[Federal Register Volume 84, Number 143 (Thursday, July 25, 2019)]
[Proposed Rules]
[Pages 35842-35847]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-15754]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 312

RIN 3084-AB20


Request for Public Comment on the Federal Trade Commission's 
Implementation of the Children's Online Privacy Protection Rule

AGENCY: Federal Trade Commission.

ACTION: Regulatory review; request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') 
requests public comment on its implementation of the Children's Online 
Privacy Protection Act (``COPPA'' or ``the Act''), through the 
Children's Online Privacy Protection Rule (``COPPA Rule'' or ``the 
Rule'').

DATES: Written comments must be received on or before October 23, 2019. 
The Commission will hold a public workshop to review the COPPA Rule on 
October 7, 2019.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the Request for Comment part of the SUPPLEMENTARY INFORMATION 
section below. Write ``COPPA Rule Review, 16 CFR part 312, Project No. 
P195404,'' on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based 
form. If you prefer to file your comment on paper, mail your comment to 
the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 
20024.
    The workshop will be held at the Constitution Center, 400 7th 
Street SW, Washington, DC. It is free and open to the public, and 
members of the public who wish to participate but cannot attend can 
view a live webcast at ftc.gov.

FOR FURTHER INFORMATION CONTACT: Kristin Cohen (202-326-2276) or Peder 
Magee (202-326-3538), Division of Privacy and Identity Protection, 
Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 
20580.

SUPPLEMENTARY INFORMATION: 

I. Background

    The Commission typically reviews its Rules every ten years to 
ensure that they have kept up with changes in the marketplace, 
technology, and business models. Although the Commission's last COPPA 
Rule review ended in 2013, the Commission is conducting its ten-year 
review early because of questions that have arisen about the Rule's 
application to the educational technology sector, to voice-enabled 
connected devices, and to general audience platforms that host third-
party child-directed content. In addition to requesting comment on 
these issues, the Commission requests comment on the costs and benefits 
of the Rule, as well as on whether certain sections should be retained, 
eliminated, or modified. All interested persons are hereby given notice 
of the opportunity to submit written data, views, and arguments 
concerning the Rule.
    The COPPA Rule, issued pursuant to COPPA, 15 U.S.C. 6501, et seq., 
became

[[Page 35843]]

effective on April 21, 2000, and was revised on January 17, 2013. The 
Rule imposes certain requirements on operators of websites or online 
services directed to children under 13 years of age, and on operators 
of other websites or online services that have actual knowledge that 
they are collecting personal information online from a child under 13 
years of age (collectively, ``operators'').\1\ Among other things, the 
Rule requires that operators provide notice to parents and obtain 
verifiable parental consent prior to collecting, using, or disclosing 
personal information from children under 13 years of age. The Rule also 
requires operators to keep secure the information they collect from 
children and prohibits them from conditioning children's participation 
in activities on the collection of more personal information than is 
reasonably necessary to participate in such activities. Further, the 
Rule contains a ``safe harbor'' provision enabling industry groups or 
others to submit to the Commission for approval self-regulatory 
guidelines that would implement the Rule's protections.
---------------------------------------------------------------------------

    \1\ 16 CFR part 312.
---------------------------------------------------------------------------

II. Rule Review

    COPPA and Sec.  312.11 of the original Rule required the Commission 
to initiate a review no later than five years after the Rule's 
effective date to evaluate the Rule's implementation. The Commission 
commenced this mandatory review on April 21, 2005. After receiving and 
considering extensive public comment on the Rule, the Commission 
determined in March 2006 to retain the COPPA Rule without change.\2\ In 
2010, however, due to changes in the online environment for children, 
the Commission undertook an extensive Rule review, which culminated in 
the amendments to the Rule adopted on January 17, 2013.\3\ The online 
environment for children continues to evolve at a rapid pace, 
including, for example, the significant increase in education 
technology in the classroom and social media and platforms with third-
party content appealing to children. The Commission believes these 
changes warrant another reexamination of the Rule at this time.
---------------------------------------------------------------------------

    \2\ See 71 FR 13247 (Mar. 15, 2006).
    \3\ See 78 FR 3972 (Jan. 17, 2013).
---------------------------------------------------------------------------

