159), at 9-
10; Toy Industry Association (comment 163), at 7, 9; TRUSTe (comment 
164), at 5; WiredTrust (comment 177), at 11.
---------------------------------------------------------------------------

    In response to these concerns, the Commission is proposing revised 
language for the definitions regarding persistent identifiers and 
support for internal operations. The proposed revised language is 
intended to: (1) Address the concerns about the confusion caused by 
having two different sub-definitions dealing with persistent 
identifiers, paragraphs (g) and (h); and (2) provide more specificity 
to the types of activities that will be considered support for internal 
operations.
    The newly proposed definition regarding persistent identifiers is:

    Personal information means individually identifiable information 
about an individual collected online, including:
    (g) A persistent identifier that can be used to recognize a user 
over time, or across different Web sites or online services, where 
such persistent identifier is used for functions other than or in 
addition to support for the internal operations of the Web site or 
online service. Such persistent identifier includes, but is not 
limited to, a customer number held in a cookie, an Internet Protocol 
(IP) address, a processor or device serial number, or unique device 
identifier;
* * * * *
This proposal combines the two previous definitions into one and makes 
clear that an operator can only identify users over time or across Web 
sites for the enumerated activities set forth in the definition of 
support for internal operations.

[[Page 46648]]

    The newly proposed definition of support for internal operations 
is:

    Support for the internal operations of the Web site or online 
service means those activities necessary to: (a) Maintain or analyze 
the functioning of the Web site or online service; (b) perform 
network communications; (c) authenticate users of, or personalize 
the content on, the Web site or online service; (d) serve contextual 
advertising on the Web site or online service; (e) protect the 
security or integrity of the user, Web site, or online service; or 
(f) fulfill a request of a child as permitted by '' 312.5(c)(3) and 
(4); so long as the information collected for the activities listed 
in (a)-(f) is not used or disclosed to contact a specific individual 
or for any other purpose.

    This revision incorporates into the Rule many of the types of 
activities B user authentication, maintaining user preferences, serving 
contextual advertisements, and protecting against fraud or theft B that 
the Commission initially discussed as permissible in the 2011 COPPA 
NPRM.\43\ It would also specifically permit the collection of 
persistent identifiers for functions related to site maintenance and 
analysis, and to perform network communications, that many commenters 
view as crucial to their ongoing operations.\44\ The Commission notes 
the importance of the proviso at the end of the proposed definition: To 
be considered support for internal operations, none of the information 
collected may be used or disclosed to contact a specific individual, 
including through the use of behaviorally-targeted advertising, or for 
any other purpose.
---------------------------------------------------------------------------

    \43\ See 2011 COPPA NPRM, 76 FR at 59812.
    \44\ This proposed revised definition is consistent with the 
Commission's position in its recent privacy report that notice need 
not be provided to consumers regarding data practices that are 
sufficiently accepted or necessary for public policy reasons. See 
FTC, Protecting Consumer Privacy in an Era of Rapid Change: 
Recommendations for Businesses and Policymakers, at 36, 38-40, 
available athttp://ftc.gov/os/2012/03/120326privacyreport.pdf.
---------------------------------------------------------------------------

III. Request for Comment

    The Commission invites interested persons to submit written 
comments on any issue of fact, law, or policy that may bear upon the 
proposals under consideration. Please include explanations for any 
answers provided, as well as supporting evidence where appropriate. 
After evaluating the comments, the Commission will determine whether to 
issue specific amendments.
    Comments should refer to ``COPPA Rule Review: FTC File No. 
P104503'' to facilitate the organization of comments. Please note that 
your comment B including your name and your state B will be placed on 
the public record of this proceeding, including on the publicly 
accessible FTC Web site, at http://www.ftc.gov/os/publiccomments.shtm. 
Comments must be received on or before September 10, 2012, to be 
considered by the Commission.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before September 10, 
2012. Write ``COPPA Rule Review, 16 CFR Part 312, Project No. P104503'' 
on your comment. Your comment B including your name and your state B 
will be placed on the public record of this proceeding, including, to 
the extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the 
Commission tries to remove individuals' home contact information from 
comments before placing them on the Commission Web site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment does not include any 
sensitive personal information, such as anyone's Social Security 
number, date of birth, driver's license number or other state 
identification number or foreign country equivalent, passport number, 
financial account number, or credit or debit card number. You are also 
solely responsible for making sure that your comment does not include 
any sensitive health information, such as medical records or other 
individually identifiable health information. In addition, do not 
include any ``[t]rade secret or any commercial or financial information 
which is obtained from any person and which is privileged or 
confidential,'' as provided in Section 6(f) of the FTC Act, 15 U.S.C. 
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, don't 
include competitively sensitive information such as costs, sales 
statistics, inventories, formulas, patterns, devices, manufacturing 
processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you must follow the procedure explained in 
FTC Rule 4.9(c), 16 CFR 4.9(c).\45\ Your comment will be kept 
confidential only if the FTC General Counsel, in his or her sole 
discretion, grants your request in accordance with the law and the 
public interest.
---------------------------------------------------------------------------

