AGENCY:

Federal Trade Commission.

ACTION:

Notice of proposed rulemaking.

SUMMARY:

The Commission proposes to amend the Children's Online Privacy Protection Rule, consistent with the requirements of the Children's Online Privacy Protection Act. The proposed modifications are intended to respond to changes in technology and online practices, and where appropriate, to clarify and streamline the Rule. The proposed modifications, which are based on the FTC's review of public comments and its enforcement experience, are intended to clarify the scope of the Rule and/or strengthen its protection of personal information collected from children.

DATES:

Comments must be received by March 11, 2024.

ADDRESSES:

Interested parties may file a comment online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “COPPA Rule Review, Project No. P195404” on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex E), Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT:

Manmeet Dhindsa (202–326–2877) or James Trilling (202–326–3497), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission.

SUPPLEMENTARY INFORMATION:

I. Background

Congress enacted the Children's Online Privacy Protection Act (“COPPA” or “COPPA statute”), 15 U.S.C. 6501 et seq., in 1998. The COPPA statute directed the Federal Trade Commission (“Commission” or “FTC”) to promulgate regulations implementing COPPA's requirements. On November 3, 1999, the Commission issued its Children's Online Privacy Protection Rule, 16 CFR part 312 (“COPPA Rule” or “Rule”), which became effective on April 21, 2000.^[1] Section 6506 of the COPPA statute and § 312.11 of the initial Rule required that the Commission initiate a review no later than five years after the initial Rule's effective date to evaluate the Rule's implementation. The Commission commenced this mandatory review on April 21, 2005.^[2] After receiving and considering extensive public comment, the Commission determined in March 2006 to retain the COPPA Rule without change.^[3] In 2010, the Commission once again undertook a review of the COPPA Rule to determine whether the Rule was keeping pace with changing technology. After notice and comment, the Commission issued final amendments to the Rule, which became effective on July 1, 2013 (“2013 Amendments”).^[4]

The COPPA Rule imposes certain requirements on operators of websites ^[5] or online services directed to children under 13 years of age, and on operators of websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age (collectively, “operators”). The Rule requires that operators provide notice to parents and obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13 years of age.^[6] Additionally, the Rule requires that operators must provide parents the opportunity to review the types or categories of personal information collected from their child, the opportunity to delete the collected information, and the opportunity to prevent further use or future collection of personal information from their child.^[7] The Rule also requires operators to keep personal information they collect from children secure, including by imposing retention and deletion requirements, and prohibits them from conditioning children's participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities.^[8] The Rule contains a “safe harbor” provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule's protections.^[9]

The 2013 Amendments ^[10] revised the COPPA Rule to address changes in the way children use and access the internet, including through the increased use of mobile devices and social networking. In particular, the 2013 Amendments:

• Modified the definition of “operator” to make clear that the Rule covers an operator of a child-directed website or online service that integrates outside services—such as plug-ins or advertising networks—that collect personal information from the website's or online service's visitors, and expanded the definition of “website or online service directed to children” to clarify that those outside services are subject to the Rule where they have actual knowledge that they are collecting personal information directly from users of a child-directed website or online service;
• Permitted a subset of child-directed websites or online services that do not target children as their primary audience to differentiate among users, requiring them to comply with the Rule's obligations only as to users who identify as under the age of 13;
• Expanded the definition of “personal information” to include geolocation information; photos, videos and audio files containing a child's image or voice; and persistent identifiers that can be used to recognize a user over time and across different websites or online services;
• Streamlined the direct notice requirements to ensure that key information is presented to parents in a succinct “just-in-time” notice;
• Expanded the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent;

• Created three new exceptions to the Rule's notice and consent requirements, including for the use of persistent identifiers for the support for the internal operations of a website or online service; Start Printed Page 2035

• Strengthened data security protections by requiring operators to take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of such information, and required reasonable data retention and deletion procedures; and

• Strengthened the Commission's oversight of self-regulatory safe harbor programs.^[11]

On July 25, 2019, the FTC announced in the Federal Register that it was again undertaking a review of the COPPA Rule, noting that questions had arisen about the Rule's application to the educational technology (“ed tech”) sector, voice-enabled connected devices, and general audience platforms that host third-party child-directed content (“2019 Rule Review Initiation”).^[12] The Commission sought public comment on these and other issues in its 2019 Rule Review Initiation. In addition to its standard regulatory review questions to determine whether the Commission should retain, eliminate, or modify the COPPA Rule, the Commission asked whether the 2013 Amendments have resulted in stronger protections for children and whether the revisions have had any negative consequences. The Commission also posed specific questions about the Rule's provisions, including the Rule's definitions, notice and consent requirements, access and deletion rights, security requirements, and safe harbor provisions.

During the comment period, the Commission held a public workshop on October 7, 2019, to discuss in detail several of the areas where it sought public comment (“COPPA Workshop”).^[13] Specific discussion included such topics as application of the COPPA Rule to the ed tech sector, how the development of new technologies and business models have affected children's privacy, and whether the 2013 Amendments have worked as intended.

In response to the 2019 Rule Review Initiation, the Commission received more than 175,000 comments from various stakeholders, including industry representatives, video content creators, consumer advocacy groups, academics, technologists, FTC-approved COPPA Safe Harbor programs, members of Congress, and individual members of the public. While many of these comments expressed overall support for COPPA,^[14] the comments identified a number of areas where the Commission could provide additional clarification or guidance about the COPPA Rule's requirements. The comments also proposed a number of potential changes to the Rule.

Following consideration of the submitted public comments, viewpoints expressed during the COPPA Workshop, and the Commission's experience enforcing the Rule, the Commission proposes modifying most provisions of the Rule. Part II of this notice of proposed rulemaking (“NPRM”) discusses commenters' calls to expand the COPPA Rule's coverage by amending the definition of “website or online service directed to children” or by changing the Rule's actual knowledge standard. Part III of this NPRM discusses commenters' viewpoints on whether the Commission should permit general audience platforms that allow third parties to upload content to the platform to rebut the presumption that all users of uploaded child-directed content are children. Part IV addresses the Commission's proposed modifications to the Rule. Parts V–X provide information about requests for comment, the Paperwork Reduction Act, the Regulatory Flexibility Act, communications by outside parties to the Commissioners or their advisors, questions for the proposed revisions to the Rule, a list of subjects in the Rule, and the amended text of the Rule.

II. Comments on Expanding the COPPA Rule's Coverage

As part of its 2019 Rule Review Initiation, the Commission requested comment on questions regarding whether the Commission should revise the definition of “website or online service directed to children.” In response, the Commission received various comments regarding expanding the COPPA Rule's coverage by either amending the definition of “website or online service directed to children” or by changing the Rule's actual knowledge standard. This Part includes discussion of comments advocating for and against such expansions.

A. Amending the Definition of “Website or Online Service Directed to Children”

In its 2019 Rule Review Initiation, the Commission asked for comment on various aspects of the Rule's definition of “website or online service directed to children.” Among other questions, the Commission asked whether it should amend the definition to address websites and online services that do not include traditionally child-oriented activities but still have large numbers of child users.^[15]

Some commenters argued that the definition of “website or online service directed to children” should be modified to include sites and services with large numbers of children, those with a certain percentage of child users, or those that include child-attractive Start Printed Page 2036 content.^[16] For example, FTC-approved COPPA Safe Harbor program PRIVO asserted that general audience services with large numbers of children should be required to comply with COPPA, noting that “[s]ervices not targeted to children that have large numbers of children must be addressed as it can result in online harm to the child due to inherent privacy and safety risks.” ^[17] PRIVO further argued that the Commission should define thresholds for the number of child users at which COPPA's protections must be provided.^[18] Similarly, Common Sense Media encouraged the Commission to interpret the definition of “website or online service directed to children” to include “sites and services that attract, or are likely to be accessed by, disproportionate numbers of children.” ^[19]

However, other commenters opposed expanding the definition of “website or online service directed to children” in such ways.^[20] For example, The Toy Association opposed the adoption of a numerical or percentage audience threshold as a determinative factor in identifying child-directed websites or online services.^[21] Similarly, panelists during the COPPA Workshop noted that “[a]ttractive to children is very different from targeted to children,” ^[22] and that COPPA's statutory language is “child-directed” and not “child-attractive.” ^[23] Commenters raised additional concerns with expanding the definition to include sites and services that do not include child-oriented activities but have large numbers of children, including because such a change would be inconsistent with the statute,^[24] decrease online offerings for children,^[25] be unduly burdensome to operators of non-child-directed websites or online services,^[26] and lead to regulatory uncertainty.^[27] Some commenters also noted that this amendment would be unnecessary since the definition already includes “competent and reliable empirical evidence regarding audience composition” as a factor to consider in determining whether a site or service is directed to children.^[28]

During the Rule review that resulted in the 2013 Amendments, the Commission considered amending the definition of “website or online service directed to children” to cover sites or services that “[b]ased on the overall content of the website or online service, [are] likely to attract an audience that includes a disproportionately large percentage of children under age 13 as compared to the percentage of such children in the general population. . . .” ^[29] In response, the Commission received numerous comments raising concerns that such a standard was vague, potentially unconstitutional, and unduly expansive, and could lead to widespread age-screening and more intensive age verification across all websites and online services.^[30] In ultimately declining to adopt this standard, the Commission stated it did not intend to expand the reach of the Rule to include additional sites and services.

The Commission again declines to modify the Rule in this manner. The definition of “website or online service directed to children” includes a number of factors the Commission will consider in determining whether a particular website or online service is child-directed, including consideration of “competent and reliable empirical evidence regarding audience composition.” Because the Commission already considers the demographics of a website's or online service's user base in its determination, the Commission does not believe it is necessary to modify the definition.

Similarly, the Commission also previously considered amending the Rule to set forth that websites and online services with a specified percentage of child users would be considered directed to children. As part of the Rule review that led to the 2013 Amendments, the Institute for Public Representation recommended that the Commission amend the Rule so that a website per se should be deemed “directed to children” if audience demographics show that 20% or more of its visitors are children under age 13.^[31] The Commission determined not to adopt this as a per se legal standard, in part because the Commission noted that the definition of “website or online service directed to children” already positions the Commission to consider empirical evidence of the number of child users on a site.

While the Commission continues to believe that there are good reasons not to ground COPPA liability simply on an assessment of the percentage of a site's or service's audience that is under 13, the Commission would like to obtain additional comment on whether it should provide an exemption under which an operator's site or service would not be deemed child-directed if the operator undertakes an analysis of the site's or service's audience composition and determines that no more than a specific percentage of its users are likely to be children under 13. In particular, the Commission seeks comment on (1) whether the Rule should provide an exemption or other incentive to encourage operators to conduct an analysis of their sites' or services' user bases; (2) what the reliable means are by which operators can determine the likely ages of a site's or service's users; (3) whether and how the COPPA Rule should identify such means; (4) what the appropriate percentage of users should be to qualify for this potential exemption; ^[32] and (5) Start Printed Page 2037 whether such an exemption would be inconsistent with the COPPA Rule's multi-factor test for determining whether a website or online service, or a portion thereof, is directed to children.

B. Changing the COPPA Rule's “Actual Knowledge” Standard

In responding to the Commission's request for comment on the definition of “website or online service directed to children,” a number of commenters recommended that the Commission revise COPPA's actual knowledge standard by moving to a constructive knowledge standard.^[33] Namely, these commenters sought to bring within COPPA's jurisdiction those operators that have reason to know they may be collecting information from a child and those operators that willfully avoid gaining actual knowledge that they are collecting information from a child. Common Sense Media, for example, encouraged the Commission to broaden its view of “actual knowledge” to prevent the “willful disregard that children's personal[ ] information is being collected.” ^[34] Other commenters, referencing the California Consumer Privacy Act, similarly recommended that COPPA's actual knowledge standard should cover operators of general audience sites and services that ignore or willfully disregard the age of their users.^[35] Children's privacy advocate 5Rights Foundation further recommended that the Commission should consider current and historic audience composition evidence of both the specific service and similar services in determining whether an operator has met the actual knowledge standard.^[36]

A number of industry commenters opposed the Commission adopting a constructive knowledge standard. Several of these commenters pointed to the COPPA statute's language ^[37] and argued that the Commission lacks authority to change the actual knowledge standard.^[38] Others asserted that a constructive knowledge standard would result in operators collecting additional data from all users, including children, and might lead to a reduction in available online content because operators may decide to withdraw content intended for teenagers and young adults to avoid the risk of interacting with children.^[39] Additionally, the Association of National Advertisers stated that a constructive knowledge standard would conflict with the Commission's long-established position that operators are not obligated to investigate the age of their users ^[40] and would increase uncertainty about companies' potential COPPA obligations.^[41] Similarly, Engine, a non-profit policy organization, noted that moving from the “bright-line” standard of actual knowledge to a less clear constructive knowledge standard could disproportionately burden small companies and start-ups.^[42]

