AGENCY:

Federal Trade Commission.

ACTION:

Retention of rule without modification.

SUMMARY:

The Federal Trade Commission (“the Commission”) has completed its regulatory review of the Children's Online Privacy Protection Rule (“the COPPA Rule” or “the Rule”), which implements the Children's Online Privacy Protection Act of 1998. The Rule regulates how Web site operators and others may collect, use, and distribute personal information from children online. The Commission requested comment on the costs and benefits of the Rule and whether it should be retained without change, modified, or eliminated. The Commission also requested comment on the Rule's effect on: information practices relating to children; children's ability to obtain online access to information of their choice; and the availability of Web sites directed to children. Pursuant to this review, the Commission concludes that the Rule continues to be valuable to children, their parents, and Web site operators, and has determined to retain the Rule in its current form. This document discusses the comments received in response to the Commission's request for public comment and announces the Commission's decision to retain the Rule without modification.

DATES:

Effective Date: March 15, 2006.

FOR FURTHER INFORMATION CONTACT:

Karen Muoio, (202) 326-2491, Federal Trade Commission, 600 Pennsylvania Avenue NW., Mail Drop NJ-3212, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Introduction

Pursuant to Congressional direction and the Commission's systematic program of reviewing its rules and guides, in April 2005 the Commission issued a Federal Register Proposed Rule seeking public comment on the overall costs and benefits of the COPPA Rule and other issues related to the Rule (“April 2005 NPR”).^[1] In response, the Commission received 25 comments from various parties, including: trade associations, Web site operators, privacy and educational organizations, COPPA safe harbor programs, and consumers.^[2] As part of its review, the Commission also considered the 91 comments received in response to its January 14, 2005 Notice of Proposed Rulemaking (“January 2005 NPR”) on the Rule's sliding scale approach to obtaining verifiable parental consent.^[3]

In the April 2005 NPR, the Commission asked members of the public to comment on all aspects of the Rule and additionally posed twenty-one specific questions. The Commission requested comment on the general costs and benefits of the Rule, each specific provision of the Rule, prominent issues that have arisen since the inception of the Rule, and particular issues that Congress statutorily directed the Commission to evaluate. The April 2005 NPR also restated the questions pertaining to the sliding scale approach to obtaining verifiable parental consent that were posed in the January 2005 NPR, to give the public further opportunity to comment on that issue.

Commenters generally favored retaining the Rule without modification. In addition, although some commenters did not favor making the sliding scale approach permanent, they did not provide the Commission with sufficient data upon which to base a determination to eliminate or revise the sliding scale approach.

This document first describes the background and requirements of the Rule. It then summarizes the comments received regarding the costs and benefits of the Rule and whether it should be retained, eliminated, or modified. It finally explains the Commission's determination to retain the Rule without modification.^[4]

II. Description and Background of the Children's Online Privacy Protection Rule

On October 21, 1998, Congress enacted COPPA (15 U.S.C. 6501-6508), which prohibits certain unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personal information from children on the Internet.^[5] Pursuant to COPPA's requirements, the Commission issued its final Rule implementing COPPA on November 3, 1999.^[6]

The Rule imposes requirements on operators of Web sites or online services directed to children under 13 years of age or that have actual knowledge that they are collecting personal information online from children under 13 years of age (collectively, “operators”).^[7] Among other things, the Rule requires operators to provide notice to parents and to obtain “verifiable parental consent” prior to collecting, using, or disclosing personal information from children under 13 years of age.^[8] “Verifiable parental consent” means that the consent method must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.^[9]

When the Commission issued the Rule in 1999, it adopted a sliding scale approach to obtaining verifiable parental consent.^[10] Under such an approach, more reliable measures are required for parental consent if an operator intends to disclose a child's information to third parties or the public than if the operator only uses the information internally. The Commission adopted the sliding scale approach to address concerns that it was not yet feasible to require more technologically advanced methods of consent for internal uses of information. To reflect the expectation that this assessment could change, the sliding scale was scheduled to sunset in 2002. When public comment in 2002 indicated that changes in the technology had not occurred, the Commission extended the sliding scale approach three more years.^[11] In January 2005, the Commission sought public comment on whether to make the sliding scale approach permanent.^[12] Based on the comments received, the Commission determined that it would be appropriate to evaluate the sliding scale approach in the broader context of the current Rule review. Pending the outcome of the instant review, the Commission amended the Rule to extend the sliding scale approach.^[13]

In addition to requiring operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children, the Rule requires operators to post a notice of their information practices online, provide parents with access to their children's information, and keep that information confidential and secure.^[14] It also prohibits operators from conditioning children's participation in an activity on the children providing more personal information than is reasonably necessary to participate in that activity.^[15] Further, the Rule provides a safe harbor for operators following Commission-approved self-regulatory guidelines, and instructions on how to get such guidelines approved.^[16]

Both the Act and the Rule require that the Commission initiate a review of the Rule, including requesting data on certain issues, within five years of the Rule's effective date, i.e., April 21, 2005.^[17] The Commission initiated its review on that date.^[18] The review also has been conducted pursuant to the Commission's systematic program of periodically reviewing its rules and guides.

III. Discussion of Comments and the Retention of the Rule Without Modification

A. Summary of Comments

The Commission received 25 comments in response to its April 2005 NPR on the overall Rule and 91 comments in response to its January 2005 NPR on the sliding scale approach to obtaining verifiable parental consent, for a total of 116 comments.^[19] The commenters included trade associations, Web site operators, privacy and educational organizations, COPPA safe harbor programs, and consumers.