    In this document, the Commission poses its standard regulatory 
review questions to determine whether the Rule should be retained, 
eliminated, or modified. The Commission also asks whether the 2013 
revisions to the Rule have resulted in stronger protections for 
children and more meaningful parental control over the collection of 
personal information from children, and whether the revisions have had 
any negative consequences. It further poses specific questions about 
the existing sections of the Rule, including:
     Definitions,
     Requirement that operators post notices of their privacy 
practices,
     Methods of obtaining verifiable parental consent before 
collecting children's information,
     Security requirements,
     Parental right to review or delete children's information, 
and
     Safe harbor provisions.
    In addition to these questions, the Commission seeks comment on the 
application of the Rule to the educational technology sector, voice-
enabled connected devices, and general audience platforms that host 
child-directed third-party content. Specifically, the Commission 
requests comment on whether exceptions to parental consent are 
warranted for: (1) The use of education technology where the school 
provides consent for the collection of personal information from the 
child (see Question 23); or (2) the collection of audio files as a 
replacement for text, where the audio files are promptly deleted (see 
Question 24), in line with the enforcement policy statement issued by 
the Commission.\4\
---------------------------------------------------------------------------

    \4\ See Enforcement Policy Statement Regarding the Applicability 
of the COPPA Rule to the Collection and Use of Voice Recordings, 82 
FR 58076 (Dec. 8, 2017).
---------------------------------------------------------------------------

    Additionally, the Commission seeks comment on whether there are 
circumstances in which general audience platforms with third-party, 
child-directed content should be able to rebut the presumption that all 
users interacting with that content are children (see Question 25). If 
allowed to rebut this presumption, operators of general audience 
platforms could, in certain circumstances, collect personal information 
from users on their sites that they determine are age 13 or older.
    Finally, the Commission seeks comment on whether the COPPA Rule 
should be amended to better address websites and online services that 
may not meet the current definition of ``website or online service 
directed to children,'' but that have large number of child users (see 
Question 15). For example, should the definition of ``website or online 
service directed to children'' be amended, consistent with the statute, 
to cover these types of websites and, if so, what type of changes would 
be required? Are there other proposed amendments, consistent with the 
statute, for the Commission to consider to ensure children using these 
sites and services receive COPPA protections?

III. Questions Regarding the COPPA Rule

    The Commission invites members of the public to comment on any 
issues or concerns they believe are relevant or appropriate to the 
Commission's review of the COPPA Rule, and to submit written data, 
views, facts, and arguments addressing the Rule. All comments should be 
filed as prescribed in the ADDRESSES section of this document, and must 
be received by October 23, 2019. If your comment proposes any 
modifications to the Rule, please also address whether your proposed 
modification may conflict with the statutory provisions of COPPA and, 
if so, whether you propose seeking legislative changes to the Act. The 
Commission is particularly interested in comments addressing the 
following questions:

A. General Questions for Comment

    1. Is there a continuing need for the Rule as currently 
promulgated? Why or why not?
    a. Since the Rule was issued, have changes in technology, industry, 
or economic conditions affected the need for or effectiveness of the 
Rule?
    b. What are the aggregate costs and benefits of the Rule?
    c. Does the Rule include any provisions not mandated by the Act 
that are unnecessary or whose costs outweigh their benefits? If so, 
which ones and why?
    2. What effect, if any, has the Rule had on children, parents, or 
other consumers?
    a. Has the Rule benefited children, parents, or other consumers? If 
so, how?
    b. Has the Rule imposed any costs on children, parents, or other 
consumers? If so, what are these costs?
    c. What changes, if any, should be made to the Rule to increase its 
benefits, consistent with the Act's requirements? What costs would 
these changes impose?
    3. What impact, if any, has the Rule had on operators?
    a. Has the Rule provided benefits to operators? If so, what are 
these benefits?
    b. Has the Rule imposed costs on operators, including costs of 
compliance in time or monetary expenditures? If so, what are these 
costs?
    c. What changes, if any, should be made to the Rule to reduce the 
costs imposed on operators, consistent with the Act's requirements? How 
would these changes affect the Rule's benefits?

