[Federal Register Volume 64, Number 143 (Tuesday, July 27, 1999)]
[Proposed Rules]
[Pages 40525-40528]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-19094]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 312
Children's Online Privacy Protection Rule
AGENCY: Federal Trade Commission.
ACTION: Initial regulatory flexibility analysis.
-----------------------------------------------------------------------
SUMMARY: The Commission is publishing this initial regulatory
flexibility analysis to aid the public in commenting upon the small
business impact of its proposed rule implementing the Children's Online
Privacy Protection Act (``COPPA'' or ``the Act'').
DATES: Written comments must be submitted on or before August 6, 1999.
ADDRESSES: Written comments should be submitted to Secretary, Federal
Trade Commission, Room H-159, 600 Pennsylvania Avenue, NW, Washington,
DC 20580. The Commission requests that commenters submit the original
plus five copies, if feasible. To enable prompt review and public
access, comments also should be submitted, if possible, in electronic
form, on either a 5 1/4 or a 3 1/2 inch computer disk, with a disk
label stating the name of the commenter and the name and version of the
word processing program used to create the document. (Programs based on
DOS or Windows are preferred. Files from other operating systems should
be submitted in ASCII text format.) Alternatively, the Commission will
accept comments submitted to the following e-mail address:
<kidsrule@ftc.gov>. Individual members of the public filing comments
need not submit multiple copies or comments in electronic form. All
submissions should be captioned: ``Children's Online Privacy Protection
Rule--IRFA Comment, P994504.'' Comments will be posted on the
Commission's Web site: <http://www.ftc.gov>.
FOR FURTHER INFORMATION CONTACT:
Toby Milgrom Levin, (202) 326-3156, Loren G. Thompson, (202) 326-2049,
or Jill Samuels, (202) 326-2066, Division of Advertising Practices,
Bureau of Consumer Protection, Federal Trade Commission, 601
Pennsylvania Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: This notice supplements the Commission's
initial notice of proposed rulemaking, 64 FR 22750 (Apr. 27, 1999), for
a Children's Online Privacy Protection Rule, 16 CFR part 312, to
implement the requirements of the Children's Online Privacy Protection
Act of 1998 (``the Act''), title XIII, Omnibus Consolidated and
Emergency Supplemental Appropriations Act, 1999, Pub. L. 105-277, 1112
Stat. 2681, ____ (Oct. 21, 1998). The Commission's notice of proposed
rulemaking did not include an initial regulatory flexibility analysis
pursuant to the Regulatory Flexibility Act (5 U.S.C. 603) based on a
certification that the proposed rule will not have a significant
economic impact on a substantial number of small entities (5 U.S.C.
605). See 64 FR 22761.
In the Notice of Proposed Rulemaking, the Commission concluded that
the proposed rule's requirements are expressly mandated by the COPPA.
In the Commission's view, the Act's requirements account for most, if
not all, of the economic impact of the proposed rule, and the
Commission's proposal adds little, if any, additional independent
compliance burden to the statutory requirements. For example, as
reiterated below, the proposed rule consistently incorporates the
overall ``performance'' standards set forth in the statute rather than
mandating any particular compliance method or approach. See 5 U.S.C.
603(c)(3). Moreover, certain provisions of the rule (e.g., definitions
taken directly from the statute, enforceability of rule by the
Commission and the states, severability of the rule's provisions) would
appear to have no material effect on the costs or burdens of compliance
under the rule for regulated entities, regardless of size. Thus, the
marginal cost, if any, that would be imposed by the rule on regulated
entities, including small entities, would not be substantial. Since the
Regulatory Flexibility Act does not require an initial (or final)
regulatory flexibility analysis when a ``rule'' will not have a
significant economic impact on a substantial number of small entities
(5 U.S.C. 605), such an analysis did not accompany the proposed rule.
Nonetheless, in its Notice of Proposed Rulemaking to implement the
COPPA, the Commission expressly invited public comment on the proposed
rule's effect on the costs, profitability, competitiveness of, and
employment in small entities to ensure that no significant economic
impact on a substantial number of small entities would be overlooked.
See 64 FR 22761.