Of the 116 comments received, 68 were non-form letter comments from various entities and individuals. Approximately two-thirds of these 68 comments solely addressed the sliding scale approach.^[20] About one-third of Start Printed Page 13249them addressed other aspects of the Rule, in some cases also addressing the sliding scale approach.^[21]

Forty-eight commenters submitted a form letter opposing letting operators obtain verifiable parental consent through a reply to an e-mail alone, because this could allow children to forge their parents' consent. The form letter states, in pertinent part, that “Merely receiving an email from a parent's email address does not qualify as permission since it is possible for parents to not even be aware that an exchange has taken place and therefore allows companies to market to children without parental permission.” ^[22] In its original COPPA rulemaking, the Commission agreed, concluding “that e-mail alone does not satisfy the COPPA because it is easily subject to circumvention by children.” ^[23] Therefore, the Commission adopted the requirement in the Rule that operators must take an additional step to verify that it is, in fact, the parent sending the e-mail, a consent method commonly known as “e-mail plus.”^[24] Specifically, the operator must send the parent by e-mail, letter, or telephone call a confirmation of his or her consent.^[25]

No commenter stated that the Rule should be eliminated. To the contrary, almost all commenters advocated retaining the Rule in its current form ^[26] or adding to its requirements.^[27] Two commenters suggested excepting certain kinds of Web sites from the Rule's requirements,^[28] and one of the Rule's safe harbor programs suggested extending the protected status granted to safe harbor program participants.^[29] Some commenters requested clarification on particular aspects of the Rule.^[30]

On the specific issue of the sliding scale approach, unique commenters generally supported retaining it, with 34 unique comments submitted in favor of making it permanent ^[31] and nine unique comments submitted in favor of extending it for some period of time.^[32] Forty-eight form-letter comments opposed allowing receipt from a parent's e-mail address to qualify as permission but, as explained above, the Rule already requires more. Eleven unique commenters were against making permanent or extending the sliding scale approach ^[33] and four did not take a clear position.^[34]

B. General Comments on the Rule

The Commission's April 2005 NPR asked several questions about the implementation and necessity of the Rule as a whole. The NPR contained several standard Commission regulatory review questions about the costs and benefits of the Rule. The NPR also sought comments on three specific issues that Congress in the Act directed the Commission to evaluate.

1. The Costs and Benefits of the Rule

The Commission asked several general questions in the April 2005 NPR pertaining to the necessity and effectiveness of the Rule. The questions requested comment on how the Rule has affected children's online privacy and safety, whether the Rule is still needed, and how the Rule has affected consumers and operators. The Commission also requested comment on the Rule's effect on small businesses and whether the Rule is in conflict with other existing laws.

Commenters uniformly stated that the Rule has succeeded in providing greater protection to children's personal information online, that there is a continuing need for the Rule, and that the Rule should be retained.^[35] For example, in explaining the Rule's success in protecting children's privacy and safety online, one commenter stated that “COPPA has been very successful in improving the data collection practices and curtailing unscrupulous interactive marketing practices of commercial Web sites,” ^[36] while another said that “all indications are that COPPA and its implementing rules provide an important tool in protecting the privacy and safety of children using the Internet.” ^[37] Another commenter stated that the Rule has increased consumer awareness of privacy issues across the board while encouraging operators to respond creatively to the challenge of protecting children online.^[38]

As to the continuing need for the COPPA Rule, numerous commenters emphasized that the Rule provides operators with a clear set of standards to follow and that operators have received few, if any, complaints from parents about the standards and how they are implemented.^[39] One commenter described how the Rule's definite standards have fostered consumer and business confidence in the Internet.^[40] Moreover, operators stated that they have no complaints about the costs of complying with the Rule's requirements.^[41]

The Commission did not receive any comments specifically addressing the Rule's costs and benefits for small businesses or the Rule's overlap with other laws or regulations.

The Commission concludes that no modifications to the Rule are necessary on the basis of general comments submitted on the Rule and its costs and benefits.

2. COPPA-Mandated Issues

When Congress enacted COPPA, it included a provision requiring the Commission to evaluate and report on the implementation of the Rule five years after its effective date. Congress directed the Commission to evaluate three particular issues: (1) How the Rule has affected practices relating to the Start Printed Page 13250collection and disclosure of information relating to children online; (2) how the Rule has affected children's access to information of their choice online; and (3) how the Rule has affected the availability of Web sites or online services directed to children.^[42] Accordingly, the Commission specifically included questions about these issues in the April 2005 NPR.^[43]

Some commenters submitted views on the three issues, although none provided the Commission with related empirical data. Regarding the question of whether and, if so, how the Rule has affected practices relating to the collection, use, and disclosure of information relating to children online, three commenters (two operators of major Web sites and their trade association) provided specific and concrete examples of how the Rule has affected their own information practices concerning children.^[44] These commenters stated that the primary response of operators has been to limit the personal information they collect from children (by either not collecting any personal information or collecting only e-mail addresses) while developing innovative ways to offer the interactive online experiences children want. The commenters each described a wide variety of activities they offer at their Web sites that let children interact with the sites but require little or no information collection or disclosure.^[45]

These commenters also stated that the Rule's exceptions to prior verifiable parental consent for e-mail addresses are useful for providing children with safe online interactivity while preserving their Web sites' viability.^[46] The Rule sets forth five exceptions to its requirement that operators obtain verifiable parental consent before collecting a child's personal information. These exceptions allow operators to collect a child's online contact information (i.e., an e-mail address) ^[47] without obtaining prior parental consent and use that information only for certain specified purposes.^[48] In each instance, the Rule prohibits the operator from using the information for any other purpose.