The Commission declines to change the Rule to bring operators of general audience sites and services under COPPA's jurisdiction based on constructive knowledge. As the Commission noted in 2011, Congress has already rejected a constructive knowledge approach with respect to COPPA. Specifically, the legislative history indicates that Congress originally drafted COPPA to apply to operators that “knowingly” collect personal information from children, a standard which would include actual, implied, or constructive knowledge.^[43] After consideration of witness testimony, however, Congress modified the knowledge standard in the final legislation to require “actual knowledge.” ^[44] This deliberate decision to reject the more expansive approach makes clear that Congress did not intend for the “actual knowledge” standard to be read to include the concept of constructive knowledge. The Commission rejected calls for a move to a lesser knowledge standard for general audience operators while considering the 2013 Amendments,^[45] and the Commission again declines to do so.^[46]

III. Comments on the Rebuttable Presumption

Operators of websites or online services directed to children that collect personal information from their users must comply with COPPA regardless of whether they have actual knowledge that a particular user is, in fact, a child. Accordingly, as a practical matter, operators of child-directed sites and services must presume that all users are children.^[47]

Through the 2013 Amendments, the Commission extended COPPA liability to operators that have actual knowledge Start Printed Page 2038 they are collecting personal information directly from the users of another website or online service that is child-directed.^[48] Under the Rule, such an operator “has effectively adopted that child-directed content as its own and that portion of its service may appropriately be deemed to be directed to children.” ^[49]

The Commission sought comments in its 2019 Rule Review Initiation on whether it should permit general audience platforms that allow third parties to upload content to the platform to rebut the presumption that all users of uploaded child-directed content are in fact children. In seeking comment on this issue, the Commission stated that absent actual knowledge that the uploaded content is child-directed, the platform operator is not responsible for complying with the Rule. Therefore, the FTC noted that the platform operator may have an incentive to avoid gaining knowledge about the nature of the uploaded content.^[50] The Commission asked whether allowing general audience platform operators to rebut this presumption, thereby allowing them to treat users under age 13 differently from older users, would incentivize platform operators to take affirmative steps to identify child-directed content and treat users of that content in accordance with the Rule. The Commission also asked about the types of steps platforms could take to overcome the presumption that all users of child-directed content are children.

Relying on a variety of arguments, many consumer and privacy advocates opposed the notion of modifying the Rule to allow operators of general audience platforms to rebut the presumption that users of child-directed content uploaded to the platform by third parties are children. For example, a coalition of consumer organizations argued against allowing general audience platforms to rebut the presumption, pointing to the fact that families often share devices, accounts, and apps and that, as a result, many children likely access child-directed content while logged into a parent's account. Because of this, they argued that if the FTC modifies the presumption, “it would lead to widespread mislabeling of children as adults and large numbers of under-protected children.” ^[51] Other commenters echoed the concern that because users in a household may share devices that are persistently signed in, operators may incorrectly determine that a user is an adult.^[52]

Another commenter, while acknowledging the “perverse incentive” operators have to avoid gaining actual knowledge, raised concern about operators' ability to effectively establish which of their users are children.^[53] The commenter argued that, until operators are transparent about methods used to determine which users are children and such methods are deemed effective, permitting operators to rebut the presumption may result in children being treated as adults.^[54]

One commenter argued that, “in the vast majority of cases,” users of child-directed content are, in fact, children.^[55] This commenter further stated that allowing operators to rebut the presumption would prioritize allowing companies to engage in targeted advertising over ensuring that general audience platforms comply with COPPA.^[56] Another commenter noted that, despite the alleged existence of subcultures of adult viewership of kids' content, the adult viewership of such content is likely very small.^[57] The commenter further argued that protecting those adults' right to receive personalized advertising does not outweigh the risk of collecting personal data from children and tracking them online.^[58]

A number of State Attorneys General argued that modifying the Rule to allow rebuttal is unlikely to incentivize platforms to identify and police child-directed content.^[59] These commenters claimed that, even with the ability to rebut the presumption, platforms would have a greater incentive not to know about the presence of child-directed content because this would allow them to collect data for targeted ads from all users.^[60] Additionally, an FTC-approved COPPA Safe Harbor program argued that allowing rebuttal would “be complex and unfairly benefit large tech companies who may be the only companies with the wherewithal, rich customer data, and back-end infrastructure to meet the criteria for rebuttal.” ^[61]

On the other hand, a number of industry commenters supported allowing general audience platforms to rebut the presumption that all users of child-directed content are necessarily children. Google argued that rebuttal “with the appropriate safeguards, would allow those users to benefit from social engagement with the content and would allow content creators to benefit from increased monetization options, supporting continued investment in such content.” ^[62] Without the ability to rebut the presumption, Google argued that platforms must degrade adults' user Start Printed Page 2039 experience, including by preventing interactivity with other adults. Google also distinguished general audience platforms with third-party content from “static” child-directed websites intended for a single audience, noting that such platforms “have significant adult user bases that engage with traditionally child-directed content.” ^[63]

Other commenters made similar arguments. One trade association stated that some general audience platforms “have significant adult user bases” and feature child-directed content that may appeal to users of varying ages, such as crafting or science education content.^[64] It claimed that the audience presumption harms adult users of child-directed content by denying them the ability “to find community, learn, and discover new content.” ^[65] Another trade association noted that adults might want “to interact with child-directed content for a variety of reasons, including nostalgia or to find content suitable for their children or students.” ^[66]

A majority of the commenters that support modifying the Rule to permit rebuttal also recommended against the Commission proscribing specific means by which a general audience platform could rebut the presumption, calling instead for a flexible, standards-based approach that would allow platforms to employ a variety of measures to overcome the presumption. For example, citing “advancements in technology and age-screening,” one trade association recommended allowing rebuttal through reliance on a neutral age gate combined with additional steps to confirm identity, such as re-entry of a password.^[67] The commenter also suggested that the Commission allow industry to explore alternative methods such as fingerprint, voiceprint, or device PIN.^[68] Other commenters recommended similar flexibility in approach.^[69]

Many of the comments supporting rebuttal of the presumption also argued against tying rebuttal to a requirement that the platform investigate and identify child-directed content on the platform. These commenters asserted that such a requirement would change the Rule's actual knowledge standard to a constructive knowledge standard, which would “contravene [c]ongressional intent” ^[70] and impose an unreasonable burden on platforms that would chill investment into the production of child-directed content.^[71] One commenter cautioned that requiring the platform operators to identify whether uploaded content is child-directed could raise First Amendment concerns.^[72]

After reviewing the submitted comments, the Commission does not propose modifying the Rule to permit general audience platforms to rebut the presumption that all users of child-directed content are children. The Commission finds persuasive the concerns raised in the comments about the practicality of allowing operators of such platforms to rebut this presumption. In particular, the Commission believes that the reality of parents and children sharing devices, along with account holders remaining perpetually logged into their accounts, could make it difficult for an operator to distinguish reliably between those users who are children and those who are not.

The Commission recognizes that allowing platforms to rebut the presumption would permit additional forms of monetization and, in some instances, provide additional functionality and convenience for adults interacting with child-directed content. Such benefits, however, simply do not outweigh the important goal of protecting children's privacy. Moreover, as set forth in the Commission's 2019 Rule Review Initiation, the reason for considering whether to allow platforms to rebut the audience presumption was to create an incentive for them to “identify and police child-directed content uploaded by others.” ^[73] Many commenters supporting the addition of this rebuttal expressed strong opposition to such a duty, thereby undercutting the rationale for modifying the Rule.

Finally, through its recognition of the “mixed audience” category of websites and online services, the Commission essentially allows operators to rebut the presumption as to the users of a subset of child-directed sites and services that do not target children as their primary audience. For example, where third-party content on a platform is child-directed under the Rule's multi-factor test but the platform does not target children as its primary audience, the operator can request age information and provide COPPA protections only to those users who are under 13. The Commission believes the mixed audience category affords operators an appropriate degree of flexibility.^[74]

IV. Proposed Modifications to the Rule

As discussed in Part I, comments reflect overall support for COPPA and a recognition that it is an important and helpful tool for protecting children's online privacy. Additionally, many comments indicate support for the 2013 Amendments.^[75]

Despite this overall support, the Commission believes it is appropriate to modify a number of the Rule's provisions in light of the record developed through the 2019 Rule Review Initiation—including the COPPA Workshop and the large number of public comments received—as well as the FTC's two decades of experience enforcing the Rule. The Commission intends these modifications to update certain aspects of the Rule, taking into account technological and other relevant developments, and to provide additional clarity to operators on the Rule's existing requirements. Specifically, the Commission proposes modifying most provisions of the Rule, namely the following areas: Definitions; Notice; Parental Consent; Parental Right to Review; Confidentiality, Security, and Integrity of Children's Personal Information; Data Retention and Deletion; and Safe Harbor Programs. In addition, the Commission proposes minor modifications to the sections on Scope of Regulations and Voluntary Commission Approval Processes to address technical corrections.

Additionally, the Commission proposes some revisions to the Rule to address spelling, grammatical, and punctuation issues. For example, as noted above, the Commission proposes to modify § 312.1 regarding the scope of regulations, specifically to change the location of commas. Similarly, the Commission proposes amending the Rule to change the term “Web site” to “website” throughout the Rule, including in various definitions that use this term. This construction aligns with the COPPA statute's use of the term, as well as how that term is currently used in today's marketplace. This NPRM incorporates this proposed change in all instances in which the term “Web site” is used. The Commission does not intend for these proposed modifications to alter existing obligations or create new obligations under the Rule.

A. Definitions (16 CFR 312.2)

The Commission proposes to modify a number of the Rule's definitions in order to update the Rule's coverage and functionality and, in certain areas, to provide greater clarity regarding the Rule's intended application. The Commission proposes modifications to the definitions of “online contact information” and “personal information.” The Commission also proposes modifications to the definition of “website or online service directed to children,” including by adding a stand-alone definition for “mixed audience website or online service.” Additionally, the Commission proposes adding definitions for “school” and “school-authorized education purpose.” These two new definitions relate to the Rule's proposed new parental consent exception—a codification of longstanding Commission guidance by which operators rely on school authorization to collect personal information in limited circumstances rather than on parental consent. Finally, the Commission proposes modifications to the second paragraph of the definition of “support for the internal operations of the website or online service.”

1. Online Contact Information

Section 312.2 of the Rule defines “online contact information” as “an email address or any other substantially similar identifier that permits direct contact with a person online, including but not limited to, an instant messaging user identifier, a voice over internet protocol (VOIP) identifier, or a video chat user identifier.” Online contact information is considered “personal information” under the Rule. Under certain parental consent exceptions, the Rule permits operators to collect online contact information from a child for certain purposes, such as initiating the process of obtaining verifiable parental consent, without first obtaining verifiable parental consent.

To improve the Rule's functionality, the Commission proposes amending this definition by adding “an identifier such as a mobile telephone number provided the operator uses it only to send a text message” to the non-exhaustive list of identifiers that constitute “online contact information.” As discussed later in this Part, this modification would allow operators to collect and use a parent's or child's mobile phone number in certain circumstances, including in connection with obtaining parental consent through a text message.

Although the Commission did not raise the issue of adding mobile telephone numbers to the online contact information definition in its 2019 Rule Review Initiation, some commenters supported such a modification in discussing the Rule's parental consent requirement.^[76] One commenter noted that parents increasingly rely on telephone and cloud-based text messaging services,^[77] and another similarly noted that permitting parents to utilize text messages to provide consent would be more in sync with current technology and parental expectations.^[78] Commenters also stated that mobile communication mechanisms are more likely to result in operators reaching parents for the desired purpose of providing notice and obtaining consent, and that sending a text message may be one of the most direct and easily verifiable methods of contacting a parent.^[79] Further, one commenter posited that the chance of a child submitting his or her own mobile number in order to circumvent a valid consent mechanism is no greater than, for instance, a child submitting his or her own email address.^[80]

The Commission agrees that permitting parents to provide consent via text message would offer them significant convenience and utility. The Commission also recognizes that consumers are likely accustomed to using mobile telephone numbers for account creation or log-in purposes. For these reasons, the Commission is persuaded that operators should be able to collect parents' mobile telephone numbers as a method to obtain consent from the parent. Therefore, the Commission proposes adding mobile telephone numbers to the definition of “online contact information.”

Modifying the definition in this way, however, will also enable operators to collect and use a child's mobile telephone number to communicate with the child, including—under various parental consent exceptions—prior to the operator obtaining parental consent.^[81] The Commission does not seek to allow operators to use children's mobile telephone numbers to call them prior to the operator obtaining parental consent. Therefore, the Commission proposes including the qualifier “provided the operator uses it only to send a text message” to ensure that operators cannot call the child using the mobile telephone number, unless and until the operator seeks and obtains a parent's verifiable parental consent to do so.^[82]

This proposed modification is a departure from the position the Commission previously took when it declined to include mobile telephone numbers within the definition of “online contact information.” In discussing the 2013 Amendments, the Commission stated that the COPPA statute did not contemplate adding mobile telephone numbers as a form of online contact information, and therefore it determined not to include mobile telephone numbers within the definition.^[83] However, the Commission also stated at that time that the list of identifiers constituting online contact information was non-exhaustive and would encompass other substantially similar identifiers that permit direct contact with a person online.^[84] As part of the 2013 Amendments, the Commission revised the definition to include examples of such identifiers, and the Commission now believes that adding mobile telephone numbers to this list is appropriate.