In response, the Commission received comments suggesting, among
other things, that the Commission publish an initial regulatory
flexibility analysis
under the Regulatory Flexibility Act.\1\ While the Commission continues
to believe that such an analysis is not technically required, the
Commission has decided to publish the following analysis to provide
further information and opportunity for public comment on the small
business impact, if any, of the rule. The Commission notes that it has
already afforded a period of public comment on the proposed rule for
such comments, and will be conducting a public workshop on July 20,
1999, on the issue of obtaining parental consent under the rule. See 64
FR 34595 (June 28, 1999). The workshop will provide an additional
opportunity for public comment on how compliance with that particular
requirement might be achieved, while minimizing the potential impact of
the requirement on regulated entities, including small entities, to the
extent the Commission has any discretion on that issue. The July 30th
deadline for comments in response to the initial regulatory flexibility
analysis set forth below is scheduled to coincide with the close of the
comment period that will follow the public workshop described earlier.
---------------------------------------------------------------------------
\1\ See Comment No. 74 submitted by the Honorable George W.
Gekas and James M. Talent of the House of Representatives and
Comment No. 91 submitted by Jere W. Gover, Jennifer A. Smith, and
Eric E. Menge, Office of Advocacy, U.S. Small Business
Administration.
---------------------------------------------------------------------------
Description of the reasons that action by the agency is being
considered. The COPPA requires the Commission to promulgate this rule
not later than one year after the date of enactment of the Act. COPPA
Sec. 1303(b)(1).
Succinct statement of the objectives of, and legal basis for, the
proposed rule. To prohibit unfair and deceptive acts and practices in
connection with commercial websites' and online services' collection
and use of personal information from and about children by: (1)
Enhancing parental involvement in a child's online activities in order
to protect the privacy of children in the online environment; (2)
helping to protect the safety of children in online fora such as chat
rooms, home pages, and pen-pal services in which children may make
public postings of identifying information; (3) maintaining the
security of children's personal information collected online; and (4)
limiting the collection of personal information without parental
consent. The legal basis for the proposed rule is the COPPA.
Description of and, where feasible, an estimate of the number of
small entities to which the proposed rule will apply. In general, the
rule will apply to any commercial operator of an online service or
Internet website directed to children or a commercial operator of an
online service or Internet website who has actual knowledge that he or
she is collecting personal information from a child. See proposed Rule
Sec. 312.3 (general requirements). The rule does not apply to nonprofit
entities. See proposed Rule Sec. 312.2 (defining ``operator''). A
precise estimate of the number of small entities that fall within the
rule is not currently feasible because the definition of a website
directed to children turns on a number of factors that will require a
factual analysis on a case-by-case basis.\2\ The Commission seeks any
information or comment on these issues, as noted below.
---------------------------------------------------------------------------
\2\ The proposed Rule (Sec. 312.2) states that ``In determining
whether a commercial website or online service, or a portion
thereof, is targeted to children, the Commission will consider its
subject matter, visual or audio content, age of models, language or
other characteristics of the website or online service, as well as
whether advertising promoting or appearing on the website or online
service is directed to children.''
---------------------------------------------------------------------------
Description of the projected reporting, recordkeeping and other
compliance requirements of the proposed rule, including an estimate of
the classes of small entities that will be subject to the requirement
and the type of professional skills necessary for preparation of the
report or record. The statute and proposed rule do not directly impose
any ``reporting'' or ``recordkeeping'' requirements within the meaning
of the Paperwork Reduction Act, but would require that operators make
certain third-party disclosures to the public, i.e., provide parents
with notice of their privacy policies. See proposed Rule Secs. 312.3(a)
(notice on website or online service), 312.4(a), (b), & (c) (format and
contents of notice), 312.5(c)(3) & (4) (parental notification to obtain
consent), 312.6(a)(1) (parental notification of information being
collected on children). The Commission is seeking clearance from the
Office of Management & Budget (OMB) for these requirements and the
Commission's Supporting Statement submitted as part of that process is
being made available on the public record of this rulemaking.