The commenters highlighted two of the exceptions as particularly useful in providing interactive content to children. The first of these exceptions lets operators collect a child's e-mail address to respond once to a child's specific request, such as to answer a question (e.g., homework help) or to provide other information (e.g., when a new product will be on sale).^[49] The operator does not need to provide notice to the parents or obtain parental consent, so long as it deletes the child's e-mail address upon responding. The second noted exception lets an operator collect the e-mail addresses of the child and his or her parent so that the operator can respond more than once to a child's specific request, such as to subscribe the child to an electronic newsletter.^[50] Here, the operator must provide notice to the parent before contacting the child a second time and give the parent an opportunity to opt out of the repeated contact. Commenters stated that these two exceptions help them to provide safe, interactive, and fun children's content.^[51]

The second statutorily mandated question was whether and, if so, how the Rule has affected children's ability to access information online. Most commenters stated that the Rule's requirements have struck an appropriate balance between protecting children's personal information online and preserving their ability to access content.^[52] One commenter stated that the Rule has “unfairly limited student access to educational sites.” ^[53] In contrast, another commenter noted that, in her experience as a teacher, children have been able to access online educational content without revealing their personal information and that her students “have not faced a problem because of COPPA.” ^[54] In addition, in the educational context, teachers often can act on behalf of parents to provide consent for purposes of COPPA.^[55]

The final statutorily mandated question concerned the Rule's effect on the availability of Web sites directed to children. Many commenters indicated that they have been successful in operating popular and viable children's Web sites in the five years since the Rule's effective date.^[56] One commenter, however, suggested that the Rule's requirements could have caused at least a few smaller children's Web sites to fail.^[57] However, this commenter also acknowledged that, given the failure of innumerable Web sites for multiple reasons during the dot-com bust of 2000, it would be difficult to single out the Rule as the cause. No commenters submitted empirical data showing the Rule's direct impact on the availability of Web sites directed to children. Accordingly, the record does not indicate that the cost of complying with COPPA has decreased the number of children's Web sites.^[58]

The Commission concludes that no modifications to the Rule are necessary on the basis of the comments submitted in response to the three COPPA-mandated questions.

C. Comments Pertaining to Specific Rule Provisions ⁵⁹

1. Section 312.2: Definitions

Section 312.2 defines various terms used in the Rule.^[60] The Commission Start Printed Page 13251requested comment on whether the definitions contained in this section are effective, clear, and appropriate, and whether any improvements or additions should be made. In particular, the Commission asked whether the Rule correctly articulates the factors to consider in determining whether a Web site is directed to children and whether the term “actual knowledge” is sufficiently clear.^[61]

No comments were submitted on the general effectiveness of the Rule's definitions section, but the Commission received some comments concerning the terms “website or online service directed to children” and “actual knowledge.” The term “website or online service directed to children” is defined specifically in COPPA and the Rule itself,^[62] while “actual knowledge” is discussed in the Rule's Statement of Basis and Purpose and later Commission guidance.^[63] Overall, most commenters stated that the terms are sufficiently clear,^[64] although two suggested that the Commission continue to refine the terms through enforcement actions or other guidance.^[65]

a. “Website or Online Service Directed to Children”

The Rule specifically defines the term “website or online service directed to children” as “a commercial website or online service, or portion thereof, that is targeted to children.” ^[66] The Rule further provides that, in determining whether a Web site or online service is “targeted to children,” the Commission will consider several factors. These factors include subject matter; visual and audio content; age of models; language or other characteristics; advertising appearing on or promoting the site or service; competent and reliable empirical evidence of audience composition; evidence regarding the intended audience; and whether the site uses animated characters or child-oriented activities or incentives.^[67] The Rule's Statement of Basis and Purpose states that the Commission, in making its determination, will consider “the overall character of the site—and not just the presence or absence of one or more factors.” ^[68] Commenters representing numerous Web site operators stated that the language of the Rule and discussion in the Rule's Statement of Basis and Purpose provide effective and clear guidance for determining whether a Web site is directed to children.^[69]

Two commenters suggested that the Commission clarify, through additional guidance, when a Web site is considered to be directed to children under the Rule. The first commenter suggested adding several design elements to the Rule's list of factors the Commission will consider, including color, non-textual content, interactivity, navigational tools, and advertisements.^[70] The Commission believes that the existing factors set forth in the Rule already encompass these suggested additions. For example, the Rule's definition expressly provides that the Commission will consider advertising appearing on or promoting the Web site or service.^[71] The Rule also provides that the Commission will consider a site's visual and audio content, language and other characteristics of the site, and any child-oriented activities or incentives.^[72] The Commission therefore concludes it is unnecessary to modify the Rule's definition of a Web site or online service directed to children.

A second commenter suggested it might be instructive to incorporate into the Rule the analysis that Commission staff set forth in a recent letter denying a petition for law enforcement action filed concerning the Amazon Web site, http://www.amazon.com.^[73] The letter, published on the petitioner's Web site,^[74] analyzes the Amazon Web site using the factors set forth in the Rule for determining whether a Web site is directed to children. The commenter suggested that incorporating the analysis into the Rule would clarify how the Commission determines whether other Web sites are directed to children. The letter does provide one example of how the Commission staff has applied the Rule's factors in analyzing whether a particular Web site was directed to children. However, the Commission does not believe that the general factors in the Rule need to be modified in light of the FTC staff's application of these factors in that specific instance.

b. “Actual Knowledge”

The Commission also asked whether the term “actual knowledge” is sufficiently clear. The Rule's requirements apply to operators of Web sites other than those directed to children (sometimes referred to as “general audience Web sites”) if such operators have “actual knowledge” that they are collecting or maintaining personal information from children.^[75] The Rule's Statement of Basis and Purpose explains that a general audience Web site operator has the requisite actual knowledge if it “learns of a child's age or grade from the child's registration or a concerned parent * * * .” ^[76] It may have the requisite knowledge if it asks age, grade, or other age-identifying questions.^[77] Subsequent to the Rule's issuance, the Commission staff posted guidance on the FTC Web site clarifying that a general audience Web site operator does not obtain actual knowledge of a child's age “[i]f a child posts personal information on a general audience site, but doesn't reveal his or her age * * *” ^[78] In addition, the guidance provides that the operator would not have actual knowledge if a child posts his or her age in a chat room on the site, but no one at the operator sees or is alerted to the post.^[79]

Most commenters stated that the Rule's Statement of Basis and Purpose and subsequent guidance have made the term “actual knowledge” sufficiently clear and no modification to the Rule is necessary.^[80] For example, one commenter states “the Commission's guidance clarifying that asking for age or date of birth information or similar questions through which the Web site would learn the ages of specific visitors[] provides clear criteria for Web Start Printed Page 13252sites to determine their obligations.” ^[81] One commenter did suggest, however, that the Commission continue to clarify the term in the context of additional enforcement actions.^[82] The Commission concludes that no modifications to the Rule are necessary on the basis of these comments.

c. Age Screening and Age Falsification

General audience Web sites or those directed to teenagers may attract a substantial number of children under the age of 13. Although such Web sites are not directed at children under 13, operators of such sites must comply with the Rule to the extent that they have “actual knowledge” that visitors are under 13.