    \45\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/2012copparulereview, by following the instructions on the web-based 
form. If this document appears at http://www.regulations.gov/#!home, 
you also may file a comment through that Web site.
    If you file your comment on paper, write ``COPPA Rule Review, 16 
CFR Part 312, Project No. P104503'' on your comment and on the 
envelope, and mail or deliver it to the following address: Federal 
Trade Commission, Office of the Secretary, Room H-113 (Annex E), 600 
Pennsylvania Avenue NW., Washington, DC 20580. If possible, submit your 
paper comment to the Commission by courier or overnight service.
    Visit the Commission Web site at http://www.ftc.gov to read this 
document and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before September 10, 2012.\46\ You can find more 
information, including routine uses permitted by the Privacy Act, in 
the Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.
---------------------------------------------------------------------------

    \46\ Questions for the public regarding proposed revisions to 
the Rule are found at Part VII, infra.
---------------------------------------------------------------------------

    Comments on any proposed recordkeeping, disclosure, or reporting 
requirements subject to review under the Paperwork Reduction Act should 
additionally be submitted to OMB. If sent by U.S. mail, they should be 
addressed to Office of Information and Regulatory Affairs, Office of 
Management and Budget, Attention: Desk Officer for the Federal Trade 
Commission, New Executive Office Building, Docket Library, Room 10102, 
725 17th Street NW.,Washington, DC 20503. Comments sent to OMB by U.S. 
postal mail, however, are subject to delays due to heightened security 
precautions. Thus, comments instead should be sent by facsimile to 
(202) 395-5167.

IV. Regulatory Flexibility Act

    The Regulatory Flexibility Act of 1980 (``RFA''), 5 U.S.C. 601 et 
seq., requires

[[Page 46649]]

a description and analysis of proposed and final rules that will have 
significant economic impact on a substantial number of small entities. 
The RFA requires an agency to provide an Initial Regulatory Flexibility 
Analysis (``IRFA'') with the proposed Rule, and a Final Regulatory 
Flexibility Analysis (``FRFA''), if any, with the final Rule.\47\ The 
Commission is not required to make such analyses if a Rule would not 
have such an economic effect.\48\
---------------------------------------------------------------------------

    \47\ See 5 U.S.C. 603-04.
    \48\ See 5 U.S.C. 605.
---------------------------------------------------------------------------

    As described below, the Commission anticipates that the proposed 
changes to the Rule addressed in this Revised COPPA NPRM will result in 
more Web sites and online services being subject to the Rule and to the 
Rule's disclosure, reporting, and compliance requirements. The 
Commission believes that a number of operators of Web sites and online 
services potentially affected by these revisions are small entities as 
defined by the RFA. It is unclear whether the Revised COPPA NPRM will 
have a significant economic impact on these small entities. Thus, to 
obtain more information about the impact of the Revised COPPA NPRM on 
small entities, the Commission has decided to publish the following 
IRFA pursuant to the RFA and to request public comment on the impact on 
small businesses of its Revised COPPA NPRM.