Specifically, consumers today widely use over-the-top messaging platforms, which are platforms that utilize the internet instead of a carrier's mobile network to exchange messages. These platforms include Wi-Fi messaging applications, voice over internet protocol applications that have messaging features, and other messaging applications. Because a consumer's mobile telephone number is often used as the unique identifier through which a consumer can exchange messages through these over-the- top platforms, mobile telephone numbers permit direct contact with a person online, thereby meeting the statutory requirements for this definition.^[85]

When the Commission enacted the 2013 Amendments, the use of over-the-top messaging platforms was more nascent and growing in adoption. Today, the prevalent and widespread adoption of such messaging platforms allows consumers to use these platforms as their primary form of text messaging. Therefore, the Commission finds it appropriate to propose amending the definition of “online contact information” to include “an identifier such as a mobile telephone number provided the operator uses it only to send a text message.” The Commission welcomes comment on this proposed modification. In particular, the Commission is interested in understanding whether allowing operators to contact parents through a text message to obtain verifiable parental consent presents security risks to the recipient of the text message, especially if the parent would need to click on a link provided in the text message.

2. Personal Information

The COPPA statute defines “personal information” as individually identifiable information about an individual collected online, including, for example, a first and last name, an email address, or a Social Security number.^[86] The COPPA statute also includes within the definition “any other identifier that the Commission determines permits the physical or online contacting of a specific individual.” ^[87]

a. Biometric Data

The Commission proposes using its statutory authority to expand the Rule's coverage by modifying the Rule's definition of “personal information” to include “[a] biometric identifier that can be used for the automated or semi-automated recognition of an individual, including fingerprints or handprints; retina and iris patterns; genetic data, including a DNA sequence; or data derived from voice data, gait data, or facial data.” ^[88] The Commission believes this proposed modification is necessary to ensure that the Rule is keeping pace with technological developments that facilitate increasingly sophisticated means of identification.

The majority of comments addressing the question of whether to expand the Rule's definition of “personal information” supported the addition of biometric data.^[89] These commenters asserted that different types of biometric data can be used to contact specific individuals. For example, a coalition of consumer groups recommended adding biometric data, including genetic data, fingerprints, and retinal patterns, to the Rule's enumerated list of “personal information.” ^[90] These commenters cited consumer products' current use of biometrics to identify and authenticate users through such mechanisms as fingerprints and face scans.^[91] They also noted that while some types of personal information may be altered to protect privacy, biometric data collected today may be used to identify and contact specific children for the rest of their lives.^[92] Several other commenters also argued that the permanent and unalterable nature of biometric data makes it particularly sensitive.^[93] Additional commenters noted that many states have expanded the definition of personally identifiable information to include biometric data as have other federal laws and regulations, such as the Department of Education's Family Educational Rights and Privacy Act (“FERPA”) Regulations, 34 CFR 99.3.^[94]

A small number of commenters urged the Commission to proceed cautiously with respect to adding biometric data to the Rule's personal information definition. These commenters suggested that such an expansion could stifle innovation ^[95] or questioned whether biometric data allows the physical or online contacting of a specific individual.^[96] Some commenters also Start Printed Page 2042 recommended that, if the Commission does define biometric data as personal information, it should consider appropriate exceptions, for example, where the data enhances the security of a child-directed service ^[97] or the operator promptly deletes the data.^[98]

The Commission believes that, as with a photograph, video, or audio file containing a child's image or voice, biometric data is inherently personal in nature. Indeed, the Commission agrees with the many commenters ^[99] who argued that the personal, permanent, and unique nature of biometric data makes it sensitive, and the Commission believes that the privacy interest in protecting such data is a strong one.

And, as with some facial and voice recognition technologies, the Commission believes that biometric recognition systems are sufficiently sophisticated to permit the use of identifiers such as fingerprints and handprints; retina and iris patterns; genetic data, including a DNA sequence; and data derived from voice data, gait data, or facial data to identify and contact a specific individual either physically or online.

The Commission notes that the specific biometric identifiers that it proposes adding to the Rule's personal information definition are examples and not an exhaustive list. The Commission welcomes further comment on this proposed modification, including whether it should consider additional biometric identifier examples and whether there are appropriate exceptions to any of the Rule's requirements that it should consider applying to biometric data, such as exceptions for biometric data that has been promptly deleted.

b. Inferred and Other Data

In addition to biometric data, the Commission also asked for comment on whether it should expand the Rule's definition of “personal information” to include data that is inferred about, but not directly collected from, children, or other data that serves as a proxy for “personal information.” Several commenters recommended such an expansion.^[100] For example, one commenter stated that inferred data, including predictive behavior, is often incredibly sensitive and that even when it is supplied in the aggregate, can be easily re-identified.^[101] The commenter also noted that certain State laws include inferred data in their definitions of personally identifiable information.^[102] Another pointed to the ability of analysts to infer personal information that the Rule covers, such as an individual's geolocation, from data that currently falls outside the Rule's scope.^[103]

Commenters opposed to including inferred data stated that such an expansion would not be in accordance with the COPPA statute, which covers data collected “from” a child.^[104] Some commenters opposed to the inclusion of inferred data argued that inferred data does not permit the physical or online contacting of the child.^[105] Some commenters also expressed concern that adding inferred data would create ambiguity and hamper companies' abilities to provide websites and online services to children, would stifle new products and services, and may prohibit the practice of contextual advertising.^[106]

The Commission has decided not to propose including inferred data or data that may serve as a proxy for “personal information” within the definition. As several commenters correctly note, the COPPA statute expressly pertains to the collection of personal information from a child.^[107] Therefore, to the extent data is collected from a source other than the child, such information is outside the scope of the COPPA statute and such an expansion would exceed the Commission's authority. Inferred data or data that may serve as a proxy for “personal information” could fall within COPPA's scope, however, if it is combined with additional data that would meet the Rule's current definition of “personal information.” In such a case, the existing “catch-all” provision of that definition would apply.^[108]

c. Persistent Identifiers

In 2013, the Commission used its authority under 15 U.S.C. 6501(8)(F) to modify the Rule's definition of “personal information” to include persistent identifiers that can be used to recognize a user over time and across different websites or online services. Prior to that change, the Rule covered persistent identifiers only when they were combined with certain types of identifying information.^[109] As part of the 2019 Rule Review Initiation, the Commission asked for comment on whether this modification has resulted in stronger privacy protections for children. The Commission also asked whether the modification has had any negative consequences.

A number of commenters, citing a variety of reasons, argued that the amendment to include “stand-alone” persistent identifiers as personal information was incorrect or had caused harm. Several commenters claimed that persistent identifiers alone do not allow for the physical or online contacting of a child, and thus should not be included unless linked to other forms of personal information.^[110] Commenters also argued Start Printed Page 2043 that the persistent identifier modification harmed both operators and children. Specifically, some commenters pointed to operators' lost revenue from targeted advertising, which requires collection of persistent identifiers, and the resulting reduction of available child-appropriate content online due to operators' inability to monetize such content.^[111] One commenter stated that while the 2013 modification “served the widely held goal of excluding children from interest-based advertising,” it created uncertainty for operators' use of data for internal operations.^[112] The commenter suggested that the Commission consider exempting persistent identifiers used for internal operations from the Rule's deletion requirements.^[113]

In contrast, other commenters expressed strong support for the 2013 persistent identifier modification. For example, while acknowledging that it took time for the digital advertising industry to adapt to the new definition, one commenter described the 2013 modification as “wholly positive.” ^[114] The commenter also noted that the change recognized that unique technical identifiers might be just as personal as traditional identifiers such as name or address when used to contact, track, or profile users.^[115] The commenter stated that this change “laid the groundwork for many countries adopting this expanded definition of personal information in their updated privacy laws.” ^[116]

After reviewing the comments relevant to this issue, the Commission has decided to retain the 2013 modification including stand-alone persistent identifiers as “personal information.” The Commission is not persuaded by the argument that persistent identifiers must be associated with other individually identifiable information to permit the physical or online contacting of a specific individual. The Commission specifically addressed, and rejected, this argument during its discussion of the 2013 Amendments. There, the Commission rejected the claim that persistent identifiers only permit contact with a device. Instead, the Commission pointed to the reality that at any given moment a specific individual is using that device, noting that this reality underlies the very premise behind behavioral advertising.^[117] The Commission also reasoned that while multiple people in a single home often use the same phone number, home address, and email address, Congress nevertheless defined these identifiers as “individually identifiable information” in the COPPA statute.^[118] The adoption of similar approaches in other legal regimes enacted since the 2013 Amendments further supports the Commission's position.^[119]

Nor does the Commission find compelling the argument that the 2013 persistent identifier modification has caused harm by hindering the ability of operators to monetize online content through targeted advertising. One of the stated goals of including persistent identifiers within the definition of “personal information” was to prevent the collection of personal information from children for behavioral advertising without parental consent.^[120] After reviewing the comments, the Commission has determined that the privacy benefits of such an approach outweigh the potential harm, including the purported harm created by requiring operators to provide notice and seek verifiable parental consent in order to contact children through targeted advertising.^[121]

Moreover, it bears noting, as the Commission did in 2013, that the expansion of the personal information definition was coupled with a newly created exception that allows operators to collect persistent identifiers from children to provide support for the internal operations of the website or online service without providing notice or obtaining parental consent. One of these purposes is serving contextual advertising, which provides operators another avenue for monetizing online content. The Commission continues to believe that it struck the proper balance in 2013 when it expanded the personal information definition while also creating a new exception to the Rule's requirements.

3. School and School-Authorized Education Purpose

As discussed in Part IV.C.3.a., the Commission proposes codifying current guidance on ed tech ^[122] by adding an Start Printed Page 2044 exception for parental consent in certain, limited situations in which a school authorizes an operator to collect personal information from a child. The Commission also proposes adding definitions for “school” and “school-authorized education purpose,” terms that are incorporated into the functioning of the proposed exception and necessary to cabin its scope. Part IV.C.3.a. provides further discussion about these definitions.

4. Support for the Internal Operations of the Website or Online Service

As discussed in Part IV.A.2.c., the 2013 Amendments expanded the definition of “personal information” to include stand-alone persistent identifiers “that can be used to recognize a user over time and across different websites or online services.” ^[123] The 2013 Amendments balanced this expansion by creating an exception to the Rule's notice and consent requirements for operators that collect a persistent identifier for the “sole purpose of providing support for the internal operations of the website or online service.” ^[124] The Rule defines “support for the internal operations of the website or online service” to include a number of specified activities and provides that the information collected to perform those activities cannot be used or disclosed “to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose.” ^[125]

A variety of commenters recommended modifying the definition of “support for the internal operations of the website or online service.” Multiple consumer and privacy advocates, academics, and one advertising platform called for the Commission to define “support for the internal operations” narrowly and thereby restrict the exception's use.^[126] For example, a coalition of consumer groups argued that the current definition is overly broad, too vague, and allows operators to avoid or minimize their COPPA obligations.^[127] These commenters cited the lack of clarity between data collection for permissible content personalization versus collection for impermissible behavioral advertising.^[128] To prevent operators from applying the exception too broadly, the coalition recommended a number of modifications to the definition, including limiting “personalization” to user-driven actions and to exclude methods designed to maximize user engagement.^[129]

Several commenters specifically recommended that the Commission exclude the practice of “ad attribution”—which allows the advertiser to associate a consumer's action with a particular ad—from the support for the internal operations definition.^[130] A group of State Attorneys General argued that ad attribution is unrelated to the activities enumerated in the definition and that the practice “necessarily involves `recogniz[ing] a user over time and across different [websites] or online services.' ” ^[131] Another commenter argued that companies should not be able to track children across online services to determine which ads are effective because the harm to privacy outweighs the practice's negligible benefit.^[132]

In contrast, many industry commenters recommended that the Commission expand the list of activities that fall under the support for the internal operations definition. With respect to ad attribution, these commenters generally cited the practical need of websites and online services that monetize through advertising to evaluate the effectiveness of ad campaigns or to measure conversion in order to calculate compensation for advertising partners.^[133] Some commenters characterized the practice as common and expected, and they argued that reducing the ability to monetize would result in the development of fewer apps and online experiences for children.^[134]

Several commenters stated that ad attribution already falls within the definition but supported a Rule modification to make this clear.^[135] One argued that the definition's prohibition on the collection of persistent identifiers for behavioral advertising “serves as a safeguard to assure that [attribution] is appropriately limited.” ^[136]

Commenters also recommended that a number of other practices should fall within the definition of “support for the internal operations of the website or online service.” These include additional ad measuring techniques,^[137] different types of personalization activities,^[138] product improvement,^[139] and fraud detection.^[140]

By expanding the definition of “personal information” to include stand-alone persistent identifiers, while at the same time creating an exception that allowed operators to collect such identifiers without providing notice and obtaining consent for a set of prescribed internal operations, the Commission struck an important balance between privacy and practicality in the 2013 Amendments.^[141] After careful consideration of the comments that addressed the Rule's support for the internal operations definition, the Commission does not believe that significant modifications to either narrow or expand the definition are necessary.