Some operators of such Web sites choose to screen visitors to determine whether they are under 13. This practice, popularly referred to as “age-screening,” started with Web sites directed to teenagers and is now used by many general audience Web sites that may appeal to children. Some general audience Web sites appear to use age-screening to reject children's registration requests, thus providing children with an incentive to falsify their age to gain access. The FTC staff has issued guidance regarding how operators of teen-directed Web sites can obtain age information from their visitors without encouraging age falsification.^[83]

The Commission asked if there was evidence that a substantial number of children were falsifying age information in response to age-screening on general audience Web sites and, if so, whether the Rule should be modified to address this problem. The Commission received five comments concerning age-screening. Two commenters stated that some children falsify their age to register on Web sites that screen for age, but provided no empirical information as to how frequently this occurs.^[84] Other commenters stated that age falsification is not a problem in practice, especially when Web sites follow Commission staff guidance and request age information in a neutral manner, then set session cookies to prevent children from later changing their age.^[85] One commenter suggested that attempting to regulate online age falsification would be unrealistic, because there is no way to prevent certain children from falsifying their age.^[86] Instead, commenters stressed that following Commission staff guidance on age-screening remains a reasonable practice for teen or general audience site operators seeking to comply with the Rule.^[87] The Commission has concluded that no changes to the Rule are needed in response to operators' age-screening practices.

d. Other Definitions

Few comments were submitted about the definitions of other terms used in the Rule. Two commenters suggested that the term “internal use” is not adequately defined.^[88] The Rule does not define the term “internal use,” but it does define “disclosure” to include releasing personal information collected from a child, except to a person providing internal support for the operations of the Web site.^[89] The Rule also explicitly provides that persons providing internal support cannot use the information for any other purpose.^[90] The Rule's Statement of Basis and Purpose further explains that “support for the internal operations of the Web site” can include providing technical support, servers, or services such as chat and e-mail.^[91]

The commenters that asked that “internal use” of information be defined specifically sought clarification as to whether sharing information among corporate affiliates constitutes an internal use or a disclosure. The Rule's Statement of Basis and Purpose explains that determining whether an operator's sharing of information with another entity is an internal use or a disclosure depends on the receiving entity's relationship to the information. Sharing information with another entity can constitute an internal use of the information only if it is solely to facilitate internal support services for the operator and the entity does not use the information for any other purpose.^[92] Sharing for any other use, whether or not the other entity is a corporate affiliate, constitutes a disclosure.^[93] The Commission concludes that no modification to the Rule is necessary.

Another commenter suggested that the Commission expand the Rule's definition of “operator” to include individuals operating noncommercial Web sites and nonprofit entities operating Web sites.^[94] COPPA expressly applies only to operators of Web sites and online services “operated for commercial purposes” and excludes “any nonprofit entity that would otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. 45).” ^[95] The Rule includes the statutory language of COPPA,^[96] so the Commission cannot modify the definition.

Finally, one commenter sought clarification of certain statutory terms set forth in COPPA, such as “online contact information,” “personal information,” “retrievable form,” and “recontact.” ^[97] To provide businesses and consumers with additional guidance, the Commission has provided more specific articulations of some of COPPA's statutory terms in the Rule and the Rule's Statement of Basis and Purpose. For example, the commenter asked the Commission to clarify whether certain types of information not specifically listed in COPPA's definition of “personal information,” such as IP addresses, unique identifiers, birthdates, or photographs, do constitute “personal information.” The Rule's definition of “personal information” includes “a persistent identifier * * * associated with individually identifiable information” as well as a photograph when combined with other information that permits contacting the individual.^[98] The Commission concludes that no Start Printed Page 13253additional clarification of the particular terms identified by this commenter is necessary.

For the reasons discussed above, the Commission concludes that no modifications to the Rule's current definitions are necessary.

2. Section 312.4: Notice

Section 312.4 of the Rule requires operators to provide notice of their information practices to parents. These notices must inform parents about their information practices, including what information they collect from children online, how they use the information, and their disclosure practices for such information. The Commission requested comment on whether the notice requirement is effective, if its benefits outweigh its costs, and what changes, if any, should be made to it.

Two commenters submitted comments on the Rule's notice provision. The first commenter noted the importance of providing parents with contact information for the operator, so they can discuss and attempt to resolve any concerns with the operator.^[99] The commenter did not seek any changes to the Rule's notice provision.

The second commenter stated that it was unclear whether the Rule requires a general audience Web site operator with actual knowledge that it has collected personal information from a child to post a privacy notice on its site.^[100] Section 312.4(b) of the Rule sets forth the requirements for posting a privacy notice on a Web site, including which operators must post a privacy notice online.^[101] According to the Rule, “an operator of a Web site or online service directed to children must post a link to a notice of its information practices with regard to children * * *” ^[102] In addition, “[a]n operator of a general audience website or online service that has a separate children's area or site must post a link to a notice of its information practices with regard to children* * *.” ^[103] The Rule therefore does not otherwise require that operators post privacy notices, including general audience site operators that have actual knowledge that they have collected personal information from children. For the above reasons, the Commission concludes that no modification to the Rule's notice requirement is necessary.