A. Description of the Reasons That Agency Action Is Being Considered

    As described in Part I above, in September 2011, the Commission 
issued a Notice of Proposed Rulemaking setting forth proposed changes 
to the Commission's COPPA Rule. Among other things, the Commission 
proposed modifying the Rule's definitions of personal information to 
include persistent identifiers and screen or user names other than 
where they are used to support internal operations, and Web site or 
online service directed to children to include additional indicia that 
a site or service may be targeted to children. The Commission received 
over 350 comments on the proposed changes, a number of which addressed 
the proposed changes to these two definitions. After reviewing these 
comments, and based upon its experience in enforcing and administering 
the Rule, the Commission now proposes additional modifications to the 
definitions of personal information, support for internal operations, 
and Web site or online service directed to children, and also proposes 
to modify the definition of operator.

B. Succinct Statement of the Objectives of, and Legal Basis for, the 
Additional Proposed Modifications to the Rule's Definitions

    The objectives of the additional proposed modifications to the 
Rule's definitions are to update the Rule to ensure that children's 
online privacy continues to be protected, as directed by Congress, even 
as new online technologies evolve, and to clarify existing obligations 
for operators under the Rule. The legal basis for the proposed 
amendments is the Children's Online Privacy Protection Act, 15 U.S.C. 
6501 et seq.

C. Description and Estimate of the Number of Small Entities to Which 
the Proposed Modifications to the Rule's Definitions Will Apply

    The proposed modifications to the Rule's definitions will affect 
operators of Web sites and online services directed to children, as 
well as those operators that have actual knowledge that they are 
collecting personal information from children. The proposed Rule 
amendments will impose costs on entities that are ``operators'' under 
the Rule.
    The Commission staff is unaware of any empirical evidence 
concerning the number of operators subject to the Rule. However, based 
on the public comments received and the modifications proposed here, 
the Commission staff estimates that approximately 500 additional 
operators may newly be subject to the Rule's requirements and that 
there will be approximately 125 new operators per year for a 
prospective three-year period.
    Under the Small Business Size Standards issued by the Small 
Business Administration, ``Internet publishing and broadcasting and web 
search portals'' qualify as small businesses if they have fewer than 
500 employees.\49\ The Commission staff now estimates that 
approximately 85-90% of operators potentially subject to the Rule 
qualify as small entities; this projection is revised upward from the 
Commission's prior estimate of 80% set forth in the 2011 COPPA NPRM to 
take into account the growing market for mobile applications, many of 
which may be subject to the proposed revised Rule. The Commission staff 
bases this revised higher estimate on its experience in this area, 
which includes its law enforcement activities, discussions with 
industry members, privacy professionals, and advocates, and oversight 
of COPPA safe harbor programs. The Commission seeks comment and 
information with regard to the estimated number or nature of small 
business entities on which the proposed Rule would have a significant 
economic impact.
---------------------------------------------------------------------------

    \49\ See U.S. Small Business Administration Table of Small 
Business Size Standards Matched to North American Industry 
Classification System Codes, available at http://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf.
---------------------------------------------------------------------------

D. Description of the Projected Reporting, Recordkeeping, and Other 
Compliance Requirements

    The proposed amended Rule would impose reporting, recordkeeping, 
and other compliance requirements within the meaning of the Paperwork 
Reduction Act, as set forth in Part II of this Notice of Proposed 
Rulemaking. Therefore, the Commission is submitting the proposed 
revised modifications to the Rule's definitions to OMB for review 
before issuing a final rule.
    The proposed revised modifications to the Rule's definitions likely 
would increase the number of operators subject to the proposed revised 
Rule's recordkeeping, reporting, and other compliance requirements. In 
particular, the proposed revised definition of operator will 
potentially cover additional child-directed Web sites and online 
services that choose to integrate other services that collect personal 
information from visitors. Similarly, the proposed addition of 
paragraph (d) to the definition of Web site or online service directed 
to children, which clarifies that the Rule covers a Web site or online 
service that knows or has reason to know it is collecting personal 
information through any Web site or online service directed to 
children, will potentially cover additional Web sites and online 
services. These proposed improvements to the Rule may entail some added 
cost burden to operators, including those that qualify as small 
entities. However, the proposed addition of paragraph (c) to the 
definition of Web site or online service directed to children, and the 
proposed modifications to the definitions of personal information and 
support for internal operations, may offset the added burdens discussed 
above, by potentially decreasing certain operators' recordkeeping, 
reporting, and other compliance requirements.
    The estimated burden imposed by these proposed modifications to the 
Rule's definitions is discussed in the Paperwork Reduction Act section 
of this document, and there should be no difference in that burden as 
applied to small businesses. While the Rule's compliance obligations 
apply equally to all entities subject to the Rule, it is unclear 
whether the economic burden