[[Page 35844]]

    4. How many small businesses are subject to the Rule? What costs 
(types and amounts) do small businesses incur in complying with the 
Rule? How has the Rule otherwise affected operators that are small 
businesses? Have the costs or benefits of the Rule changed over time 
with respect to small businesses? What about small businesses that 
control and process large sets of data? What regulatory alternatives, 
if any, would decrease the Rule's burden on small businesses, 
consistent with the Act's requirements?
    5. Does the Rule overlap or conflict with any other federal, state, 
or local government laws or regulations? How should these overlaps or 
conflicts be resolved, consistent with the Act's requirements?
    a. Are there any unnecessary regulatory burdens created by 
overlapping jurisdiction? If so, what can be done to ease the burdens, 
consistent with the Act's requirements?
    b. Are there any gaps where no federal, state, or local government 
law or regulation has addressed a problematic practice relating to 
children's online privacy? Could or should any such gaps be remedied by 
a modification to the Rule?
    6. Has the Rule affected practices relating to the collection and 
disclosure of information relating to children online? If so, how?
    7. Has the Rule affected children's ability to access information 
of their choice online? If so, how?
    8. Has the Rule affected the availability of websites or online 
services directed to children? If so, how?
    a. Has the number or type of websites or online services directed 
to children changed since the Rule became effective? If so, how? Did 
the Rule cause these changes?
    b. Approximately how many new websites and online services are 
created each year that are directed to children?

B. Definitions

    9. Do the definitions set forth in Sec.  312.2 of the Rule 
accomplish COPPA's goal of protecting children's online privacy and 
safety?
    10. Are the definitions in Sec.  312.2 clear and appropriate? If 
not, how can they be improved, consistent with the Act's requirements?
    11. The 2013 COPPA Rule amendments made several modifications to 
the definitions under the Rule, including to the terms ``Collects or 
collection,'' ``Online contact information,'' ``Operator,'' ``Personal 
information,'' ``Support for the internal operations of the website or 
online service,'' and ``website or online service directed to 
children.'' Have these revised definitions resulted in stronger 
protections for children's online privacy and safety? Have they had any 
negative consequences that require revision?
    12. The 2013 revised COPPA Rule amended the definition of 
``Personal information'' to include, among other items, a ``persistent 
identifier that can be used to recognize a user over time and across 
different websites or online services.'' Has this revision resulted in 
stronger privacy protection for children? Has it had any negative 
consequences?
    13. Should the Commission consider further revision to the 
definition of ``Personal information''? Are there additional categories 
of information that should be expressly included in this definition, 
such as genetic data, fingerprints, retinal patterns, or other 
biometric data? What about personal information that is inferred about, 
but not directly collected from, children? What about other data that 
serve as proxies for personal information covered under this 
definition? Does this type of information permit the physical or online 
contacting of a specific individual?
    14. Should the definition of ``Support for the internal operations 
of the website or online service'' be modified? Are there practices in 
addition to behavioral targeting and profiling that should be expressly 
excluded from the definition? Should additional activities be expressly 
permitted under the definition? For example, should the definition 
expressly include advertising attribution? Advertising attribution is 
the method used to determine whether a particular advertisement led the 
user to take a particular step, such as downloading an app.
    15. Does Sec.  312.2 correctly articulate the factors to consider 
in determining whether a website or online service is directed to 
children? Do any of the current factors need to be clarified? Are there 
additional factors that should be considered? For example, should the 
definition be amended, consistent with the statute, to better address 
websites and online services that do not include traditionally child-
oriented activities, but that have large numbers of child users? If so, 
what types of changes to the definition should be considered? Are there 
other proposed amendments, consistent with the statute, for the 
Commission to consider to ensure children using these types of websites 
and online services receive COPPA protections?
    16. Has the 2013 addition, found in part (3) of the definition of 
``website or online service directed to children,'' which permits those 
sites that do not target children as their primary audience to age 
screen users, resulted in stronger protections for children's privacy? 
Should the Rule be more specific about the appropriate methods for 
determining the age of users?
    17. What are the implications for COPPA enforcement raised by 
technologies such as interactive television, interactive gaming, 
chatbots, or other similar interactive media?

C. Notice

    18. Section 312.4 of the Rule sets out the requirements for the 
content and delivery of operators' notices of their information 
practices with regard to children.
    a. Are the requirements in this Section clear and appropriate? If 
not, how can they be improved? Should the Rule, for example, more 
clearly state that an operator's direct notice should include not just 
the types of personal information collected, but also how the operator 
intends to use the personal information that is collected? Should the 
Rule require the notice to include information about the categories of 
third parties, such as advertisers, that may make use of the 
information collected? The Rule's direct notice requirement found in 
Sec.  312.4(c) presupposes that the operator has collected the parent's 
online contact information. Should the Rule more clearly state the 
content of direct notices where the operator does not collect a 
parent's online contact information?
    b. Should the notice requirements be clarified or modified in any 
way to reflect changes in the types or uses of children's information 
collected by operators or changes in communications options available 
between operators and parents?