With respect to ad attribution, which generated significant commentary, the Commission believes the practice currently falls within the support for the internal operations definition. When it amended the definition in 2013, the Commission declined to enumerate certain categories of uses, including payment and delivery functions, optimization, and statistical reporting, in the Rule, stating that the definitional language sufficiently covered such functions as activities necessary to “ `maintain or analyze' the functions” of the website or service.^[142] The Commission believes that ad attribution, where a persistent identifier is used to determine whether a particular advertisement led a user to take a particular action, falls within various categories, such as the concept of “payment and delivery functions” and “optimization and statistical reporting.” When used as a tool against click fraud, ad attribution also falls within the category of “protecting against fraud or theft,” an activity that served as a basis for the Commission's creation of the support for the internal operations exception.^[143] That said, as the definition makes clear, the Commission would not treat ad attribution as support for the internal operations of the website or online service if the information collected to perform the activity is used or disclosed “to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose.” ^[144]

The definition's use restriction is an important safeguard to help ensure that operators do not misuse the exception that allows them to collect a persistent identifier in order to provide support for the internal operations without providing notice and obtaining consent.^[145] The Commission appreciates the concerns expressed by some commenters that there is a lack of clarity in how operators implement the support for the internal operations exception and that certain operators may not comply with the use restriction. To increase transparency and to help ensure that operators follow the use restriction, the Commission proposes modifying the online notice requirements in § 312.4(d) to require any operator using the support for the internal operations exception to specifically identify the practices for which the operator has collected a persistent identifier and the means the operator uses to comply with the definition's use restriction.^[146]

With respect to the other proposed additions, the Commission does not believe additional enumerated activities are necessary. Other proposed additions—such as personalization, product improvement, and fraud prevention—are already covered.^[147] As the Commission noted in developing the 2013 Amendments, the Commission is cognizant that future technical innovation may result in additional activities that websites or online services find necessary to support their internal operations.^[148] Therefore, the Commission reminds interested parties that they may utilize the process permitted under § 312.12(b) of the Rule, which allows parties to request Commission approval of additional activities to be included within the support for the internal operations definition based on a detailed justification and an analysis of the activities' potential effects on children's online privacy.

Although the Commission does not find it necessary to modify the definition's enumerated activities, it does propose modifications to the definition's use restriction. Currently, the use restriction applies to each of the seven enumerated activities in the definition, and it states that information collected for those enumerated activities may not be used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose.^[149] However, certain of these activities likely necessarily require an operator to contact an individual, for example in order to “[f]ulfill a request of a child as permitted by §§ 312.5(c)(3) and (4).” ^[150] Therefore, the Commission proposes clarifying language to indicate that the information collected for these enumerated activities may be used or disclosed to carry out the activities permitted under the support for the internal operations exception.

In addition, the Commission proposes expanding its non-exhaustive list of use restrictions. The Commission agrees with commenters who argued that the support for the internal operations exception should not be used to allow operators to maximize children's engagement without verifiable parental consent. Therefore, the Commission proposes prohibiting operators that use this exception from using or disclosing personal information in connection with processes, including machine learning processes, that encourage or prompt use of a website or online service. This proposed addition prohibits operators from using or disclosing persistent identifiers to optimize user attention or maximize user engagement with the website or online service, including by sending notifications to prompt the child to engage with the site or service, without verifiable parental consent.

The Commission welcomes comment on whether there are other engagement Start Printed Page 2046 techniques the Rule should address. The Commission also welcomes comment on whether and how the Rule should differentiate between techniques used solely to promote a child's engagement with the website or online service and those techniques that provide other functions, such as to personalize the child's experience on the website or online service.

5. Website or Online Service Directed to Children

The Commission proposes a number of changes to the definition of “website or online service directed to children.” Overall, the Commission does not intend these proposed changes to alter the definition substantively; rather, the changes will provide additional insight into and clarity regarding how the Commission currently interprets and applies the definition.

a. Multi-Factor Test

The first paragraph of the definition sets forth a list of factors the Commission will consider in determining whether a particular website or online service is child-directed. The Commission received a significant number of comments regarding the Rule's multi-factor test. Several industry commenters encouraged the FTC to continue relying on a multi-factor test to determine whether a site or service is directed to children, balancing both context ( e.g., intent to target children, promoted to children, and empirical evidence of audience) and content ( e.g., subject matter, animation, and child-oriented activities) factors.^[151] These commenters discouraged the FTC from relying on a single factor taken alone, arguing that a multi-factor evaluation allows flexibility and takes into account that some factors may be more or less indicative than others.^[152]

At the same time, commenters also recommended that the Commission reevaluate the test's existing factors, claiming that some are outdated and no longer seem indicative of child-directed websites or online services. For example, several industry members noted that content styles such as animation are not necessarily determinative of whether a service is child-directed.^[153] In addition, several industry members recommended that the FTC consider giving more weight to particular factors when determining whether a website or online service is directed to children or that it create a sliding scale for existing factors to provide more guidance for operators.^[154] For example, a number of commenters recommended that the Commission weigh more heavily operators' intended audience as opposed to empirical evidence of audience composition.^[155]

Several FTC-approved COPPA Safe Harbor programs suggested adding new factors to the Rule to help guide operators, including by adding an operator's self-categorization to third parties. One such program, for example, recommended considering marketing materials directed to third-party partners or advertisers, claiming that such materials can provide insights on the operator's target and users.^[156] Another supported consideration of “whether an operator self-categorizes its website or online service as child-directed on third[-]party platforms.” ^[157] A third FTC-approved COPPA Safe Harbor program recommended requiring operators to periodically analyze the demographics of their audience or users and to consider consumer inquiries and complaints.^[158]

Some commenters cautioned against relying on an operator's internal rating system or a third party's rating system as a factor.^[159] One such commenter argued that relying on operators' internal rating systems would potentially punish those that engage in good faith, responsible review activities and might violate section 230 of the Communications Decency Act.^[160] The commenter also argued that a third party's ratings do not constitute competent and empirical evidence regarding audience composition or evidence regarding the intended audience, and further argued that relying on such ratings increases an operator's risk of unexpected liability, particularly if the rating system may have been developed for a purpose unrelated to the COPPA Rule's factors.^[161]

The Commission continues to believe that the Rule's multi-factor test, which applies a “totality of the circumstances” standard, is the most practical and effective means for determining whether a website or online service is directed to children. The determination of whether a given site or service is child-directed is necessarily fact-based and requires flexibility as individual factors may be more or less relevant depending on the context. Moreover, a requirement that the Commission, in all cases, weigh more heavily certain factors could unduly hamper the Commission's law enforcement efforts. For example, it is Start Printed Page 2047 not hard to envision operators circumventing the Rule by claiming an “intended” adult audience despite the attributes and overall look and feel of the site or service appearing to be directed to children.^[162] Additionally, a rigid approach that prioritizes specific factors is unlikely to be nimble enough to address a site or service that changes its characteristics over time.

The Commission does not propose eliminating any of the existing factors or modifying how it applies the multi-factor test.^[163] However, the Commission proposes modifications to clarify the evidence the Commission will consider regarding audience composition and intended audience.

Specifically, the Commission proposes adding a non-exhaustive list of examples of evidence the Commission will consider in analyzing audience composition and intended audience. The Commission agrees with those commenters that argued that an operator's marketing materials and own representations about the nature of its site or service are relevant. Such materials and representations can provide insight into the operator's understanding of its intended or actual audience and are thus relevant to the Commission's analysis. Additionally, the Commission believes that other factors can help elucidate the intended or actual audience of a site or service, including user or third-party reviews and the age of users on similar websites or services. Therefore, the Commission proposes adding “marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services” as examples of evidence the Commission will consider. Because many of these examples can provide evidence as to both audience composition and intended audience, the Commission also proposes a technical fix to remove the comma between “competent and reliable empirical evidence regarding audience composition” and “evidence regarding the intended audience.”

b. Operators Collecting Personal Information From Other Websites and Online Services Directed to Children

The second paragraph of the definition of “website or online service directed to children” states “[a] website or online service shall be deemed directed to children when it has actual knowledge that it is collecting personal information directly from users of another website or online service directed to children.” ^[164] The Commission added this language in 2013, along with parallel changes to the definition of “operator,” in order “to allocate and clarify the responsibilities under COPPA” of third parties that collect information from users of child-directed sites and services.^[165] The changes clarified that the child-directed content provider is strictly liable when a third party collects personal information through its site or service, while the third party is liable only if it had actual knowledge that the site or service from which it was collecting personal information was child-directed.^[166]

Because the second paragraph of this definition specifies that the operator must have actual knowledge that it is collecting personal information “directly” from users of another site or service, the Commission is concerned that entities with actual knowledge that they receive large amounts of children's data from another site or service that is directed to children, without collecting it directly from the users of such site or service, may avoid COPPA's requirements. For example, the online advertising ecosystem involves ad exchanges that receive data from an ad network that has collected information from users of a child-directed site or service. In the same spirit of avoiding a loophole that led the Commission to amend the Rule in 2013, the Commission proposes modifying the current language by deleting the word “directly.” The Commission did not seek comment in the 2019 Rule Review Initiation on this aspect of the Rule's definition of “website or online service directed to children” and therefore welcomes comment on this proposed modification.

c. Mixed Audience

The 2013 Amendments established a distinction between child-directed sites and services that target children as a “primary audience” and those for which children are one of multiple audiences—so called “mixed audience” sites or services. Specifically, the Rule provides that a website or online service that meets the multi-factor test for being child-directed “but that does not target children as its primary audience, shall not be deemed directed to children” so long as the operator first collects age information and then prevents the collection, use, or disclosure of information from users who identify as younger than 13 before providing notice and obtaining verifiable parental consent.^[167] This allows operators of mixed audience sites or services to use an age-screen and apply COPPA protections only to those users who are under 13.

Although there appears to be general support for the mixed audience classification, a number of commenters cited confusion regarding its application and called on the Commission to provide additional clarity on where to draw the line between general audience, primarily child-directed, and mixed audience categories of sites and services.^[168] One commenter noted that the mixed audience definition is confusing and the language “shall not be deemed directed to children” Start Printed Page 2048 suggests that such sites or services are not within the definition of child-directed websites or online services.^[169] Others recommended the Commission use a specific threshold for making the determination or provide additional guidance based on the Rule's multi-factor test.^[170]

Commenters also questioned the effectiveness of age screening, with some arguing that children have been conditioned to lie about their age in order to circumvent age gates.^[171] Others expressed support for the current approach,^[172] and some warned against specifying proscriptive methods for age screening, as it could prevent companies from innovating new methods.^[173]

Through the 2013 Amendments, the Commission intended mixed audience sites and services to be a subset of the “child-directed” category of websites or online services to which COPPA applies. A website or online service falls under the mixed audience designation if it: (1) meets the Rule's multi-factor test for being child-directed; and (2) does not target children as its primary audience. Unlike other child-directed sites and services, mixed audience sites and services may collect age information and need only apply COPPA's protections to those users who identify as under 13. An operator falling under this mixed audience designation may not collect personal information from any visitor until it collects age information from the visitor. To the extent the visitor identifies themselves as under age 13, the operator must provide notice and obtain verifiable parental consent before collecting, using, and disclosing personal information from the visitor.^[174]

To make its position clearer, the Commission proposes adding to the Rule a separate, stand-alone definition for “mixed audience website or online service.” This definition provides that a mixed audience site or service is one that meets the criteria of the Rule's multi-factor test but does not target children as the primary audience.^[175]

The proposed definition also provides additional clarity on the means by which an operator of a mixed audience site or service can determine whether a user is a child. First, the Commission agrees with the comments that recommend it allow operators flexibility in determining whether a user is a child. To that end, the proposed definition allows operators to collect age information or use “another means that is reasonably calculated, in light of available technology, to determine whether the visitor is a child,” reflecting a standard used elsewhere in the Rule.^[176] Although currently collecting age information may be the most practical means for determining that a user is a child, the proposed definition allows operators to innovate and develop additional mechanisms that do not rely on a user's self-declaration.^[177]

Additionally, consistent with long-standing staff guidance,^[178] the proposed mixed audience definition specifically requires that the means used for determining whether a visitor is a child “be done in a neutral manner that does not default to a set age or encourage visitors to falsify age information.” This, for instance, would prevent operators from suggesting to users that certain features will not be available for users who identify as younger than 13.

To further clarify the obligations of an operator of a mixed audience site or service, the Commission also proposes amending paragraph (3) of the definition of “website or online service directed to children” by stating that such operators shall not be deemed directed to children with regard to any visitor not identified as under 13.

B. Notice (16 CFR 312.4)

The Commission proposes a number of modifications to the Rule's direct notice and online notice provisions.