[[Page 46650]]

on small entities will be the same as or greater than the burden on 
other entities. That determination would depend upon a particular 
entity's compliance costs, some of which may be largely fixed for all 
entities (e.g., Web site programming) and others that may be variable 
(e.g., choosing to operate a family friendly Web site or online 
service), and the entity's income or profit from operation of the Web 
site or online service (e.g., membership fees) or from related sources 
(e.g., revenue from marketing to children through the site or service). 
As explained in the Paperwork Reduction Act section, in order to comply 
with the Rule's requirements, operators will require the professional 
skills of legal (lawyers or similar professionals) and technical (e.g., 
computer programmers) personnel. As explained earlier, the Commission 
staff estimates that there are approximately 500 additional Web site or 
online services that would newly qualify as operators under the 
proposed modifications to the Rule's definitions, that there will be 
approximately 125 new operators per year for a three-year period, and 
that approximately 85-90% of all such operators would qualify as small 
entities under the SBA's Small Business Size standards. The Commission 
invites comment and information on these issues.

E. Identification of Other Duplicative, Overlapping, or Conflicting 
Federal Rules

    The Commission has not identified any other federal statutes, 
rules, or policies that would duplicate, overlap, or conflict with the 
proposed Rule. The Commission invites comment and information on this 
issue.

F. Description of Any Significant Alternatives to the Proposed 
Modifications to the Rule's Definitions

    In drafting the proposed modifications to the Rule's definitions, 
the Commission has attempted to avoid unduly burdensome requirements 
for entities. The Commission believes that the proposed modifications 
will advance the goal of children's online privacy in accordance with 
COPPA. For each of the proposed modifications, the Commission has taken 
into account the concerns evidenced by the record to date. On balance, 
the Commission believes that the benefits to children and their parents 
outweigh the costs of implementation to industry.
    The Commission has considered, but has decided not to propose, an 
exemption for small businesses. The primary purpose of COPPA is to 
protect children's online privacy by requiring verifiable parental 
consent before an operator collects personal information. The record 
and the Commission's enforcement experience have shown that the threats 
to children's privacy are just as great, if not greater, from small 
businesses or even individuals than from large businesses.\50\ 
Accordingly, an exemption for small businesses would undermine the very 
purpose of the statute and Rule.
---------------------------------------------------------------------------

    \50\ See, e.g., United States v. RockYou, Inc., No. 3:12-cv-
01487-SI (N.D. Cal., entered Mar. 27, 2012); United States v. 
Godwin, No. 1:11-cv-03846-JOF (N.D. Ga., entered Feb. 1, 2012); 
United States v. W3 Innovations, LLC, No. CV-11-03958 (N.D. Cal., 
filed Aug. 12, 2011); United States v. Industrious Kid, Inc., No. 
CV-08-0639 (N.D. Cal., filed Jan. 28, 2008); United States v. 
Xanga.com, Inc., No. 06-CIV-6853 (S.D.N.Y., entered Sept. 11, 2006); 
United States v. Bonzi Software, Inc., No. CV-04-1048 (C.D. Cal., 
filed Feb. 17, 2004); United States v. Looksmart, Ltd., Civil Action 
No. 01-605-A (E.D. Va., filed Apr. 18, 2001); United States v. 
Bigmailbox.Com, Inc., Civil Action No. 01-606-B (E.D. Va., filed 
Apr. 18, 2001).
---------------------------------------------------------------------------

    While the proposed modifications to the Rule's definitions 
potentially will increase the number of Web site and online service 
operators subject to the Rule, the Rule continues to provide regulated 
entities with the flexibility to select the most appropriate, cost-
effective, technologies to achieve COPPA's objective results. For 
example, the proposed new definition of support for internal operations 
is intended to provide operators with the flexibility to conduct their 
information collections in a manner they choose consistent with 
ordinary operation, enhancement, or security measures. Moreover, the 
proposed changes to Web site or online service directed to children 
would provide greater flexibility to family friendly sites and services 
in developing mechanisms to provide the COPPA protections to child 
visitors.
    The Commission seeks comments on ways in which the Rule could be 
modified to reduce any costs or burdens for small entities.