3. Section 312.5: Verifiable Parental Consent

a. General Issues

Section 312.5 of the Rule requires operators to obtain verifiable parental consent before collecting, using, or disclosing any personal information from children, including making any material change to information practices to which the parent previously consented. The Commission requested comment on whether the consent requirement is effective, if its benefits outweigh its costs, and what changes, if any, should be made to the requirement. The Commission further asked whether it is reasonable for an operator to use a credit card to verify a parent's identity. The Commission also offered an additional opportunity for the public to comment on the Rule's sliding scale approach to obtaining verifiable parental consent.

1. Parental Opt-Out From Disclosure to Third Parties

One commenter asked how operators that provide online communication services such as e-mail accounts, bulletin boards, and chat rooms can comply with Section 312.5(a)(2) of the Rule.^[104] This section mandates that parents must be given the option to allow an operator to collect a child's personal information (such as by registering a child for an e-mail or chat account) but not disclose the information collected to third parties.^[105] The commenter noted that the Rule defines “disclosure” to include “making personal information collected * * * publicly available in identifiable form,” such as through an e-mail account or chat room.^[106] Specifically, the commenter contended that “a parent cannot realistically consent only to the use of his or her child's personal information and not to the disclosure of such information by these [online communications] services.”^[107]

Commission staff guidance addresses this point. “The Rule only requires parental choice as to disclosures to third parties. You don't have to offer parents choice regarding the collection of personal information necessary for chat or a message board; but prior parental consent is still required before permitting children to participate in chat rooms or message boards that enable them to make their personal information publicly available.” ^[108] For example, when an e-mail provider obtains verifiable parent consent for registering a child for an e-mail account, the operator must let the parent opt out from any disclosures, by the operator, of information collected during the registration process. The Commission concludes that no modification to the Rule is required.

2. Using a Credit Card To Obtain Verifiable Parental Consent

The Rule sets forth a nonexclusive list of approved methods to obtain verifiable parental consent, including the use of a credit card in connection with a transaction.^[109] In light of reports that companies are marketing credit cards to minors,^[110] the Commission specifically requested comment on the continued use of credit cards as a means of obtaining verifiable parental consent.

The majority of commenters on this issue stated that even if a small percentage of children may possess credit cards, using a credit card with a transaction is a reasonable and trustworthy method to obtain verifiable parental consent.^[111] No information was submitted demonstrating to what extent credit cards are issued to children under 13.^[112] Commenters, however, emphasized that granting credit requires the formation of a legally enforceable contract between the creditor and the debtor, which has resulted in credit cards being issued almost exclusively to adults.^[113] Moreover, even if credit cards are being issued to children under 13, the same principles of contract law would require the credit cards to be linked to a supervisory adult's account.^[114] Through this link, parents can set controls on and monitor the account, ensuring that the children cannot use the credit cards without permission.^[115]

In addition, the Rule's requirement that the credit card be used in connection with a transaction provides Start Printed Page 13254extra reliability because parents obtain a transaction record that gives them additional notice of the consent provided.^[116] Parents thus are notified of the purported consent, and can withdraw it if improperly given.^[117] The Commission is satisfied that no change in circumstances has invalidated using a credit card with a transaction to obtain verifiable parental consent.^[118]

One commenter requested clarification on whether the Rule would permit using a credit card to obtain verifiable parental consent without a concomitant transaction.^[119] The Rule provides: “Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.” ^[120] Some methods can confirm that the credit card number provided is consistent with numbers that issuers assign to their credit cards, but this does not provide reasonable assurance that the number provided is for an actual credit card. Other methods can confirm that the credit card number is the number of an actual credit card, but does not provide reasonable assurance that the card belongs to the child's parent. The Commission therefore concludes that these methods are not reasonably calculated to ensure that it was the parent who provided consent. In addition, unless the operator conducts a transaction in connection with the consent, no record is formed notifying the parent of the purported consent and offering an opportunity to revisit that consent.^[121] The Commission concludes that no modification is warranted to the Rule provision treating the use of a credit card in connection with a transaction as one method of obtaining verifiable parental consent.^[122]

3. The E-Mail Exceptions to Prior Parental Consent

The Commission next requested comment on the Rule's exceptions to prior parental consent (the “e-mail exceptions” to prior parental consent). In limited circumstances, COPPA and Section 312.5(c) of the Rule allow operators to collect the online contact information of the child, and sometimes parent, before obtaining verifiable parental consent.^[123] Such circumstances include when the operator seeks to obtain parental consent, wants to respond once to a child's specific request (such as a homework help question), or wants to respond multiple times to a child's specific request (such as an electronic newsletter).^[124]

Two commenters stated that the e-mail exceptions are useful in allowing operators to continue to provide interactive content to children online. One stated: “The ability to use COPPA's ‘e-mail exceptions’ to parental consent has enabled us to offer meaningful children's content and preserve the interactivity of the medium, while still protecting privacy.” ^[125] The commenter noted that the e-mail exceptions enable not only online activities popular with children, such as contests, online newsletters, and electronic postcards, but also sending direct notices and requests for consent to parents.^[126]

Another commenter suggested that the Rule should prohibit operators from collecting any information from children, even just an e-mail address, without parental consent. However, the commenter neither provided any basis for eliminating the e-mail exceptions nor offered any alternative way to provide direct notice and obtain parental consent.^[127] The Commission concludes for these reasons that no modification to the e-mail exceptions to prior parental consent is necessary.

b. The Sliding Scale Approach To Obtaining Verifiable Parental Consent

In its April 2005 FRN, the Commission gave the public an additional opportunity to comment on the Rule's sliding scale approach to obtaining verifiable parental consent. The Rule provides that “[a]ny method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.” ^[128] Prior to issuing the Rule, the Commission studied extensively the state of available parental consent technologies.^[129] In July 1999, the Commission held a workshop on parental consent, which revealed that more reliable electronic methods of verification were not widely available or affordable.^[130]