D. Parental Consent

    19. Section 312.5 of the Rule requires operators to obtain 
verifiable parental consent before collecting, using, or disclosing 
personal information from children, including consent to any material 
change to practices to which the parent previously consented. This 
Section further requires operators to make reasonable efforts to obtain 
this consent, and the efforts must be reasonably calculated to ensure 
that the person providing consent is the child's parent, taking into 
consideration available technology.
    a. Has the consent requirement been effective in protecting 
children's online privacy and safety?
    b. What data exist on: (1) Operators' use of parental consent 
mechanisms; (2)

[[Page 35845]]

parents' awareness of the Rule's parental consent requirements; or (3) 
parents' response to operators' parental consent requests?
    20. Section 312.5(b)(2) of the Rule provides a non-exhaustive list 
of approved methods to obtain verifiable parental consent, including: 
Providing a consent form to be signed by the parent and returned to the 
operator; requiring a parent to use a credit card, debit card, or other 
online payment system in connection with a monetary transaction; having 
a parent call a toll-free number staffed by trained personnel; having a 
parent connect to trained personnel via video-conference; and verifying 
a parent's identity by checking a form of government-issued 
identification against databases of such information. In addition, 
pursuant to the process set forth in Sec.  312.12(a), the Commission 
has approved the use of knowledge-based authentication \5\ and facial 
recognition technology.\6\ Section 312.5(b)(2) also sets forth a 
mechanism that operators can use to obtain verifiable parental consent 
for uses of information other than ``disclosures'' (the ``email plus 
mechanism''). The email plus mechanism permits the use of an email 
coupled with additional steps to provide assurances that the person 
providing consent is the parent, including sending a confirmatory email 
to the parent following receipt of consent or obtaining a postal 
address or telephone number from the parent and confirming the parent's 
consent by letter or telephone call.
---------------------------------------------------------------------------

    \5\ See Letter to Imperium, LLC (Dec. 23, 2013), https://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-grants-approval-new-coppa-verifiable-parental-consent-method/131223imperiumcoppa-app.pdf.
    \6\ See Letter to Jest8 Limited (Trading as Riyo) (Nov. 18, 
2015), https://www.ftc.gov/system/files/documents/public_statements/881633/151119riyocoppaletter.pdf.
---------------------------------------------------------------------------

    a. To what extent are operators using each of the enumerated 
methods? Please provide as much specific data as possible, including 
the costs and benefits associated with each method described.
    b. Are there additional methods to obtain verifiable parental 
consent, based on current or emerging technological changes, which 
should be added to Sec.  312.5 of the Rule? What are the costs and 
benefits of these additional methods?
    c. Should any of the currently enumerated methods to obtain 
verifiable parental consent be removed from the Rule? If so, please 
explain which one(s) and why.
    d. Should the Commission consider any changes to the Rule to 
encourage the development of new methods of parental consent?

E. Exceptions to Verifiable Parental Consent

    21. COPPA and Sec.  312.5(c) of the Rule set forth eight exceptions 
to the prior parental consent requirement. Are the exceptions in Sec.  
312.5(c) clear and appropriate? If not, how can they be improved, 
consistent with the Act's requirements?
    22. Should the Commission consider additional exceptions to 
parental consent, consistent with the Act's requirements?
    23. In the Statement of Basis and Purpose to the 1999 COPPA Rule, 
the Commission noted that the Rule ``does not preclude schools from 
acting as intermediaries between operators and schools in the notice 
and consent process, or from serving as the parents' agent in the 
process.'' \7\ Since that time, there has been a significant expansion 
of education technology used in classrooms. Should the Commission 
consider a specific exception to parental consent for the use of 
education technology used in the schools? Should this exception have 
similar requirements to the ``school official exception'' found in the 
Family Educational Rights and Privacy Act (``FERPA''),\8\ and as 
described in Protecting Student Privacy While Using Online Educational 
Services: Requirements and Best Practices? \9\ If the Commission were 
to amend the COPPA Rule to include such an exception:
---------------------------------------------------------------------------