The statute and proposed rule also contain a number of compliance
requirements not subject to the Paperwork Reduction Act, including but
not limited to obtaining verifiable parental consent to collect
personal information from children, Sec. 312.5(b); allowing parents to
have the opportunity to review and make changes to information provided
by their children, Sec. 312.6; and developing and implementing methods
for maintaining the confidentiality, security, and integrity of
personal information collected from children, Sec. 312.8. These
statutorily mandated obligations do not require operators to file
reports or maintain records within the meaning of the Paperwork
Reduction Act, although the Commission recognizes that there are
potential compliance costs associated with these requirements. As noted
above, the only class of small entities that would be subject to the
above-described compliance requirements would be commercial operators
of websites or online services directed to children or those commercial
operators who have actual knowledge that they are collecting
information from children, as discussed earlier.
Since the rule does not directly mandate ``reporting'' or
``recordkeeping'' within the meaning of the Paperwork Reduction Act,
the rule does not require professional skills for the preparation of
``reports'' or ``records'' under that Act. The statute and rule do
require certain third-party disclosures (i.e., privacy policy
notices), which may initially require professional attorney and computer
programmer time to develop and post. For purposes of its Supporting
Statement to OMB under the Paperwork Reduction Act, the Commission
estimated approximately 60 hours per site (83% attorney hours, 17%
programmer hours) in the first year and six hours per web site in
subsequent years. However, the Commission, as noted below, seeks further
comment on the actual costs or expenditures, if any, of developing and
posting the required privacy policy notices, and the extent to which
these costs may differ or vary for small entities. (See the Supporting
Statement submitted by the Commission to OMB at
<http://www.ftc.gov/os/1999/9906/childprivsup>.) It is important to note, however, that the
Commission anticipates that any expenditures for professional attorney
or programmer time may be significantly reduced or eliminated if
websites avail themselves of software or other compliance tools or kits
that make it easier and less costly to meet the rule's notice
requirements. A number of industry groups have already developed
privacy policy toolkits which are available online as part of their
self-regulatory efforts in the privacy area. The Commission seeks
further comment on this issue.
Certain of the statute's and rule's other non-Paperwork Reduction
Act requirements may require some clerical or computer programmer time
for compliance. For example, an employee may be required to review
parental
responses to the operator's requests for consent. Depending on the
method chosen by the operator to seek parental consent, some employee
training may be required, e.g., training an employee manning a
toll-free telephone number to recognize whether a child or adult is on the
line. Similar skills would be required of employees responsible for
handling requests from parents who want to review the information
provided by their children. Finally, computer programming and security
expertise will be required to ensure that the operator maintains the
confidentiality, security, and integrity of the data collected from
children. Because the Commission currently has no basis on which to
determine the number of hours required to conduct such tasks and as
these requirements are not subject to the Paperwork Reduction Act, the
Commission has not attempted here to provide an estimate in terms of
burden hours, but is instead seeking reliable information and comment
on costs and burdens for small entities.
Identification, to the extent practicable, of all relevant Federal
rules that may duplicate, overlap or conflict with the proposed rule.
The Commission is unaware of any duplicative, overlapping, or
conflicting Federal rules. As noted below, the Commission seeks
comments and information about any such rules, as well as any other
state, local, or industry rules or policies that require website
operators and online services to implement business practices (e.g.,
notification, parental consent, security measures, etc.) that would
comply with the requirements of the Commission's proposed rule.
Description of any significant alternatives to the proposed rule
that accomplish the stated objectives of applicable statutes and that
minimize any significant economic impact of the proposed rule on small
entities, including alternatives considered, such as: (1) establishment
of differing compliance or reporting requirements or timetables that
take into account the resources available to small entities; (2)
clarification, consolidation, or simplification of compliance and
reporting requirements under the rule for such small entities; (3) use
of performance rather than design standards; (4) any exemption from
coverage of the rule, or any part thereof, for such small entities.
Under the proposed rule, subject operators will be free to choose one
or more methods to achieve the goals of the rule based on their
individual business models and needs. In many instances the proposed
rule utilizes a performance standard to permit as much flexibility as
possible for website operators to comply with the rule. For example,
proposed Rule Sec. 312.4(b) minimizes the burden on website operators
and online service providers by permitting the notice to be posted by
providing ``links'' to notices, rather than requiring complete texts of
the notice, on each ``page'' or other location(s) where personal
information is collected from children. Likewise, the requirements for
parental notice (proposed Rule Sec. 312.4(c)) are flexible and
open-ended for all entities, not just small entities, requiring simply that
the operator make ``reasonable efforts, taking into account available
technology, to ensure'' that notice reaches parents. See also proposed
Rule Sec. 312.5 regarding parental consent.