In determining to adopt the sliding scale approach in 1999, the Commission balanced the costs imposed by the method of obtaining parental consent and the risks associated with the intended uses of information.^[131] Because of the limited availability and affordability of the more reliable methods of obtaining consent—including electronic methods of verification—the Commission found that these methods should be required only when obtaining consent for uses of information posing the greatest risks to children, such as chat, e-mail accounts, and message boards.^[132] Accordingly, the Commission implemented the sliding scale approach, noting that it would “provide[] operators with cost-effective options until more reliable electronic methods became available and affordable, while providing parents with the means to protect their children.” ^[133]

The sliding scale approach allows an operator, when collecting personal information only for its internal use, to obtain verifiable parental consent through an e-mail from the parent, so long as the e-mail is coupled with additional steps. Such additional steps include: obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call, or sending a delayed confirmatory e-mail to the parent after receiving consent.^[134] The purpose of the additional steps is to provide greater assurance that the person providing the consent is, in fact, the parent.

In contrast, for uses of personal information that involve disclosing the information to the public or third parties, the Rule requires operators to use more reliable methods of obtaining verifiable parental consent. These methods include: using a print-and-send form that can be faxed or mailed back to the Web site operator; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free telephone number staffed by trained personnel; using a digital certificate that uses public key Start Printed Page 13255technology; and using e-mail accompanied by a PIN or password obtained through one of the above methods.^[135] As noted in the Rule's Statement of Basis and Purpose, these more reliable methods of obtaining parental consent are justified because “the record shows that disclosures to third parties are among the most sensitive and potentially risky uses of children's personal information.” ^[136]

When it issued the Rule, the Commission anticipated that the sliding scale approach would be necessary only in the short term because more reliable methods of obtaining verifiable parental consent would become widely available and affordable.^[137] Accordingly, the approach originally was set to expire two years after the Rule went into effect.^[138] However, when public comment in 2002 revealed that the expected progress in available technology had not occurred, the Commission extended the approach three more years.^[139]

With the sliding scale approach set to expire on April 21, 2005, the Commission again sought comment on it in its January 2005 NPR.^[140] The NPR noted that the expected progress in available technology apparently still had not transpired and requested comment on a proposed amendment making the sliding scale approach a permanent feature of the Rule. The Commission also requested comment on: (1) The current and anticipated availability and affordability of more secure electronic mechanisms or infomediaries for obtaining parental consent; (2) the effect of the sliding scale approach on the incentive to develop and deploy more secure electronic mechanisms; (3) the effect of the sliding scale approach on operators' incentives to disclose children's personal information to third parties or the public; and (4) any evidence the sliding scale approach is being misused or not working effectively.

The vast majority of the commenters responding to the NPR stated that the development and deployment of secure electronic verification technologies did not appear to be on the horizon. However, because some commenters questioned the effectiveness of and need for the sliding scale approach, the Commission decided it would be beneficial to accept additional comments during the regulatory review comment period. To allow for such additional comments, the Commission eliminated the sliding scale approach's sunset date from the Rule, thereby extending the approach.^[141]

Having reviewed the comments submitted in response to the January 2005 NPR and the April 2005 NPR, the Commission concludes that more secure electronic mechanisms and infomediary services for obtaining verifiable parental consent are not yet widely available at a reasonable cost. The Commission therefore has decided to extend the sliding scale approach indefinitely, while continuing to monitor technological developments. As discussed below, the Commission believes that this flexible approach will allow parents and operators to continue to rely on a familiar and efficient tool and allow the Rule to reflect changes in technology.

1. The Availability and Cost of More Secure Methods of Verification

a. Electronic Verification Technology

Most of the commenters that specifically addressed the sliding scale approach stated that secure electronic mechanisms have not developed to the point where they are widely available and affordable.^[142] In addition, the anticipated date for the development and deployment of such technologies on a widespread and affordable basis cannot be predicted with any reasonable certainty.^[143] For example, the Software & Information Industry Association, the principal and worldwide trade association of the software code and digital content industry, stated that:

In reviewing developments over the last several years, there are no clear signals that the anticipated verification technology—technology that must be low-cost, widely deployed and acceptable to consumer end users—is likely to be economically and widely available in the consumer market in the foreseeable future.^[144]

The comments received suggest that extending the sliding scale approach will not discourage technological innovation or undermine the global development of secure electronic verification technologies.^[145] One commenter noted that the sliding scale approach does not prevent companies from using secure electronic technologies now or in the future.^[146] Although three commenters suggested that extending the sliding scale approach may discourage the development of secure verification technologies, none explained how or to what extent children's privacy and parental consent issues would have such an effect.^[147]

Several commenters discussed the state of electronic verification technology in detail and noted the lack of widely available, cost effective, and consumer friendly verification technologies.^[148] In particular, commenters discussed how digital signatures, digital certificates, public key infrastructure, P3P, and other electronic technologies have not developed as anticipated.^[149] For example, the Motion Picture Association of America (“MPAA”) said that “the range of digital signature technologies are either too costly for consumers (e.g., biometric verification systems), not able to confirm the identity of users (e.g., P3P), or not widely deployed (e.g., encryption key systems).” ^[150] The MPAA further stated that encryption key technology is only effective at confirming which computer has transmitted consent and cannot independently identify whether the user is a parent or a child.^[151] No commenters presented evidence that the state of these technologies—or their usefulness in obtaining parental consent—has improved since the inception of the Rule.