    \7\ 65 FR 59888, 59903 (Nov. 3, 1999).
    \8\ Such requirements would, for example: Prohibit operators 
from using personal information without the school official's 
consent; limit operators' use of information to the specified 
educational purpose and no other commercial purpose; ensure that the 
school maintains control of the information, including the right to 
review, correct, and delete the information; and prohibit operators 
from disclosing the information to third parties.
    \9\ See U.S. Department of Education, Privacy Technical 
Assistance Center, Protecting Student Privacy While Using Online 
Educational Services: Requirements and Best Practices, https://tech.ed.gov/wp-content/uploads/2014/09/Student-Privacy-and-Online-Educational-Services-February-2014.pdf (2014).
---------------------------------------------------------------------------

    a. Should the Rule specify who at the school can provide consent?
    b. Should operators be able to use the personal information 
collected from children to improve the product? Should operators be 
able to use the personal information collected from children to improve 
other educational or non-educational products? Should de-identification 
of the personal information be required for such uses? Is de-
identification of such personal information effective at preventing re-
identification? What kinds of specific technical, administrative, 
operational or other procedural safeguards have proved effective at 
preventing re-identification of de-identified data? Are there instances 
in which de-identified information has been sold or hacked and then re-
identified?
    c. Should parents be able to request deletion of personal 
information collected by operators under such an exception?
    d. Should an operator require the school to notify the parent of 
the operator's information practices and, if so, how should the school 
provide such notice?
    e. Should such an exception result in a preemption of state laws? 
If so, would that result negatively affect children's privacy?
    f. Should the scope of the school's authority to consent be limited 
to defined educational purposes? Should such purposes be defined, and 
if so, how? Should operators seeking consent in the school setting be 
prohibited from using information for particular purposes, such as 
marketing to students or parents?
    24. In 2017, the Commission issued an enforcement policy statement 
addressing the use of audio files containing a child's voice.\10\ The 
Commission explained that it would not take an enforcement action 
against an operator for not obtaining parental consent before 
collecting an audio file with a child's voice when the audio file is 
collected solely as a replacement for written words, such as to perform 
a search, so long as the audio file is held for a brief time and used 
only for that purpose. Should the Commission amend the Rule to 
specifically include such an exception? If the Commission were to 
include such an exception, should an operator be able to de-identify 
these audio files and use them to improve its products? If so, for how 
long should operators be permitted to retain such de-identified audio 
files? Is de-identification of audio files effective at preventing re-
identification? Are there specific technical, administrative, 
operational or other procedural safeguards that have proved effective 
at preventing re-identification of de-identified data? Are there 
instances in which de-identified information has been sold or hacked 
and then re-identified?
---------------------------------------------------------------------------

    \10\ See Enforcement Policy Statement Regarding the 
Applicability of the COPPA Rule to the Collection and Use of Voice 
Recordings, 82 FR 58076 (Dec. 8, 2017).
---------------------------------------------------------------------------

    25. In some circumstances, operators of general audience platforms 
do not

[[Page 35846]]

have COPPA liability for their collection of personal information from 
users of child-directed content on their platform uploaded by third 
parties, absent the platforms' actual knowledge that the content is 
directed to children. Operators of such platforms therefore may have an 
incentive to avoid gaining actual knowledge of the presence of child-
directed content on their platform. To encourage such platforms to take 
steps to identify and police child-directed content uploaded by others, 
should the Commission make modifications to the COPPA Rule? For 
example, should such platforms that identify and police child-directed 
content be able to rebut the presumption that all users of the child-
directed third-party content are children thereby allowing the platform 
to treat under and over age 13 users differently? \11\ Given that most 
users of a general audience platform are adults, there may be a greater 
likelihood that adults are viewing or interacting with child-directed 
content than on traditional child-directed sites. In considering this 
issue, the Commission specifically requests comment on the following:
---------------------------------------------------------------------------