Although these rules impose some costs, it is important to
recognize that the requirements of notice, consent, access and security
are mandated by the COPPA itself. Although the Commission has sought to
minimize the burden on all businesses, including small entities, by
incorporating the statute's flexible ``performance'' standards, the
Commission does not have the discretion to provide for exemptions from
the COPPA based on size of the operator. Likewise, the proposed rule
attempts to clarify, consolidate, and simplify the statutory
requirements for all entities, including small entities, but the
Commission has little discretion, if any, to mandate different
compliance methods or schedules for small entities that might ``take
into account the resources available to small entities'' but not comply
with the statutory requirements. For example, the COPPA requires the
posting of privacy policies by websites and online services before
information is collected from children and a waiver for small entities
of that prior notice requirement (e.g., by permitting notice after the
fact) would be inconsistent with the statutory mandate. See COPPA, Pub.
L. No. 105-277, Sec. 1303(b)(1)(A) (i) and (ii).
Nevertheless, the Commission is seeking to address the variability
of online businesses and to devise performance standards to allow for
flexibility and innovation to achieve compliance with the mandated
COPPA protections. Throughout the rulemaking proceeding, the Commission
has made every effort to gather information regarding the economic
impact of the COPPA's parental notice and consent requirements on all
operators, including small entities. Thus, the Federal Register notice
announcing the proposed rule included a number of questions for public
comment regarding the costs and benefits associated with these key
requirements with respect to small entities.
In addition, the agenda for the July 20th public workshop includes
topics designated to elicit economic impact information, particularly
as it would affect small businesses. The workshop will examine a wide
range of mechanisms to implement parental consent so as to obtain a
rich record of how operators, including small entities, can comply with
the statutory requirement.
Questions for Comment To Assist Regulatory Flexibility Analysis
1. Please provide comment on any or all of the provisions in the
proposed rule with regard to (a) the impact of the provision(s)
(including any benefits and costs), if any, and (b) what alternatives,
if any, the Commission should consider, as well as the costs and
benefits of those alternatives, paying specific attention to the effect
of the rule on small entities in light of the above analysis. In
particular, please provide the above information with regard to the
following sections of the proposed rule:
a. The requirement that notice be placed on the website,
Sec. 312.4(b);
b. The requirement that notice be provided to parents,
Sec. 312.4(c);
c. The requirement that operators obtain verifiable parental
consent, Sec. 312.5;
d. The requirement that parents be allowed to review and correct
personal information provided by their children, Sec. 312.6;
e. The requirement that operators take steps to ensure the
confidentiality, safety, and integrity of the information provided to
them, Sec. 312.8; and
f. Any other requirement not mentioned above.
Costs to ``implement and comply'' with the rule include
expenditures of time and money for: any employee training; attorney,
computer programmer, or other professional time; preparing relevant
materials; processing materials, including, for example, processing
parental consent materials or requests for access to information; and
recordkeeping.
2. Please describe ways in which the rule could be modified to
reduce any costs or burdens for small entities consistent with the
COPPA's mandated requirements.
3. Please describe whether and how technological developments (such
as the development and implementation of digital signatures) could
reduce the costs of implementing and complying with the rule for small
entities or other operators.
4. Please provide any information quantifying the economic benefits
to website operators of collecting personal information from or about
children, including any information showing: advertising revenues based
in part upon the number of children registered at a site; revenue
derived from the sale or rental of children's personal or aggregate
information to others; efficiencies resulting from marketing to a
targeted audience; or revenue resulting from designing a customized and
appealing site.
5. Please identify all relevant Federal, state or local rules that
may duplicate, overlap or conflict with the proposed rule. In addition,
please identify any industry rules or policies that require website
operators and online services to implement business practices (e.g.,
notification, parental consent, security measures, etc.) that would
already comply with the requirements of the Commission's proposed rule.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 99-19094 Filed 7-26-99; 8:45 am]