The United States Internet Service Provider Association, which represents major Internet service providers and network providers, explained that widespread public key infrastructure solutions have not developed due to the lack of an appropriate legal regime: “there is no easily identifiable certification authority that will take on the liability for verifying identities in an open, public system.” ^[152] The group also stated that reliable public key solutions are difficult to achieve because “certification standards are insufficiently developed and precise to assure reliable interoperability of the various subtly different implementations of a given standard Start Printed Page 13256* * * that inevitably appear in the open Internet environment.” ^[153]

The Platform for Privacy Preferences Project (“P3P”), developed by the World Wide Web Consortium, is a technology that enables Web sites to express their privacy practices in a standard, machine-readable format. P3P-enabled browsers can “read” privacy practices automatically and compare them to a consumer's own set of privacy preferences. The technology is designed to give consumers a simple, automated way to gain more control over the use of their personal information on Web sites they visit.^[154] While P3P technology can offer individuals more control over how their personal information is used or disclosed online, it is not employed widely by consumers.^[155] Even if it were widely used, the automated P3P platform would not facilitate the notice and consent required by COPPA. To give verifiable parental consent under COPPA, a parent must be informed about specific information and then provide an appropriate form of verifiable parental consent. P3P cannot ensure either that a parent has been informed or that the person providing consent is the child's parent. Moreover, parents' privacy preferences for themselves might not be the same as for their children.

Other commenters agreed that digital signature, digital certificate, and other digital verification technologies are not currently viable options for obtaining parental consent because they have not developed sufficiently and are not widely accessible to consumers.^[156] One commenter also noted that the cost of these technologies may be prohibitive for both businesses and consumers to use in obtaining parental consent.^[157]

Finally, commenters also noted that, to the extent these electronic verification technologies have improved, the advances have been in business-to-business, not business-to-consumer, applications.^[158] For example, digital signature and digital certificate technologies, which can provide reliable electronic verification of a signer's identity, are sometimes employed in commercial transactions, but have not advanced to the point of being a viable alternative for obtaining verifiable parental consent.^[159] Public key infrastructure solutions, which provide a means for encrypting and decrypting information, also seem to be marketed almost exclusively for business-to-business applications.^[160]

b. The Availability and Cost of Infomediary Services

Commenters likewise submitted information about whether infomediary services are widely available and affordable. Infomediary services act as middlemen in obtaining verifiable parental consent for Web sites and can offer options such as driver's license and social security number verification. Several commenters noted that infomediary services to facilitate obtaining verifiable parental consent are not widely available and affordable.^[161]

One commenter, Privo Inc., an infomediary service recently approved as a COPPA safe harbor program, stated that such services are already widely available at a reasonable cost, but cited only one example, itself.^[162] Privo's comment did not indicate how many clients have used its service, although another commenter stated that it has used Privo's service.^[163] This commenter expressed support for Privo's registration process; however, it did not contend that infomediary services are otherwise widely available.^[164]

The comments received did not demonstrate that infomediary services are affordable or would be widely used. Privo's comment did not provide any information about the start-up and monthly costs for operators that use its service, although it stated that it “currently does not charge more than $1 per verification, and often much less.” ^[165] Other commenters, in contrast, stated that the costs of obtaining verifiable parental consent through more verifiable means, like infomediary services, are higher than what many small and medium-size operators can afford to pay.^[166] Moreover, one commenter stated that parents are willing to grant consent to an operator with a recognizable brand name, but would be unlikely to “embrace infomediary technology” because it involves granting consent to an entity with which the parents have little or no experience.^[167] Consequently, the Commission finds that more secure electronic verification technologies and infomediary services to facilitate obtaining parental consent do not appear to be, currently or foreseeably, widely available at a reasonable cost.^[168]

2. The Effectiveness of the Sliding Scale Approach

The Commission concludes that, over the course of five years, the sliding scale approach has proven to be an effective method for protecting children's privacy without hindering the development of children's online content.^[169] Several commenters noted that there have been few complaints by parents about the sliding scale approach.^[170] Although some commenters suggested that the e-mail plus mechanism, permitted for internal use of information collected from children, is unreliable, they did not provide any examples where children's privacy has been violated.^[171] One commenter was concerned that operators may not understand that an additional follow-up step is required in addition to the consent e-mail itself.^[172]

Some comments received in response to the January 2005 NPR suggested that making the sliding scale approach permanent may foster the development of appropriate children's online content.^[173] These commenters noted that the sliding scale approach enables Web sites to provide interactive content for children without requiring operators to institute more costly parental consent mechanisms that could have the unintended effect of reducing children's Start Printed Page 13257content on the Internet.^[174] The commenters suggested that making the sliding scale approach permanent may encourage companies to make the types of investments in children's content that they may have hesitated to make in the past given the temporary nature of the sliding scale approach.^[175]

Nearly all commenters agreed that use of the sliding scale approach is justified because collecting children's personal information only for internal use continues to present a low risk to children.^[176] Even when an operator obtains consent through the e-mail plus mechanism, such information is protected because the operator must comply with the Rule's mandate to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity” of that information.^[177] In addition, commenters noted that disclosing children's personal information continues to pose a greater risk to children than keeping it internal.^[178] Some commenters stated that the low cost of the e-mail plus mechanism will encourage operators to not disclose children's information to third parties,^[179] which furthers one of COPPA's stated goals of protecting children's online safety.^[180] Two commenters even suggested that, given the lesser risks posed by operators' internal uses of information, the Commission should eliminate the prior parental consent requirement for such operators and require them only to provide parents with direct notice and an opportunity to opt-out of the maintenance and use of their child's information.^[181]

The Commission concludes that the effectiveness of the sliding scale approach warrants its continued use without modification.

3. The Commission's Decision To Extend the Sliding Scale on an Indefinite Basis

Several commenters argued that the sliding scale approach should be made permanent rather than extending it for a finite period of time. They stressed the benefits of greater regulatory certainty, including providing a consistent standard that operators can rely on in deciding how to structure their activities and encouraging investments in children's content with some assurance about the law's requirements for parental consent mechanisms.^[182] Some commenters additionally noted that many operators have made significant investments in implementing the sliding scale and that abandoning the regime without an equally viable, cost-effective alternative may adversely affect these companies, particularly the small ones.^[183]

Based on the public comments received, and its own experience in administering the Rule, the Commission concludes that the risk to children's privacy from an operator collecting personal information only for its internal use remains relatively low. The Commission also determines that more secure electronic technologies and infomediary services that might be used to obtain parental consent for internal use of personal information from children are not widely available at a reasonable cost. Further, the Commission concludes that the sliding scale approach has worked well and its continued use may foster the development of children's online content.