    \11\ See 78 FR 3972, 3984 (Jan. 17, 2013) (``The Commission 
retains its longstanding position that child-directed sites or 
services whose primary target audience is children must continue to 
presume all users are children and to provide COPPA protections 
accordingly.'').
---------------------------------------------------------------------------

    a. Would allowing these types of general audience platforms to 
treat over and under age 13 users differently encourage them to take 
affirmative steps to identify child-directed content generated by third 
parties and treat it in accordance with COPPA?
    b. Would allowing such a rebuttal of the presumption that all users 
are children in this context require a Rule change? If so, would such a 
Rule change be consistent with the Act?
    c. If the Commission were to allow such a rebuttal of the 
presumption that all users of this content are children, what factors 
should it consider in determining whether the presumption has been 
rebutted? What methods could a general audience platform use to 
effectively rebut the presumption that all users of the third-party 
child-directed content are children?
    d. Could a general audience platform hosting third-party, child-
directed content effectively rebut this presumption by doing the 
following:
    i. Taking measures reasonably calculated to identify child-directed 
content generated by third parties for commercial purposes;
    ii. Permitting users that identify themselves through a neutral age 
gate to create an account on the platform;
    iii. Taking measures reasonably calculated, in light of available 
technology, to ensure that if personal information is to be collected 
from a user accessing child-directed content, the user is the person 
who created an account and identified as being 13 or older, and not a 
child in the household, such as through periodic authentication; and
    iv. Providing clear and conspicuous notice at the time the user is 
interacting with child-directed content of its information collection 
practices, and separately communicating those information practices 
through out-of-band notices, such as through online contact information 
provided as part of the account creation process?
    The Commission seeks comment on whether these measures, or any 
others, could effectively rebut the presumption that all users of this 
child-directed content are children, and also on the ways in which an 
operator could implement these measures.
    e. What, if any, risk is presented by permitting general audience 
sites to rebut the presumption that all users of child-directed content 
are children? Would it prove challenging to reliably distinguish 
between a parent and a child who accesses content while logged in to a 
parent's account? In considering whether to permit general audience 
sites to rebut the presumption, should the Commission consider costs 
and benefits unrelated to privacy, such as whether children may be 
exposed to age-inappropriate content if they are treated as an adult?

F. Right of a Parent To Review or Have Personal Information Deleted

    26. Section 312.6(a) of the Rule requires operators to give 
parents, upon their request: (1) A description of the specific types of 
personal information collected from children; (2) the opportunity to 
refuse to permit the further use or collection of personal information 
from the child and to direct the deletion of the information; and (3) a 
means of reviewing any personal information collected from the child. 
In the case of a parent who wishes to review the personal information 
collected from the child, Sec.  312.6(a)(3) of the Rule requires 
operators to provide a means of review that ensures that the requestor 
is a parent of that child (taking into account available technology) 
and is not unduly burdensome to the parent.
    a. To what extent are parents exercising their rights under Sec.  
312.6(a)(1) to obtain from operators a description of the specific 
types of personal information collected from children?
    b. To what extent are parents exercising their rights under Sec.  
312.6(a)(2) to refuse to permit the further use or collection of 
personal information from the child and to direct the deletion of the 
information?
    c. To what extent are parents exercising their rights under Sec.  
312.6(a)(3) to review any personal information collected from the 
child?
    d. Do the costs and burdens to operators or parents differ 
depending on whether a parent seeks a description of the information 
collected, access to the child's information, or to have the child's 
information deleted?
    e. Is it difficult for operators to ensure, taking into account 
available technology, that a requester seeking to review the personal 
information collected from a child is a parent of that child?
    f. Do operators use different processes or procedures to respond to 
parents who exercise rights under Sec.  312.6(a)? Which processes or 
procedures are easiest for parents to use? Which are the most 
difficult? Do any mechanisms exist to facilitate the exercise of these 
rights with more than one operator at a time?
    g. Where operators serve as service providers to schools, should 
parents be able to request the operators to delete personal information 
collected by them that are education records, such as grades or test 
scores?
    h. Are the requirements of Sec.  312.6 clear and appropriate? If 
not, how can they be improved, consistent with the Act's requirements?

G. Prohibition Against Conditioning a Child's Participation on 
Collection of Personal Information

    27. COPPA and Sec.  312.7 of the Rule prohibit operators from 
conditioning a child's participation in an activity on disclosing more 
personal information than is reasonably necessary to participate in 
such activity.
    a. Do operators take this requirement into account when shaping 
their online offerings to children?
    b. Has the prohibition been effective in protecting children's 
online privacy and safety?
    c. Is Sec.  312.7 of the Rule clear and appropriate? If not, how 
could it be improved, consistent with the Act's requirements?