1. Direct Notice to the Parent (Paragraph (b))

Section 312.4(b) requires operators to make reasonable efforts to ensure that parents receive direct notice of an operator's practices with respect to the collection, use, or disclosure of children's information. The Commission proposes adding references to “school” in § 312.4(b) to cover the situation in which an operator relies on authorization from a school to collect information from a child and provides the direct notice to the school rather than to the child's parent. As discussed in Part IV.C.3.a., the Commission is proposing to add an exception to the Rule's parental consent requirement where an operator, in limited contexts, obtains authorization from a school to collect a child's personal information. For purposes of authorization, “school” includes individual schools as well as local educational agencies and State educational agencies, as those terms are defined under Federal law.^[179]

Just as notice is necessary for a parent to provide informed and meaningful consent, a school must also obtain information about an operator's data Start Printed Page 2049 collection and use practices before authorizing collection. Therefore, as part of the proposed school authorization exception, an operator must make reasonable efforts to ensure that the school receives the notice that the operator would otherwise provide to a child's parent.

2. Content of the Direct Notice (Paragraph (c))

Section 312.4(c) details the content of the direct notice required where an operator avails itself of one of the Rule's exceptions to prior parental consent set forth in § 312.5(c)(1)–(8). The Commission proposes several modifications to § 312.4(c). The first is to delete the reference to “parent” in the § 312.4(c) heading. This modification is to accommodate the proposed new § 312.4(c)(5), which specifies the content of the direct notice where an operator relies on school authorization to collect personal information.

Next, the Commission proposes modifying language in § 312.4(c)(1) and a number of its paragraphs. As currently drafted, this section sets forth the required content of direct notice when an operator collects personal information in order to initiate parental consent under the parental consent exception listed in § 312.5(c)(1). The Commission proposes revising the heading of § 312.4(c)(1) by adding the phrase “for purposes of obtaining consent, including . . .” after “[c]ontent of the direct notice to the parent” and before “under § 312.5(c)(1).” This change would clarify that this direct notice requirement applies to all instances in which the operator provides direct notice to a parent for the purposes of obtaining consent, including under § 312.5(c)(1).

In its current form, § 312.4(c)(1) presumes that an operator has collected a parent's online contact information and, potentially, the name of the child or parent. However, operators are free to use other means to initiate parental consent, including those that do not require collecting online contact information. For example, an operator could use an in-app pop-up message that directs the child to hand a device to the parent and then instructs a parent to call a toll-free number. The modification is intended to clarify that even where the operator does not collect personal information to initiate consent under § 312.5(c)(1), it still must provide the relevant aspects of the § 312.4(c)(1) direct notice to the parent.

Because the Commission's proposed changes to § 312.4(c)(1) would expand the scope of when an operator must provide this direct notice, the Commission proposes modifications to indicate that §§ 312.4(c)(1)(i) and newly-numbered 312.4(c)(1)(vii) may not be applicable in all instances.^[180] Additionally, because §§ 312.4(c)(1)(i) and newly-numbered 312.4(c)(1)(vii) apply to scenarios in which an operator is obtaining parental consent under the parental consent exception provided in § 312.5(c)(1), the Commission proposes making minor modifications to those sections to align language with that exception. Specifically, that exception permits operators to collect a child's name or online contact information prior to obtaining parental consent, and the proposed notice would require the operator to indicate when it has collected a child's name or online contact information.

The Commission also proposes adding a new paragraph (iv) to require that operators sharing personal information with third parties identify the third parties as well as the purposes for such sharing, should the parent provide consent. This new paragraph (iv) will also require the operator to state that the parent can consent to the collection and use of the child's information without consenting to the disclosure of such information, except where such disclosure is integral to the nature of the website or online service.^[181] For example, such disclosure could be integral if the website or online service is an online messaging forum through which children necessarily have to disclose their personal information, such as online contact information, to other users on that forum. The Commission believes that this information will enhance parents' ability to make an informed decision about whether to consent to the collection of their child's personal information. In order to minimize the burden on operators, and to maintain the goal of providing parents with a clear and concise direct notice, the proposed modification allows operators to disclose the categories of third parties with which the operator shares data rather than identifying each individual entity. The Commission welcomes further comment on whether information regarding the identities or categories of third parties with which an operator shares information is most appropriately placed in the direct notice to parents required under § 312.4(c) or in the online notice required under § 312.4(d).

Additionally, the Commission proposes a number of clarifying changes. First, the Commission proposes clarifying that the information at issue in the first clause of § 312.4(c)(1)(ii) is “personal information.” ^[182] Second, in § 312.4(c)(1)(iii), the Commission proposes clarifying that the direct notice must include how the operator intends to use the personal information collected from the child. For example, to the extent an operator uses personal information collected from a child to encourage or prompt use of the operator's website or online service such as through a push notification, such use must be explicitly stated in the direct notice. Additionally, the Commission further proposes to change the current use of “or” to “and” to indicate that the operator must provide all information listed in § 312.4(c)(1)(iii). Lastly, the Commission also proposes removing the term “additional” from § 312.4(c)(1)(iii) because this paragraph no longer applies solely to instances in which the operator collects the parent's or child's name or online contact information.

In addition to the proposed modifications to § 312.4(c)(1), the Commission proposes adding § 312.4(c)(5) to identify the content of the direct notice an operator must provide when seeking to obtain school authorization to collect personal information.^[183] While tailored to the school context, the requirements in this new provision generally track the proposed modifications to § 312.4(c)(1).^[184]

3. Notice on the Website or Online Service (Paragraph (d))

The Commission proposes two additions to the Rule's online notice requirement. These additions pertain to an operator's use of the exception for prior parental consent set forth in § 312.5(c)(7) and the proposed exception set forth in new proposed § 312.5(c)(9).^[185] The Commission also proposes certain modifications to the Rule's existing online notice requirements.

First, the Commission proposes adding a new paragraph, § 312.4(d)(3), which would require operators that collect a persistent identifier under the support for the internal operations exception in § 312.5(c)(7) to specify the particular internal operation(s) for which the operator has collected the persistent identifier and describe the means it uses to ensure that it does not use or disclose the persistent identifier to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, in connection with processes that encourage or prompt use of a website or online service, or for any other purpose, except as permitted by the support for the internal operations exception.^[186]

Currently, an operator that collects a persistent identifier pursuant to § 312.5(c)(7) is not required to provide notice of the collection. The Commission finds merit in the concerns expressed by some commenters about a lack of transparency in how operators implement the support for the internal operations exception and the extent to which they comply with the exception's restrictions.^[187] The Commission believes that the proposed disclosure requirements will provide additional clarity into the use of § 312.5(c)(7), will enhance operator accountability, and will function as an important tool for monitoring COPPA compliance.

Second, as discussed in Part IV.C.3.b., the Commission proposes a new parental consent exception, codifying its law enforcement policy statement regarding the collection of audio files.^[188] Consistent with this codification, the Commission also proposes a new § 312.4(d)(4) requiring that an operator that collects audio files pursuant to the new § 312.5(c)(9) exception describe how the operator uses the audio files and to represent that it deletes such files immediately after responding to the request for which the files were collected.

The Commission also proposes a number of other modifications to the Rule's online notice requirements. Specifically, the Commission proposes modifying § 312.4(d)(2) to require additional information regarding operators' disclosure practices and operators' retention policies.^[189] As discussed earlier, the Commission believes that this information will enhance parents' ability to make an informed decision about whether to consent to the collection of their child's personal information. The Commission notes that the COPPA Rule's online notice provision requires that operators describe how they use personal information collected from children.^[190] For example, to the extent an operator uses personal information collected from a child to encourage or prompt use of the operator's website or online service such as through a push notification, such use must be explicitly stated in the online notice. The Commission also proposes adding “if applicable” to current § 312.4(d)(3) (which would be redesignated as § 312.4(d)(5)) in order to acknowledge that there may be situations in which a parent cannot review or delete the child's personal information.^[191]

Lastly, the Commission proposes to delete the reference to “parent” in the § 312.4(d) introductory text. This proposal is to align with the Commission's new proposed direct notice requirement to accommodate the proposed new school authorization exception found in § 312.5(c)(10).

4. Additional Notice on the Website or Online Service Where an Operator Has Collected Personal Information Under § 312.5(c)(10) (New Paragraph § 312.4(e))

The Commission also proposes adding a separate online notice provision applicable to operators that obtain school authorization to collect personal information from children pursuant to the proposed exception set forth in § 312.5(c)(10). These disclosures are in addition to the requirements of § 312.4(d). The Commission believes these proposed disclosures will convey important information to parents regarding the limitations on an operator's use and disclosure of personal information collected under the school authorization exception, and the school's ability to review that information and request the deletion of such information.^[192]

C. Parental Consent (16 CFR 312.5)

The verifiable parental consent requirement, in combination with the notice provisions, is a fundamental component of the COPPA Rule's ability to protect children's privacy. The Rule requires operators to obtain verifiable parental consent before they collect, use, or disclose a child's personal information.^[193] Operators must make “reasonable efforts to obtain verifiable parental consent” and any parental consent method “must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.” ^[194] Although the Rule sets forth a non-exhaustive list of methods that the Commission has recognized as meeting this standard, the Commission encourages operators to develop their own consent mechanisms provided they meet the “reasonably calculated standard” required by § 312.5(b)(1). In addition to the enumerated consent mechanisms listed in § 312.5(b)(2), § 312.5(c) provides several exceptions pursuant to which an operator may collect limited personal information without first obtaining parental consent and, in some cases, without providing notice.

The Commission requested comment in its 2019 Rule Review Initiation on the efficacy of the Rule's consent requirements, including whether the Commission should add to the list of approved methods and whether there are ways to encourage the development of new consent methods. The Commission also requested comment on whether the Commission should consider additional exceptions to the consent requirement, including with respect to the collection of audio files Start Printed Page 2051 containing a child's voice and in the educational context where a school authorizes the operator to collect personal information.

The Commission proposes modifying the Rule's consent requirements in a number of ways. First, the Commission proposes requiring the operator to obtain separate verifiable parental consent before disclosing personal information collected from a child. The Commission also proposes modifying the consent method set forth in § 312.5(b)(2)(ii) and incorporating into the Rule two previously approved consent mechanisms submitted through the § 312.12(a) voluntary process. Lastly, the Commission proposes modifying the parental consent exceptions set forth in § 312.5(c)(4), (6), and (7) and adding exceptions for where an operator relies on school authorization and for the collection of audio files that contain a child's voice.

1. General Requirements (Paragraph (a))

Section 312.5(a)(1) provides that an operator must obtain verifiable parental consent before collecting, using, or disclosing personal information from a child. While the Commission does not propose modifications to this paragraph, it seeks to make a clarification. This requirement applies to any feature on a website or online service through which an operator collects personal information from a child. For example, if an operator institutes a feature that prompts or enables a child to communicate with a chatbot or other similar computer program that simulates conversation, the operator must obtain verifiable parental consent before collecting any personal information from a child through that feature. While the Commission is not proposing modifications to this paragraph, it welcomes comment on it.

Section 312.5(a)(2) currently states that “[a]n operator must give the parent the option to consent to the collection and use of the child's information without consenting to disclosure of his or her personal information to third parties.” The Commission proposes bolstering this requirement by adding that operators must obtain separate verifiable parental consent for disclosures of a child's personal information, unless such disclosures are integral to the nature of the website or online service.^[195] Under the proposed language, operators required to obtain separate verifiable parental consent for disclosures may not condition access to the website or online service on such consent.

In the preamble of the 1999 initial COPPA Rule, the Commission noted that “disclosures to third parties are among the most sensitive and potentially risky uses of children's personal information. This is especially true in light of the fact that children lose even the protections of [COPPA] once their information is disclosed to third parties.” ^[196] The Commission remains concerned about the disclosure of personal information collected from children. Indeed, one commenter noted that “[c]hildren today face surveillance unlike any other generation—their every movement online and off can be tracked by potentially dozens of different companies and organizations.” ^[197]

The Commission believes that information sharing is a pervasive practice. Therefore, the Commission finds it appropriate to provide parents with greater control over the disclosure of their children's information by clarifying that § 312.5(a)(2) requires operators to obtain separate verifiable parental consent for disclosures. This includes disclosure of persistent identifiers for targeted advertising purposes, as well as disclosure of other personal information for marketing or other purposes. The Commission did not seek comment on this particular aspect of the Rule's verifiable parental consent requirements in the 2019 Rule Review Initiation and welcomes comment on this proposed modification.