V. Paperwork Reduction Act

    The existing Rule contains recordkeeping, disclosure, and reporting 
requirements that constitute ``information collection requirements'' as 
defined by 5 CFR 1320.3(c) under the OMB regulations that implement the 
Paperwork Reduction Act (``PRA''), 44 U.S.C. 3501 et seq. OMB has 
approved the Rule's existing information collection requirements 
through July 31, 2014 (OMB Control No. 3084-0117).
    The proposed modifications to the Rule's definitions would change 
the definitions of operator and Web site or online service directed to 
children, potentially increasing the number of operators subject to the 
Rule. However, the proposed modifications to the definitions of 
personal information and support for internal operations may offset 
these added burdens by potentially decreasing certain operators' 
recordkeeping, reporting, and other compliance requirements. Thus, the 
Commission is providing PRA burden estimates for the proposed 
modifications, set forth below.
    The Commission invites comments on: (1) Whether the proposed 
collection of information is necessary for the proper performance of 
the functions of the agency, including whether the information shall 
have practical utility; (2) the accuracy of the FTC's estimate of the 
burden of the proposed collection of information; (3) ways to enhance 
the quality, utility, and clarity of the information to be collected; 
and (4) ways to minimize the burden of collecting information.

Estimated Additional Annual Hours Burden

A. Number of Respondents

    Commission staff estimates that there will be approximately 500 
existing operators of Web sites or online services that likely will be 
newly covered as a result of the modifications proposed herein. This 
projected number is based upon the Commission staff's expectation that 
altering the definitions of operator and Web site or online service 
directed to children will expand the pool of covered operators. Other 
proposed modifications, however, should offset some of this potential 
expansion. Specifically, these offsets include clarification of the 
definition of support for internal operations and the carve-out from 
the definition of Web site or online service directed to children of 
family friendly sites and services that take particular measures. The 
Commission also anticipates that some operators of Web sites or online 
services will make adjustments to their information collection 
practices so that they will not be collecting personal information from 
children, as defined by the proposed revised Rule.
    Further, Commission staff estimates that 125 additional new 
operators per year (over a prospective three-year PRA clearance period 
\51\) will be covered by the Rule through the proposed modifications. 
This is incremental to the previously cleared FTC estimates of 100 new 
operators per year for the current Rule.
---------------------------------------------------------------------------

    \51\ Under the PRA, agencies may seek a maximum of three years' 
clearance for a collection of information. 44 U.S.C. 3507(g).

---------------------------------------------------------------------------

[[Page 46651]]

B. Recordkeeping Hours

    The proposed modifications to the Rule's definitions will not 
impose incremental recordkeeping requirements on operators.

C. Disclosure Hours

(1) New Operators' Disclosure Burden
    Under the existing OMB clearance for the Rule, the FTC has 
estimated that new operators will each spend approximately 60 hours to 
craft a privacy policy, design mechanisms to provide the required 
online privacy notice and, where applicable, direct notice to parents 
in order to obtain verifiable consent. Several commenters noted that 
this 60-hour estimate failed to take into account accurate costs of 
compliance with the Rule.\52\ None of these commenters, however, 
provided the Commission with empirical data or specific evidence on the 
number of hours such activities require. Thus, the Commission does not 
have sufficient information at present to revise its earlier hours 
estimate. Applying this estimate of 60 hours per new operator to the 
above-stated estimate of 125 new operators yields an estimated 7,500 
additional disclosure hours, cumulatively.
---------------------------------------------------------------------------

    \52\ See Nancy Savitt (comment 142), at 1; NCTA (comment 113), 
at 23-24.
---------------------------------------------------------------------------