H. Confidentiality, Security, and Integrity of Personal Information

    28. Section 312.8 of the Rule requires operators to establish and 
maintain reasonable procedures to protect the confidentiality, 
security, and integrity of personal information collected from a child, 
and to release children's personal

[[Page 35847]]

information only to service providers and third parties who are capable 
of maintaining the confidentiality, security, and integrity of the 
personal information, and who provide assurances that they will do so.
    a. Have operators implemented sufficient safeguards to protect the 
confidentiality, security, and integrity of personal information 
collected from a child?
    b. Is Sec.  312.8 of the Rule clear and adequate? If not, how could 
it be improved, consistent with the Act's requirements? Should the Rule 
include more specific information security requirements, for example to 
require encryption of certain personal information?

I. Safe Harbors

    29. Section 312.11(g) of the Rule provides that an operator will be 
deemed in compliance with the Rule's requirements if the operator 
complies with Commission-approved self-regulatory guidelines (the 
``safe harbor'' process).
    a. Has the safe harbor process been effective in enhancing 
compliance with the Rule?
    b. Should the criteria for Commission approval of a safe harbor 
program currently enumerated in Sec.  312.11(b) be modified in any way? 
To what extent should the Commission consider the financial structure 
and incentives of organizations operating safe harbors? Is there any 
evidence that the corporate structure of a safe harbor program impacts 
its effectiveness? Should the Commission consider applying any 
restrictions on the types of organizations that may operate safe 
harbors?
    c. Should Sec.  312.11(g) of the Rule, regarding the Commission's 
discretion to initiate an investigation or bring an enforcement action 
against an operator participating in a safe harbor program, be 
clarified or modified in any way?
    d. Should any other changes be made to the criteria for approval of 
self-regulatory guidelines, consistent with the Act's requirements?
    e. Should the Commission consider any changes to the safe harbor 
monitoring process, including any changes to promote greater 
transparency?
    f. Should the Rule include factors for the Commission to consider 
in revoking approval for a safe harbor program?

IV. Request for Comment

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before October 23, 
2019. Write ``COPPA Rule Review, 16 CFR part 312, Project No. 
P195404,'' on the comment. Your comment, including your name and your 
state, will be placed on the public record of this proceeding, 
including, to the extent practicable, on the https://www.regulations.gov website.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comment online. To make sure that the Commission considers your 
online comment, you must file it at https://www.regulations.gov by 
following the instructions on the web-based form.
    If you file your comment on paper, write ``COPPA Rule Review, 16 
CFR part 312, Project No. P195404,'' on your comment and on the 
envelope, and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite 
CC-5610 (Annex B), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex 
B), Washington, DC 20024. If possible, please submit your paper comment 
to the Commission by courier or overnight service.
    Because your comments will be placed on the publicly accessible 
website, https://www.regulations.gov, you are solely responsible for 
making sure that your comment does not include any sensitive personal 
information, such as your or anyone else's Social Security number, date 
of birth, driver's license number or other state identification number 
or foreign country equivalent, passport number, financial account 
number, or credit or debit card number. You are also solely responsible 
for making sure that your comment does not include any sensitive health 
information, such as medical records or other individually identifiable 
health information. In addition, your comment should not include any 
``[t]rade secret or any commercial or financial information which . . . 
is privileged or confidential''--as provided in Section 6(f) of the 
Federal Trade Commission Act (``FTC Act''), 15 U.S.C. 46(f), and FTC 
Rule 4.10(a)(2), 16 CFR 4.10(a)(2)--including in particular 
competitively sensitive information such as costs, sales statistics, 
inventories, formulas, patterns, devices, manufacturing processes, or 
customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comments to be withheld from 
the public record. Your comment will be kept confidential only if the 
FTC General Counsel grants your request in accordance with the law and 
the public interest. Once your comment has been posted publicly at 
www.regulations.gov--as legally required by FTC Rule 4.9(c)--we cannot 
redact or remove your comment from the FTC website, unless you submit a 
confidentiality request that meets the requirements for such treatment 
under FTC Rule 4.9(c), and the General Counsel grants the request.
    Visit the FTC website to read this Notice and the news release 
describing it. The FTC Act and other laws that the Commission 
administers permit the collection of public comments to consider and 
use in this proceeding as appropriate. The Commission will consider all 
timely and responsive public comments that it receives on or before 
October 23, 2019. For information on the Commission's privacy policy, 
including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

    By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2019-15754 Filed 7-24-19; 8:45 am]
BILLING CODE 6750-01-P