2. Methods for Verifiable Parental Consent (Paragraph (b))

The Commission received numerous comments related to the methods by which operators can obtain parental consent. Many commenters criticized particular approved parental consent methods. Some characterized the methods as outdated or counterintuitive.^[198] Others complained that the methods failed to serve unbanked or low-income families who may lack access to the means to provide consent, such as a credit card.^[199] Some commenters suggested that the use of credit card data and government-issued IDs are too privacy-invasive,^[200] while one advocate claimed that the current methods are better indicators of adulthood than parenthood.^[201]

Commenters also expressed concern that the current methods include too much friction, resulting in significant drop-off during the consent process. Commenters noted that this friction discourages operators from creating services that target children or creates an incentive to limit their collection of personal information to avoid triggering COPPA.^[202] Consistent with this view, the Network Advertising Initiative stated that “[r]ecognizing that verifiable parental consent mechanisms are challenging and expensive to implement, and result in considerable drop-off, the practical reality is that most ad-tech companies simply seek to avoid advertising to children altogether.” ^[203] Other commenters warned that cumbersome consent methods can drive children to general audience sites, which may have fewer digital safety and privacy protections in place.^[204]

Some commenters suggested modifying existing consent methods or adding new ones. For example, several recommended that the Commission eliminate the need for a monetary transaction when an operator obtains consent through a credit or debit card or an online payment system where the system provides notification of transactions that do not involve a charge.^[205] Some recommended Start Printed Page 2052 modifying the Rule to allow for the use of text messages to obtain consent. Those commenters noted that text messages are a common alternative to email for verification purposes and argued that text message-based consent is no weaker than consent initiated through the collection of an email address.^[206]

Other commenters called for the Commission to add to the list of approved consent methods. They recommended allowing the use of fingerprint or facial recognition technologies that already exist in parents' mobile devices,^[207] voice recognition technology currently used in the online banking context,^[208] and a variety of other technologies and tools.^[209]

Several commenters recommended that the Commission encourage platforms to participate in the parental consent process.^[210] One suggested that platforms could provide notifications to the consenting parent about the intended collection, use, or disclosure of the child's personal information.^[211] Another suggested that parents would be more likely to engage with platforms than to provide consent on a service-by-service basis.^[212]

Commenters also recommended different procedural steps the Commission could undertake. These include such things as the Commission using its authority to conduct studies on the costs and benefits of different consent methods,^[213] streamlining the Rule's current 120-day comment period on applications for new parental consent methods,^[214] and convening stakeholder meetings to explore effective solutions.^[215]

After reviewing these comments, the Commission continues to believe that the Rule's current approach to verifiable parental consent is appropriate and sound. With respect to the more general concerns that COPPA's consent methods create “friction,” the Commission stresses that COPPA requires a balance between facilitating consent mechanisms that are not prohibitively difficult for operators or parents, while also ensuring that it is a parent granting informed consent, rather than a child circumventing the process. In response to commenters indicating that this friction has discouraged operators from creating services or caused operators to change their practices, the Commission welcomes the development of methods that prove less cumbersome for operators while still meeting COPPA's statutory requirements.

As to the more specific criticisms of the approved consent mechanisms set forth in the Rule, the Commission notes that operators are not obligated to use any of those methods.^[216] Rather, operators are free to develop and use any method that meets the standard contained in § 312.5(b)(1) and to tailor their approach to their own individual situation.

While it is possible that some of the suggested methods could meet the § 312.5(b)(1) requirement, the Commission does not believe the comments contain sufficient detail or context for it to propose adding these additional consent methods at this time. The Commission welcomes further explanation detailing the necessity and practicality of any recommended new consent method, including how it would satisfy the Rule's requirements. This could come in the form of additional comments or through the voluntary approval process provided in § 312.12(a) of the Rule.

At the same time, the Commission agrees that platforms could play an important role in the consent process, and the Commission has long recognized the potential of a platform-based common consent mechanism.^[217] The Commission would also welcome further information on the role that platforms could play in facilitating the obtaining of parental consent. In particular, the Commission would be interested in any potential benefits platform-based consent mechanisms would create for operators and parents and what specific steps the Commission could take to encourage development of such mechanisms.

The Commission also agrees with the recommendation that it modify the Rule to eliminate the monetary transaction requirement when an operator obtains consent through a parent's use of a credit card, debit card, or an online payment system. As one commenter noted, many of these payment mechanisms provide a means for the account holder to receive notification of every transaction, even those that cost no money, such as a free mobile app download.^[218] In addition, many operators offer their apps or other online services at no charge. Requiring such operators to charge the parent a fee when seeking consent undercuts their ability to offer the service at no cost. Further, the Commission understands that some consumers might be hesitant to complete consent processes when they will incur even a nominal monetary charge.

In proposing this modification, the Commission notes that it had previously determined that a monetary transaction was necessary for this form of consent.^[219] At that time, the Commission reasoned that requiring a monetary transaction would increase the method's reliability because the parent would receive a record of the transaction. This would provide the parent notice of purported consent, which, if improperly given, the parent could then withdraw. Because § 312.5(b)(2)(ii), as proposed to be modified, would still require notice of a discrete transaction, even where there is no monetary charge, the Commission believes this indicia of reliability is preserved. Where a payment system cannot provide notice absent a monetary charge, an operator will not be able to obtain consent through this method.

The Commission also agrees with the recommendation to modify the Rule to allow the use of text messages to obtain consent. As discussed in Part IV.A.1., the Commission believes this is achieved through its proposed modification to the “online contact information” definition.^[220] Therefore, the Commission does not propose Start Printed Page 2053 modifying § 312.5(b)(2)(ii) to address this recommendation.

In addition to the modification to § 312.5(b)(2)(ii), the Commission also proposes adding two parental consent methods to § 312.5(b). These methods are knowledge-based authentication and the use of facial recognition technology. The Commission approved both methods pursuant to the § 312.12(a) process created from the 2013 Amendments.^[221]

3. Exceptions to Prior Parental Consent (Paragraph (c))

The Commission also received numerous comments regarding possible additional exceptions to the Rule's parental consent requirement. The majority of the commenters addressing this issue focused on whether the Commission should allow schools to authorize data collection, use, and disclosure in certain circumstances rather than requiring ed tech operators to obtain parental consent. A smaller number of commenters addressed whether the Commission should codify in the Rule its existing enforcement policy statement regarding the collection of audio files. In addition, several commenters recommended that the Commission expand the Rule's current one-time use exception.

The Commission proposes creating exceptions for where an operator relies on school authorization and for the collection of audio files that contain a child's voice. The Commission also proposes a modification to § 312.5(c)(7), which relates to the support for the internal operations exception, to align with proposed new requirements.^[222] Additionally, Commission proposes a modification to § 312.5(c)(4) to exclude from this exception the use of push notifications to encourage or prompt use of a website or online service. Finally, the Commission proposes technical modifications to § 312.5(c)(6). At this time, the Commission does not propose expanding the Rule's current one-time use exception.

a. School Authorization Exception

In response to the Commission's initial proposed COPPA Rule in 1999, stakeholders expressed concern about how the Rule would apply to the use of websites and online services in schools. Some of these commenters claimed that requiring parental consent to collect students' information could interfere with classroom activities.^[223] In response, the Commission noted in the final Rule's preamble “that the Rule does not preclude schools from acting as intermediaries between operators and parents in the notice and consent process, or from serving as the parents' agent in the process.” ^[224] It further stated, “where an operator is authorized by a school to collect personal information from children, after providing notice to the school of the operator's collection, use, and disclosure practices, the operator can presume that the school's authorization is based on the school's having obtained the parent's consent.” ^[225] Since that time, Commission staff has provided additional guidance on this issue through its “Complying with COPPA: Frequently Asked Questions” document (“COPPA FAQs”), which specifies that an operator may rely on school consent when it collects a child's personal information provided the operator uses the information for an educational purpose and for “no other commercial purpose.” ^[226] The Commission has since issued a policy statement on COPPA's application to ed tech providers, similarly noting that operators of ed tech that collect personal information pursuant to school authorization are prohibited from using such information for any commercial purpose, including marketing, advertising, or other commercial purposes unrelated to the provision of the school-requested online service.^[227]

In recent years there has been a significant expansion of ed tech used in both classrooms and in the home.^[228] This expansion, in the form of students' increased access to school-issued computers and online learning curricula, raised questions about ed tech providers' compliance with the Rule as well as calls for additional guidance on how COPPA applies in the school context. Stakeholders also questioned how COPPA obligations relate to those operators subject to FERPA, the federal law that protects the privacy of “education records,” and its implementing regulations.^[229]

In 2017, the FTC and the Department of Education hosted a workshop on student privacy and ed tech to explore these questions.^[230] Through the discussions at the workshop, the Commission gathered information that helped inform the questions posed in the 2019 Rule Review Initiation regarding the application of the COPPA Rule to the education context. The Commission asked whether it should modify the Rule to add an exception to the parental consent requirement where the school provides authorization and, if so, whether the exception should mirror the requirements of FERPA's “school official exception.” ^[231] The Commission also asked for comment on various aspects of a school authorization exception, including how student data could be used, who at the school should be able to provide consent, and notice to parents.^[232]

i. Whether To Include a School Authorization Exception in the Rule

Numerous commenters representing industry and schools, along with some consumer groups, expressed support for codifying a school authorization exception in the Rule so long as such exception is consistent with FERPA and its implementing regulations. That is, where there is a legitimate educational interest to collect the child's data, the school maintains direct control of the data, and the operator uses the data only as permitted by the school and complies with disclosure limits.^[233]

In supporting such an exception, several of these commenters raised concerns that requiring schools to obtain consent from parents would be burdensome and costly for schools.^[234] These commenters claimed that the burden would include obtaining parental consent as well as providing curriculum to students whose parents did not consent to the use of the ed tech program.^[235]

Commenters also raised concerns about requiring ed tech providers to obtain verifiable parental consent from parents. For example, commenters expressed concern that requiring operators to obtain parental consent would require operators to collect additional personal information from parents, much of which is not necessary to provide the educational service, which contradicts data minimization principles.^[236] One commenter argued that requiring parents to consent would lead to “consent fatigue,” ^[237] while another commenter explained that operators often do not have a direct touchpoint with parents that could facilitate the consent process.^[238]

The Illinois Council of School Attorneys argued that schools are often in a better position than parents to evaluate ed tech products.^[239] They also pointed to privacy protections in the FERPA school official exception including the requirement that the school maintain direct control of the data and the operator use the data for only limited, authorized purposes.^[240] Finally, in supporting a school authorization exception, some commenters stated that numerous operators have built up their consent process in reliance on the Commission's existing guidance indicating that COPPA permits schools to provide consent for educational purposes.^[241]

However, not all commenters supported a school authorization exception, with several consumer groups, parent organizations, and government representatives raising various concerns.^[242] For example, a coalition of consumer groups argued that a COPPA exception aligned with FERPA would not adequately protect children because FERPA fails to provide a clear standard for when a party has a “legitimate educational interest” as required by the school official exception. The coalition also claimed that schools fail to adequately inform parents about the use of FERPA's school official exception and that most schools are ill-equipped to properly vet the privacy and security practices of ed tech services.^[243] Another advocacy organization cited statistics purportedly showing that schools do not comply with the school official exception.^[244]

A number of individual parents also opposed the exception. These individuals emphasized that parents should retain the ability afforded to them under COPPA to provide consent to collect, use, and share their children's data.^[245] One parent noted that over 400 ed tech providers had access to her Start Printed Page 2055 child's data, and that she is unable to understand what information was shared with each provider.^[246] These parents noted that school districts should not be able to provide consent to ed tech providers on their behalf,^[247] and further noted that including such an exception would weaken COPPA rather than strengthen it.^[248]

Another concern raised was that such an exception could ultimately swallow the Rule.^[249] For instance, in a joint comment of multiple State Attorneys General, the Attorneys General cited the incredible growth in ed tech and noted the technologies are not cabined to the classroom but are often encouraged to be used by students at home, and sometimes for non-educational purposes. The Attorneys General argued that, because the use of ed tech is often mandatory for students, an exception to COPPA's parental consent requirement would force parents to choose between education and their children's online privacy.^[250]

While opposing a school authorization exception, the Parent Coalition for Student Privacy argued that if the Commission decides to create one, its applicability should be limited in scope. Specifically, the Coalition argued that schools should not be able to consent to the collection of particularly sensitive data, such as medical or geolocation information.^[251]

After careful consideration of the comments, the Commission proposes codifying in the Rule its long-standing guidance that schools, State educational agencies, and local educational agencies may authorize the collection of personal information from students younger than 13 in very limited circumstances; specifically, where the data is used for a school-authorized education purpose and no other commercial purpose.^[252]

When a child goes to school, schools have the ability to act in loco parentis under certain circumstances. This is particularly the case when schools are selecting the means through which the schools and school districts can achieve their educational purposes, such as when deciding which educational technologies to use in their classrooms. The Commission finds compelling the concern that requiring parental consent in the educational context would impose an undue burden on ed tech providers and educators alike. As an initial matter, many ed tech providers have relied upon and structured their consent mechanisms based on the Commission's existing guidance. Requiring providers to reconfigure their systems to obtain parental consent directly from parents would undoubtedly create logistical problems that could increase costs and potentially dissuade some ed tech providers from offering their services to schools.^[253]

The need for parental consent is also likely to interfere with educators' curriculum decisions. As a practical matter, obtaining consent from the parents of every student in a class often will be challenging, in many cases for reasons unrelated to privacy concerns. In situations where some number of parents in a class decline to consent to their children's use of ed tech, schools would face the prospect of foregoing particular services for the entire class or developing a separate mechanism for those students whose parents do not consent. Because the proposed school authorization exception restricts an operator's use of children's data to a school-authorized education purpose and precludes use for commercial purposes such as targeted advertising, it may ultimately be more privacy-protective than requiring ed tech providers to obtain consent from parents.