(2) Existing Operators' Disclosure Burden
    The proposed modifications to the Rule's definitions will not 
impose incremental disclosure time per entity, but, as noted above, 
would result in an estimated 500 additional existing operators that 
would be covered by the Rule. These entities will have a one-time 
burden to re-design their existing privacy policies and direct notice 
procedures that would not carry over to the second and third years of 
prospective PRA clearance. The Commission estimates that an existing 
operator's time to make these changes would be no more than that for a 
new entrant crafting its online and direct notices for the first time, 
i.e., 60 hours. Annualized over three years of PRA clearance, this 
amounts to 20 hours ((60 hours + 0 + 0) / 3) per year. Aggregated for 
the estimated 500 existing operators that would be newly subject to the 
Rule, annualized disclosure burden would be 10,000 hours.

D. Reporting Hours

    The proposed modifications to the Rule's definitions will not 
impose incremental reporting hours requirements.

E. Labor Costs

(1) Recordkeeping
    None.
(2) Disclosure
    The Commission staff assumes that the time spent on compliance for 
new operators and existing operators that would be newly covered by the 
Rule's proposed modifications would be apportioned five to one between 
legal (lawyers or similar professionals) and technical (e.g., computer 
programmers, software developers, and information security analysts) 
personnel.\53\ Moreover, based on Bureau of Labor Statistics compiled 
data, FTC staff assumes for compliance cost estimates a mean hourly 
rate of $180 for legal assistance and $42 for technical labor 
support.\54\
---------------------------------------------------------------------------

    \53\ See 76 FR 7211, 7212-7213 (Feb. 9, 2011); 76 FR 31334, 
31335 n. 1 (May 31, 2011) (FTC notices for renewing OMB clearance 
for the COPPA Rule).
    \54\ The estimated rate of $180 per hour is roughly midway 
between Bureau of Labor Statistics (BLS) mean hourly wages for 
lawyers ($62.74) in the most recent annual compilation available 
online and what Commission staff believes more generally reflects 
hourly attorney costs ($300) associated with Commission information 
collection activities. The estimate of mean hourly wages of $42 is 
based on an average of the salaries for computer programmers, 
software developers, information security analysts, and web 
developers as reported by the Bureau of Labor Standards. See 
National Occupational and Wages--May 2011, available at http://www.bls.gov/news.release/archives/ocwage_03272012.pdf.
---------------------------------------------------------------------------

    Thus, for the estimated 125 additional new operators per year, 
7,500 cumulative disclosure hours would be composed of 6,250 hours of 
legal assistance and 1,250 hours of technical support. Applied to 
hourly rates of $180 and respectively. $42, respectively, associated 
labor costs for the 125 additional new operators potentially subject to 
the proposed amendments would be $1,177,500.
    Similarly, for the estimated 500 existing operators that would be 
newly covered by the proposed definitional changes, 10,000 cumulative 
disclosure hours would consist of 8,333 hours of legal assistance and 
1,667 hours for technical support. Applied at hourly rates of $180 and 
$42, respectively, associated labor costs would total $1,569,954. Thus, 
cumulative labor costs for new and existing operators that would be 
additionally subject to the Rule through the proposed amendments would 
be $2,747,454.
(3) Reporting
    None.

F. Non-Labor/Capital Costs

    None.

VI. Communications by Outside Parties to the Commissioners or Their 
Advisors

    Written communications and summaries or transcripts of oral 
communications respecting the merits of this proceeding, from any 
outside party to any Commissioner or Commissioner's advisor, will be 
placed on the public record. See 16 CFR 1.26(b)(5).

VII. Questions for the Proposed Revisions to the Rule

    The Commission is seeking comment on various aspects of the 
proposed Rule, and is particularly interested in receiving comment on 
the questions that follow. These questions are designed to assist the 
public and should not be construed as a limitation on the issues on 
which public comment may be submitted in response to this notice. 
Responses to these questions should cite the numbers and subsection of 
the questions being answered. For all comments submitted, please submit 
any relevant data, statistics, or any other evidence upon which those 
comments are based.