In light of the unpredictability of technological advancement and the benefits of decreasing regulatory uncertainty, the Commission has determined to retain the sliding scale indefinitely while it continues to evaluate developments. As one commenter noted, nothing precludes the Commission from revisiting the issue at an appropriate point in the future.^[184] If warranted by future developments, the Commission will seek comment on amending the Rule to change the sliding scale mechanism.

4. Section 312.6: Parental Access

Section 312.6 of the Rule requires operators to give a parent, upon request: (1) A description of the types of personal information collected from children (e.g., “We collect full name and e-mail address from children”); (2) the opportunity for the parent to refuse to permit the further use or collection of personal information from his or her child and direct the deletion of the information; and (3) a means of reviewing any actual personal information collected from his or her child (e.g., “We have collected the following information from your child: Mary Smith, msmith@domain.com”). The Commission asked if these requirements are effective, if their benefits outweigh their costs, and what changes, if any, should be made.

The Commission received one comment related to a parent's right to direct the operator to delete the child's personal information.^[185] The commenter indicated that operators may want to retain children's personal information in certain situations, ranging from private contractual obligations to active law enforcement investigations, irrespective of a parent's direction to delete the information.^[186] The commenter then suggested that the Commission should draft a list of exceptions to the Rule's deletion requirement to address these situations.^[187]

COPPA mandates, and the Rule requires, that operators satisfy three requests when made by parents upon “proper identification.” ^[188] First, operators must provide parents with a description of the types of information collected from children.^[189] Second, operators must provide parents with “the opportunity at any time to refuse to permit the operator's further use or maintenance in retrievable form” of their child's personal information.^[190] Third, operators must provide parents with the actual information collected from their child.^[191] Without a change in the Act, the Commission cannot adopt the exceptions from the parental deletion requirement the commenter advocated.^[192] The Commission also is not aware of information sufficient to justify recommending that Congress amend the Act to create such exceptions.

The commenter also requested that the Commission clarify why operators must verify the identity of a purported parent before disclosing his or her child's personal information, but not verify the identity of a purported parent Start Printed Page 13258before deleting the information.^[193] In drafting the Rule, the Commission carefully considered what level of identification would be appropriate for these two requirements. Erroneously disclosing a child's actual personal information to a purported parent poses a high risk to that child's privacy because the purported parent receives the actual personal information of the child.^[194] In contrast, erroneously deleting a child's actual personal information poses a lower risk because the purported parent never receives the information.^[195] The Commission thus concluded that the former, but not the latter, situation warrants verifying the purported parent's identity.^[196] After reconsideration, the Commission concludes that no modification to this requirement is warranted.

5. Section 312.7: Prohibition Against Conditioning a Child's Participation on the Collection of More Personal Information Than Is Necessary

Section 312.7 of the Rule prohibits operators from conditioning a child's participation in an activity on disclosing more personal information than is reasonably necessary to participate in that activity. The Commission asked whether this prohibition is effective, if its benefits outweigh its costs, and what changes, if any, should be made to it. The Commission received one comment addressing this provision of the Rule. The commenter raised no concerns and cited this provision as one way in which the Rule has “succeeded in providing more privacy protections and safeguards for both children and their parents.” ^[197] The Commission concludes that no changes to this provision are warranted.

6. Section 312.8: Confidentiality, Security, and Integrity of Personal Information Collected From a Child

Section 312.8 of the Rule requires operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from a child. The Commission asked whether this requirement is effective, if its benefits outweigh its costs, and what changes, if any, should be made to it. The FTC also specifically asked if the term “reasonable procedure” is sufficiently clear. The Commission received no comments addressing this provision of the Rule. The FTC concludes that no modifications to this requirement are necessary.

7. Section 312.10: Safe Harbors

Section 312.10 of the Rule provides that an operator will be deemed in compliance if the operator complies with Commission-approved self-regulatory guidelines. The Commission asked if this “safe harbor” approach is effective, if its benefits outweigh its costs, and what changes, if any, should be made to it. In addressing the Rule's safe harbor provision, commenters uniformly lauded the part played by COPPA safe harbors in making successful the Commission's effort to protect children's online safety and privacy.^[198] In addition, one commenter stated that the COPPA safe harbors “are an important educational resource on children's privacy issues, and serve to heighten awareness of children's privacy issues more generally.” ^[199] Another commenter said, “the Safe Harbor program demonstrates the benefits of a self-regulatory scheme and mechanism for industry to maintain high standards with limited government intervention.” ^[200]

One commenter, a COPPA safe harbor, suggested that the Commission encourage greater participation in COPPA safe harbor programs by amending the Rule to provide that “membership in good standing in a Commission-approved safe harbor program is an affirmative defense to an enforcement action” under COPPA.^[201] As this commenter recognized, the Rule already provides that operators “in compliance” with an approved safe harbor program “will be deemed to be in compliance” with the Rule and the Commission will consider an operator's participation in a safe harbor program in determining whether to open an investigation or file an enforcement action, and what remedies to seek.^[202] The commenter did not provide any evidence demonstrating that these current incentives to participate in safe harbor programs are inadequate. The Commission thus concludes that no changes to the safe harbor provision are necessary.

IV. Conclusion

For the foregoing reasons, the Commission has determined to retain the Children's Online Privacy Protection Rule without modification.

List of Subjects in 16 CFR Part 312

• Communications
• Computer technology
• Consumer protection
• Infants and Children
• Privacy
• Reporting and recordkeeping requirements
• Safety
• Science and technology
• Trade practices
• Youth

Footnotes