Finally, the proposed school authorization exception requires that the ed tech provider and the school have in place a written agreement setting forth the exception's requirements.^[254] This includes identifying who from the school may provide consent and attesting that such individual has the authority to provide consent; the limitations on the use and disclosure of student data; the school's control over the use, disclosure, and maintenance of the data; and the operator's data retention policy. Accordingly, the proposed exception incorporates the privacy protections contained in the FERPA school official exception. This exception also builds on FERPA's protections by incorporating the Commission's existing prohibition on the use of student data for non-educational commercial purposes.

ii. Permitted Use of Data Collected Through the School Authorization Exception

Existing staff guidance indicates that, where the school authorizes data collection, an operator may only use children's data for an educational purpose and for no other commercial purpose.^[255] However, there has been confusion around the parameters of what constitutes an “educational purpose” as opposed to a “commercial purpose.” ^[256] Many of the commenters that support a school authorization exception to parental consent called on the Commission to clarify the permissible uses of data collected under such an exception.^[257] In an effort to seek further clarity, commenters suggested specific uses that the Commission should explicitly allow or exclude under the exception.^[258]

Among these commenters, there was general agreement that the exception should not permit ed tech providers to use student data for marketing purposes, such as serving personalized advertisements.^[259] The comments Start Printed Page 2056 reflected less consensus on the question of whether to allow operators to engage in product improvement or development. Some commenters favored allowing product improvement or development under limited circumstances. For example, Lego recommended that the exception allow operators to use aggregated or anonymized data to improve existing products or develop new products that would benefit students.^[260] The 5Rights Foundation similarly noted that, if the Commission were to allow operators to use student data to improve products, the student information must be “de-identified and de-identifiable,” cannot be shared with third parties, and must be limited to use for improving educational products only.^[261]

In contrast, some commenters strongly opposed allowing product improvement absent verifiable parental consent. For example, EPIC argued that product improvement would allow ed tech vendors “to create virtual laboratories in schools to study child behavior and further develop commercial products for profit, unbeknownst to parents.” ^[262] Others raised similar objections,^[263] including parents who stated that the Commission should prohibit the use of student data to improve or develop new products or services.^[264]

In discussing the appropriate use of student data, several commenters suggested that the Commission adopt an approach similar to the treatment of activities that fall under the COPPA Rule's definition of “support for the internal operations of the website or online service.” This approach would allow ed tech providers to use student data for “analytics, content personalization, and product development, maintenance, and improvement uses that benefit students and schools” but not for activities such as personalized marketing.^[265]

The Commission believes that it should tailor the proposed school exception narrowly while ensuring its practicality for schools and operators. The Commission agrees with the commenters asserting that the use or disclosure of student data for marketing purposes should fall outside the school authorization exception. Indeed, this view is consistent with staff's guidance that schools can consent to the collection of student data for educational purposes but not for other commercial purposes, such as marketing and advertising.^[266]

The Commission also agrees with those commenters recommending that the school authorization exception should allow operators to engage in limited product improvement and development, provided certain safeguards are in place. The Commission believes that allowing providers to make ongoing improvements to the educational services the school has authorized benefits students and educators, and that user data may be necessary to identify and remedy a problem or “bug” in a product or service. Therefore, in contrast to general marketing, product improvement and development can be viewed as part of providing an educational purpose rather than engaging in an unrelated commercial practice.

That said, the Commission is mindful of the concerns that allowing such uses, particularly product development, could open the door to ed tech providers exploiting the exception. To address these concerns, the Commission proposes that the Rule's definition of a “school-authorized education purpose” include product improvement and development (as well as other uses related to the operation of the product, including maintaining, supporting, or diagnosing the service), provided the use is directly related to the service the school authorized. This would permit operators to improve the service, for example by fixing bugs or adding new features, or develop a new version of the service. An operator may not use the information it collected from one educational service to develop or improve a different service.

The Commission believes that limiting product improvement and development in this way will allow ed tech providers to provide better services while helping to safeguard against the use of student data for non-educational purposes. We also believe that this proposed approach is consistent with the requirement under FERPA's school official exception that a school have a “legitimate educational interest” to share personal information without parental consent.

The Commission does not agree with the commenters that recommended aligning the permissible uses of data collected under the school authorization exception with the Rule's support for the internal operations exception. The two exceptions serve different purposes, and the activities within the support for the internal operations definition are generally unnecessary for and unrelated to the provision of an educational purpose.^[267]

As an additional protection, the proposed school authorization exception would require operators to Start Printed Page 2057 have a written agreement with the school setting forth the exception's requirements. This written agreement must specify that the ed tech provider's use and disclosure of the data collected under the exception is limited to a school-authorized education purpose as defined in the Rule and for no other purpose. As an extra safeguard to help ensure that ed tech providers are using student data appropriately and to align the exception with FERPA, the required written agreement must specify that the school will have direct control over the provider's use, disclosure, and maintenance of the personal information under the exception. The agreement must also include the operator's data retention policy with respect to personal information collected from children under the school authorization exception.

iii. Who at the school should provide authorization?

In response to the question of who should be able to provide authorization for data collection under the school authorization exception, a wide variety of commenters, including industry, FTC-approved COPPA Safe Harbor programs, school personnel, and the Oregon Attorney General, called for flexibility.^[268] For example, while the Illinois Council of School Attorneys recommended against specifying who can provide authorization, it stated that if the Commission decides to do so, it should use general, flexible terminology such as “employees designated by the school's administration or governing board” to describe individuals who may provide authorization.^[269] The Oregon Attorney General called for flexibility and urged the Commission to be mindful that schools and districts obtain and implement ed tech in different ways.^[270] Another commenter, kidSAFE, recommended the Commission permit consent from an adult outside the school environment, including coaches or tutors.^[271]

Other commenters supported a more prescriptive approach,^[272] with some recommending that the Rule not allow teachers to provide consent.^[273] One commenter stated that few teachers are in a position to evaluate which ed tech services are trustworthy, adding that allowing individual teachers to make these decisions prevents school administrators from knowing what products are being used in the classroom.^[274] Another recommended requiring that, if schools are allowed to provide consent on behalf of parents, the school or district must have clear and uniform policies for adopting ed tech led by a team of qualified education research, curriculum, and privacy, and technology experts.^[275] Similarly, Lego recommended that only duly authorized individuals, such as IT administrators, data protection officers, or chief IT officers, provide consent through a contract with the ed tech provider.^[276]

Because the Commission believes it is important to accommodate the different ways schools obtain and implement ed tech, the Commission agrees with the commenters that called for flexibility rather than a “one size fits all” approach. At the same time, the Commission recognizes the need for measures to prevent the situation in which a school is unaware of the ed tech services their teachers have consented to on an ad hoc basis. Indeed, staff guidance has previously recommended that consent for ed tech to collect personal information comes from the schools or school districts rather than from individual teachers.^[277] To balance the need for flexibility with the need for oversight and accountability, the Commission proposes that the written agreement between the ed tech provider and the school, which the new § 312.5(c)(10) exception would require, identify the name and title of the person providing consent and specify that the school has authorized the person to provide such consent.

iv. Notice to Parents

Many of the commenters supporting a school consent exception recommended that parents receive notice of the ed tech providers the school authorized to collect children's data.^[278] Some commenters suggested that the notice to parents come from schools, recommending that the notice be similar to the FERPA annual notification requirement ^[279] or that schools make information about ed tech providers' information practices available to parents in a public place such as the school district's website.^[280]

Other commenters raised concerns about the Commission imposing obligations on schools through the Rule. For example, the Oregon Attorney General expressed concern that allowing an operator to shift notice obligations to schools would potentially shield operators from liability.^[281] Instead, the Oregon Attorney General recommended that the Commission require the operator to “provide notice of its information practices in a manner that is easily accessible to all parents . . . and to inform the school on where parents may find such notice of information practices.” ^[282] Similarly, the Parent Coalition for Student Privacy recommended that, if the Commission creates an exception for school authorization, it require ed tech providers to dedicate space on their website for notices about the exception and explain how the data will be strictly used for educational purposes and state which third parties can access the data.^[283]

The Commission agrees that notice is an important aspect of the proposed school authorization exception. At the same time the Commission agrees with commenters who raised concerns about imposing burdens on schools that may not have sufficient resources to undertake an additional administrative responsibility.^[284] To promote transparency without burdening schools, the Commission proposes requiring operators to provide notice. Namely, the Commission's proposed addition of § 312.4(e), discussed earlier in Part IV.B.4., would require an operator that collects personal information from a child under the school authorization exception to include an additional notice on its website or online service noting that: (1) the operator has obtained authorization from a school to collect a child's personal information; (2) that the Start Printed Page 2058 operator will use and disclose the information for a school-authorized education purpose and no other purpose; and (3) that the school may review information collected from a child and request deletion of such information.^[285]

b. Audio File Exception

In 2013, the Commission expanded the Rule's definition of “personal information” to include “[a] photograph, video, or audio file where such file contains a child's image or voice.” ^[286] Since that time there has been a dramatic increase in the popularity of internet-connected “home assistants” and other devices that are voice activated and controlled. This led to inquiries from stakeholders about the Rule's applicability to the collection of audio files containing a child's voice where an operator converts the audio to text and then deletes the audio file. While the Commission determined that the Rule applies to such collection, it recognized the value of using verbal commands to perform search and other functions on internet-connected devices, especially for children who have not yet learned to write or those with disabilities. Accordingly, in 2017, the Commission issued an enforcement policy statement indicating that it would not take action against an operator who, without obtaining parental consent, collects a child's voice recording, provided the operator only uses the audio file as a replacement for written words, such as to effectuate an instruction or request, and the operator retains the recording only for a brief period.^[287]

In the 2019 Rule Review Initiation, the Commission asked whether it should modify the Rule to include a parental consent exception based on the enforcement policy statement. The Commission also asked whether such an exception should allow an operator to use de-identified audio files for product improvement and, if so, how long an operator could retain such data. Additionally, the Commission asked whether de-identification of audio files is effective at preventing re-identification.

The vast majority of commenters that addressed the issue recommended the Commission modify the Rule to include a parental consent exception for audio files based on the existing enforcement policy statement.^[288] Some of these commenters supported the narrow confines of the current enforcement statement, which requires the collected audio file to serve solely as a replacement for written words and be maintained only until completion of that purpose.^[289] A number of other commenters, however, recommended that the Commission adopt a more expansive audio exception. For example, Google noted that many voice actions for internet-connected devices are not a replacement for written words. Because of this, Google recommended that the Commission include an expanded exception that “covers voice data used to perform a task or engage with a device, as well as to replace written words.” ^[290] Others made similar recommendations.^[291]

Several commenters argued that where an operator de-identifies the audio file, the exception should allow it to engage in product improvement as well as internal operations such as improving functionality and personalization.^[292] Only a few of these commenters discussed the means by which an operator could effectively de-identify audio files. One suggested using the approach set forth in a White House draft privacy law, which would require the operator to alter the data to prevent it from being linked to a specific individual, to commit not to re-identify the data, and to require third-party recipients to similarly commit not to re-identify the data.^[293] Another commenter suggested the operator could de-link the audio file from a user's account or device identifier.^[294]

The Commission received a small number of comments that opposed adding a consent exception for audio files to the Rule. Arguing against an exception, a group of State Attorneys General characterized recordings of children's voices as biometric data and stated that, as such, they are “individually-identifying and immutable.” ^[295] These commenters also questioned whether operators could effectively and consistently de-identify audio files, pointing to numerous instances in which anonymized data had been re-identified.^[296] A coalition of consumer groups argued that the Commission's existing enforcement statement, as structured, effectively protects children's privacy and there is no need to amend the Rule to add an exception.^[297] The commenters also stated that if the Commission does add an exception to the Rule, the exception should not permit operators to retain or use collected audio files for product improvement even if the files are de-identified.^[298]

Based on the comments overall, the Commission proposes codifying the audio file enforcement statement as an exception to the Rule's parental consent requirement, with one modification. The Commission believes the calls to expand the exception to also include audio files used to perform a task or to Start Printed Page 2059 engage with a device have merit. Limiting the proposed exception to circumstances in which the voice data replaces written words would be overly restrictive and unnecessarily prevent its application to a variety of internet-connected services that do not involve written commands. Further, because the proposed exception requires the operator to delete the collected audio file as soon as the command or engagement is completed, this expansion will not create additional risk to children's privacy. Additionally, to the extent an operator collects personal information beyond the audio file—such as a transcript of the audio file in combination with other personal information—the operator could not utilize the audio file exception and would have to afford COPPA's protections to that information.

The Commission, however, does not agree that the exception should allow operators to retain the audio files or to use them for other purposes such as product improvement and internal operations, even if the operator has taken steps to de-identify the data. The Commission agrees that a recording of a child's voice is particularly sensitive given that, like other biometric data, it is personal and unique. Consequently, the privacy risk created by such data potentially falling into the wrong hands and being re-identified exceeds the benefit of allowing broader use. This is especially the case where parents are not provided direct notice or provided the opportunity to consent to such practices.

c. Other Exceptions

The Commission also proposes adding language to the support for the internal operations exception, § 312.5(c)(7), to address the new online notice requirement the Commission proposes.^[299] This proposal indicates that an operator that collects information under the support for the internal operations exception must provide information in its online notice regarding its use of the exception. The Commission also proposes technical fixes to § 312.5(c)(6) for clarity purposes. Namely, the Commission proposes changing § 312.5(c)(6)(i) from “protect the security or integrity of its website or online service” to “protect the security or integrity of the website or online service” (emphasis added). The Commission also proposes removing “be” in § 312.5(c)(6)(iv) to fix a typographical issue.