Definition of On Whose Behalf Such Information Is Collected or 
Maintained

    1. The Commission proposes to revise the definition of operator to 
indicate that personal information is collected or maintained on behalf 
of an operator where it is collected in the interest of, as a 
representative of, or for the benefit of, the operator.
    a. Is the proposed language sufficiently clear to cover Web sites 
or online services where they permit the collection of personal 
information by parties such as advertising networks, providers of 
downloadable software kits, or ``social plug-ins''?
    b. Do the proposed requirements of this provision provide 
sufficient guidance and clarity for an operator who does not otherwise 
collect personal information from children?
    c. Is the proposed language sufficiently narrow to exclude entities 
that merely provide access to the Internet without providing content or 
collecting information from children?
    d. Does the proposed language present any practical or technical 
challenges for implementation by the operator? If so, please describe 
such challenges in detail.

Definition of Web Site or Online Service Directed to Children

    2. The Commission proposes to identify four categories of Web sites 
or online services directed to children (paragraphs (a)-(d)). Does the 
proposed revised definition adequately capture all

[[Page 46652]]

instances where a Web site or online service may be directed to 
children?
    3. Is the newly proposed paragraph (c) within the definition of Web 
site or online service directed to children sufficiently clear to 
provide guidance to an operator as to when the operator is permitted to 
screen users for age and is required to comply with COPPA?
    4. The Commission proposes to cover as a Web site or online service 
directed to children an operator who knows or has reason to know that 
it is collecting personal information through a child-directed site or 
service (paragraph (d)).
    a. Is the ``knows or has reason to know'' standard appropriate in 
this case? Should the standard be broadened, or should it be narrowed, 
in any way?
    b. What are the costs and benefits to operators, parents, and 
children of the proposed revisions?
    c. Does the proposed language present any practical or technical 
challenges for implementation by the operator? If so, please describe 
such challenges in detail.
    5. Is there currently technology in use or available that would 
enable Web sites or online services to publicly signal (through code or 
otherwise) that they are sites or services ``directed to children''? 
What are the costs and benefits of the voluntary use of such 
technology?

Definition of Personal Information

Screen or User Names
    6. The Commission proposes revising the definition of personal 
information to include screen or user name where it functions in the 
same manner as online contact information, i.e., where it acts as an 
identifier that permits direct contact with a person online. Are there 
any other instances not identified by the Commission in which a screen 
or user name can be used to contact a specific child?
Persistent Identifiers and Support for Internal Operations
    7. The Commission proposes to combine the sub-definitions of 
personal information in proposed paragraphs (g) and (h) covering 
persistent identifiers, and to broaden the definition of support for 
internal operations.
    a. Is the proposed language sufficiently clear?
    b. What are the costs and benefits to operators, parents, and 
children of the proposed revisions?
    c. Do the proposed revisions present any practical or technical 
challenges for implementation by the operator? If so, please describe 
such challenges in detail.

Paperwork Reduction Act

    8. The Commission solicits comments on whether the changes to the 
definitions (Sec.  312.2) constitute ``collections of information'' 
within the meaning of the Paperwork Reduction Act. The Commission 
requests comments that will enable it to:
    a. Evaluate whether the proposed collections of information are 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    b. Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collections of information, including the validity of the 
methodology and assumptions used;
    c. Enhance the quality, utility, and clarity of the information to 
be collected; and,
    d. Minimize the burden of the collections of information on those 
who must comply, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology.

VIII. Proposed Revisions to the Rule

List of Subjects in 16 CFR Part 312

    Children, Communications, Consumer protection, Electronic mail, 
Email, Internet, Online service, Privacy, Record retention, Safety, 
Science and technology, Trade practices, Web site, Youth.

    For the reasons discussed above, the Commission proposes to amend 
part 312 of Title 16, Code of Federal Regulations, as follows:

PART 312--CHILDREN'S ONLINE PRIVACY PROTECTION RULE

    1. The authority citation for part 312 continues to read as 
follows:

    Authority: 15 U.S.C. 6501-6508.

    2. Amend Sec.  312.2 by revising the definitions of operator, 
personal information, and Web sites or online services directed to 
children, and by adding after the definition of personal information a 
new definition of support for internal operations of the Web site or 
online service, to read as follows:


Sec.  312.2  Definitions.

* * * * *
    Operator means any person who operates a Web site located on the 
Internet or an online service and who collects or maintains personal 
information from or about the users of or visitors to such Web site or 
online service, or on whose behalf such information is collected or 
maintained, or offers products or services for sale through that Web 
site or online service, where such Web site or online service is 
operated for commercial purposes involving commerce:
    (a) Among the several States or with 1 or more foreign nations;
    (b) In any territory of the United States or in the District of 
Columbia, or between any such territory and
    (1) Another such territory, or,
    (2) Any State or foreign nation; or,
    (c) Between the District of Columbia and any State, territory, or 
foreign nation. This definition does not include any nonprofit entity 
that would otherwise be exempt from coverage under Section 5 of the 
Federal Trade Commission Act (15 U.S.C. 45).


Personal information is collected or maintained on behalf of an 
operator where it is collected in the interest of, as a representative 
of, or for the benefit of, the operator.
* * * * *
    Personal information means individually identifiable information 
about an individual collected online, including:
    (a) A first and last name;
    (b) A home or other physical address including street name and name 
of a city or town;
    (c) Online contact information as defined in this Section;
    (d) A screen or user name where it functions in the same manner as 
online contact information, as defined in this Section;
    (e) A telephone number;
    (f) A Social Security number;
    (g) A persistent identifier that can be used to recognize a user 
over time, or across different Web sites or online services, where such 
persistent identifier is used for functions other than or in addition 
to support for the internal operations of the Web site or online 
service. Such persistent identifier includes, but is not limited to, a 
customer number held in a cookie, an Internet Protocol (IP) address, a 
processor or device serial number, or unique device identifier;
    (h) A photograph, video, or audio file where such file contains a 
child's image or voice;
    (i) Geolocation information sufficient to identify street name and 
name of a city or town; or,
    (j) Information concerning the child or the parents of that child 
that the operator collects online from the child and combines with an 
identifier described in this definition.
    Support for the internal operations of the Web site or online 
service means those activities necessary to: (a)

[[Page 46653]]

Maintain or analyze the functioning of the Web site or online service; 
(b) perform network communications; (c) authenticate users of, or 
personalize the content on, the Web site or online service; (d) serve 
contextual advertising on the Web site or online service; (e) protect 
the security or integrity of the user, Web site, or online service; or 
(f) fulfill a request of a child as permitted by Sec. Sec.  312.5(c)(3) 
and (4); so long as the information collected for the activities listed 
in (a)-(f) is not used or disclosed to contact a specific individual or 
for any other purpose.
* * * * *
    Web site or online service directed to children means a commercial 
Web site or online service, or portion thereof, that:
    (a) Knowingly targets children under age 13 as its primary 
audience; or,
    (b) based on the overall content of the Web site or online service, 
is likely to attract children under age 13 as its primary audience; or,
    (c) based on the overall content of the Web site or online service, 
is likely to attract an audience that includes a disproportionately 
large percentage of children under age 13 as compared to the percentage 
of such children in the general population; provided however that such 
Web site or online service shall not be deemed to be directed to 
children if it: (i) Does not collect personal information from any 
visitor prior to collecting age information; and (ii) prevents the 
collection, use, or disclosure of personal information from visitors 
who identify themselves as under age 13 without first obtaining 
verifiable parental consent; or,
    (d) knows or has reason to know that it is collecting personal 
information through any Web site or online service covered under 
paragraphs (a)-(c).


In determining whether a commercial Web site or online service, or a 
portion thereof, is directed to children, the Commission will consider 
its subject matter, visual content, use of animated characters or 
child-oriented activities and incentives, music or other audio content, 
age of models, presence of child celebrities or celebrities who appeal 
to children, language or other characteristics of the Web site or 
online service, as well as whether advertising promoting or appearing 
on the Web site or online service is directed to children. The 
Commission will also consider competent and reliable empirical evidence 
regarding audience composition, and evidence regarding the intended 
audience. A commercial Web site or online service, or a portion 
thereof, shall not be deemed directed to children solely because it 
refers or links to a commercial Web site or online service directed to 
children by using information location tools, including a directory, 
index, reference, pointer, or hypertext link.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2012-19115 Filed 8-3-12; 8:45 am]
BILLING CODE 6750-01-P