In addition, the Commission proposes to modify § 312.5(c)(4) to prohibit operators from utilizing this exception to encourage or prompt use of a website or online service. This proposed addition prohibits operators from using online contact information to optimize user attention or maximize user engagement with the website or online service, including by sending push notifications, without first obtaining verifiable parental consent.^[300]

Additionally, several commenters recommended that the Commission expand the Rule's current one-time use exception, § 312.5(c)(3).^[301] Specifically, multiple commenters noted that the Commission should expand the types of information collected under this exception to include telephone numbers.^[302] A commenter also requested the Commission expand this exception to permit multiple contacts with a child without providing notice and an opportunity to opt out, as required by the multiple contact exception.^[303]

As explained earlier in the discussion regarding the definition of “online contact information,” the Commission proposes modifying this definition to include a mobile telephone number, provided the operator uses it only to send a text message and not for voice communication, unless and until the operator has obtained the parent's verifiable parental consent.^[304] The Commission believes that the proposed revision to the definition of “online contact information” addresses commenters' recommendations to permit the use of mobile telephone numbers to contact children under the one-time use exception. However, the Commission stresses that under the proposed definition of “online contact information,” operators using a child's mobile telephone number under this exception may only text the child and may not call the child.

Further, the Commission is not persuaded by commenters suggesting that it should expand this exception to permit multiple contacts with a child without offering parents notice and the opportunity to opt out. The COPPA statute envisioned the scenario in which an operator would have to contact a child more than once to respond to a specific request, and Congress included notice and opt-out requirements in association with such scenario.^[305] This scenario was codified in the COPPA Rule under the multiple contact exception, § 312.5(c)(4). Commenters' recommendation essentially asks the Commission to remove the multiple contact exception's notice and consent requirements. However, the Commission believes these elements are required by the COPPA statute, and therefore it does not propose such modifications.

D. Right To Review Personal Information Provided by a Child (16 CFR 312.6)

The Commission proposes a new paragraph related to the Commission's proposed school authorization exception.^[306] Specifically, the Commission proposes requiring operators utilizing such exception to provide schools with the rights operators currently provide parents under § 312.6(a), namely the right to review personal information collected from a child, refuse to permit operators' further use or future online collection of personal information, and to direct operators to delete such information. Under this proposal, operators utilizing the school authorization exception would not be required to provide such rights to parents for information collected under the exception.

Requiring operators to fulfill requests, such as deletion requests, from each parent could result in schools having to provide different services to different children or forego particular services for the entire class based on the request of an individual parent. To reduce this burden, the Commission proposes this modification. The Commission also proposes deleting the reference to “parent” in the § 312.6 heading to account for this modification.

E. Prohibition Against Conditioning a Child's Participation on Collection of Personal Information (16 CFR 312.7)

Section 312.7 of the Rule provides that an operator is prohibited from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more Start Printed Page 2060 personal information than is reasonably necessary to participate in such activity.

The Commission notes that this provision serves as an outright prohibition on collecting more personal information than is reasonably necessary for a child to participate in a game, offering of a prize, or another activity. Therefore, operators may not collect more information than is reasonably necessary for such participation, even if the operator obtains consent for the collection of information that goes beyond what is reasonably necessary.

With respect to the scope of § 312.7, the Commission is considering adding new language to address the meaning of “activity,” as that term is used in § 312.7. Specifically, the Commission is considering including language in § 312.7 to provide that an “activity” means “any activity offered by a website or online service, whether that activity is a subset or component of the website or online service or is the entirety of the website or online service.” It welcomes comment on whether this language is consistent with the COPPA statute's text and purpose, and it also welcomes comment on whether this change is necessary given the breadth of the plain meaning of the term “activity.”

F. Confidentiality, Security, and Integrity of Personal Information Collected From Children (16 CFR 312.8)

Section 312.8 of the Rule provides:

The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information from children. The operator must also take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of such information, and who provide assurances that they will maintain the information in such a manner.

In the 2019 Rule Review Initiation, the Commission asked whether operators have implemented sufficient safeguards to protect the personal information they collect from children. The Commission also asked whether the requirements of § 312.8 are adequate and whether the Rule should include more specific data security requirements.

Many commenters asked the Commission to clarify or strengthen operators' obligations under this section. For example, a coalition of consumer groups criticized the Commission for not promulgating clear data security regulations as directed by the COPPA statute.^[307] These commenters recommended that the Commission elaborate on the meaning of “reasonable procedures to protect the confidentiality, security, and integrity” of children's information.^[308] Similarly, an FTC-approved COPPA Safe Harbor program recommended that the Commission provide detailed guidance about minimum standards for what constitutes “reasonable procedures,” to help guide operators and FTC-approved COPPA Safe Harbor programs tasked with ensuring that companies are compliant with the Rule.^[309]

Some commenters argued that recent data breaches in all industries demonstrate the need for stricter data security requirements for children's personal information.^[310] Other commenters expressed a more narrow concern that the evolving online landscape in schools, combined with an increase in data breaches and ransomware attacks, suggests the need for stricter data security requirements for children's personal information generally.^[311] In contrast, a small number of commenters opined that operators are adequately protecting children's personal information. For example, the Internet Association stated that the increase in well-publicized breaches has heightened operators' awareness of their obligations and encouraged them to safeguard personal data.^[312]

Commenters on both sides—those who believe operators are adequately protecting children's personal information and those who believe operators need to do more—recommended against adding prescriptive data security requirements or risk management controls in the Rule. These commenters expressed concern that such measures could become quickly outdated. For example, the Internet Association and The Toy Association expressed concerns that specific, detailed security requirements and risk management controls might prevent operators from keeping pace with evolving technology and security threats.^[313] The internet Association opined that the Rule's flexibility permits operators to develop privacy and security risk management frameworks that are tailored to their activities and users, and that also keep pace with technology, evolving security threats, and varying security risks.^[314] FTC-approved COPPA Safe Harbor program kidSAFE and a technology trade association recommended that the Commission keep the “broad and flexible” standard in § 312.8 for similar reasons.^[315] A group of State Attorneys General also supported a flexible approach.^[316] These commenters urged the Commission to proceed cautiously and make clear that any additional data security requirements within the Rule are simply illustrative examples of what constitutes “reasonable procedures” rather than an exhaustive list.^[317] Such an approach, they argued, would encourage operators to consistently monitor and update security protocols that evolve with “rapid advances in technology and the enterprising nature of cybercriminals.” ^[318]

kidSAFE also encouraged the Commission to consider the varying Start Printed Page 2061 levels of resources and bargaining power that different operators hold. kidSAFE claimed that smaller companies often lack the resources to invest in their own data security measures or the bargaining power to obtain security assurances from the third-party service providers they use.^[319] An individual commenter expressed similar concerns that additional data security requirements might further burden small businesses, which already may not be in a position to determine whether service providers are capable of the Rule's existing security requirements.^[320]

In enacting COPPA, Congress recognized the need for heightened protections for children's personal information, and the Commission has long recognized a similar need.^[321] The Commission agrees that the proliferation of data breaches in all industries, including schools, supports strong and effective data security requirements, especially for particularly sensitive information like children's data. The Commission also agrees that operators would benefit from additional clarity and detail regarding the Rule's security requirements set forth in § 312.8.

For these reasons, the Commission proposes modifications to the Rule's security requirements. Specifically, the Commission proposes to split the operator's requirements in § 312.8 into discrete paragraphs and provide further guidance as to steps operators can take to comply with each requirement. The second paragraph will provide more guidance on the “reasonable procedures” that an operator must establish and maintain under newly-numbered § 312.8(a) to protect the confidentiality, security, and integrity of personal information from children. The third paragraph will address the “reasonable steps” an operator should take to release children's personal information only to those capable of protecting such and who provide written assurances to protect the information.

First, the Commission proposes modifying § 312.8 to specify that operators must, at minimum, establish, implement, and maintain a written comprehensive security program that contains safeguards that are appropriate to the sensitivity of children's information and to the operator's size, complexity, and nature and scope of activities. This requirement is modeled on the Commission's original Safeguards Rule implemented under the Gramm-Leach-Bliley Act (“GLBA”), which provides heightened protections for financial institutions' customer data.^[322]

To provide additional guidance, the proposed § 312.8 security program must contain a number of specific elements including designating an employee to coordinate the information security program; identifying and, at least annually, performing additional assessments to identify risks to the confidentiality, security, and integrity of personal information collected from children; designing, implementing, and maintaining safeguards to control any identified risks, as well as testing and monitoring the effectiveness of such safeguards; and, at least annually, evaluating and modifying the information security program.

The Commission believes that these modifications are appropriate for several reasons. First, this approach provides additional guidance to operators and FTC-approved COPPA Safe Harbor programs, while also maintaining the Rule's flexibility by allowing for technological advancements and taking into account an operator's size, complexity, and the nature and scope of its activities. It is also consistent with prior Commission COPPA and data security decisions and guidance.^[323]

In addition to the proposed written data security program, the Commission also proposes adding language to § 312.8 to clarify that operators that release personal information to third parties or other operators must obtain written assurances that the recipients will employ reasonable measures to maintain the confidentiality, security, and integrity of the information. In 2013, when the Commission amended § 312.8 to require operators to “take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security and integrity of such information, and who provide assurances that they will maintain the information in such a manner,” the Commission envisioned that operators would obtain assurances “by contract or otherwise.” ^[324] The Commission based this requirement on a similar obligation of financial institutions under the GLBA, which requires entities to “requir[e] your service providers by contract to implement and maintain such safeguards” (emphasis added).^[325] While the Commission expanded on the GLBA's provision to allow operators to obtain assurances by contract “or otherwise,” the Commission did not intend to allow operators to rely on verbal assurances alone. Rather, the Commission envisioned other written assurances for which there is tangible evidence, such as a written email or a service provider's written terms and conditions.

Accordingly, the Commission proposes inserting “written” to clarify that the assurances operators must obtain from other operators, service providers, and third parties to whom the operator releases children's personal information, or who collect such on the operator's behalf, must be in writing. As similarly noted in the Rule review that led to the 2013 Amendments,^[326] this provision is intended to address security issues surrounding business-to-business releases of data. The Commission did not seek specific comment on this aspect of the Rule's security requirements and therefore welcomes comment on this proposed modification.

G. Data Retention and Deletion Requirements (16 CFR 312.10)

Section 312.10 of the Rule currently states that “an operator of a website or online service shall retain personal information collected online from a child for only as long as is reasonably Start Printed Page 2062 necessary to fulfill the purpose for which the information was collected.” This section further states that “the operator must delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.”

In 2013, the Commission amended the Rule to add the data retention and deletion requirements of § 312.10 pursuant to its 15 U.S.C. 6502(b)(1)(D) authority to establish regulations requiring operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. At that time, the Commission explained that timely deletion of data is an integral part of a reasonable data security strategy, referencing the Institute for Public Representation's comment that without such “operators have no incentive to eliminate children's personal information and may retain it indefinitely.” ^[327] The Commission, however, rejected requests to specify a finite timeframe in which companies must delete data, instead deciding to choose “the phrases `for only as long as is reasonably necessary' and `reasonable measures' to avoid the very rigidity about which commenters opposing this provision complain.” ^[328]

Although the Commission did not specifically seek comment on data deletion in its 2019 Rule Review Initiation, many of the commenters that recommended the Commission provide more guidance on the § 312.8 requirements also suggested that the Commission clarify operators' obligations under § 312.10. These commenters expressed concern that, without specific time limits on data retention, operators could read the Rule to allow indefinite retention of children's personal information. For example, a group of State Attorneys General asked the Commission to modify the Rule to require operators or others maintaining children's data to serve contextual ads to delete such information immediately at the end of a user's session.^[329] Many consumer groups and individual commenters also opined that an increase in school data breaches and ransomware attacks indicates a need for stronger data deletion requirements within the Rule generally.^[330] A few commenters asked specifically for data retention limits for personal information stored within the education system or by ed tech providers.^[331] Similarly, a non-profit privacy organization requested that the Commission make it clear that operators cannot retain student data indefinitely.^[332]

Section 312.10 prohibits operators from retaining children's personal information indefinitely. The Commission framed the prohibition on data retention to permit enough flexibility to allow operators to retain data only for specified, necessary business needs.

Given the misunderstanding identified by the consumer groups, the Commission now proposes to modify this section to state more explicitly operators' duties with regard to the retention of personal information collected from children. Specifically, the Commission proposes clarifying that operators may retain personal information for only as long as is reasonably necessary for the specific purpose for which it was collected, and not for any secondary purpose. For example, if an operator collects an email address from a child for account creation purposes, the operator could not then use that email address for marketing purposes without first obtaining verifiable parental consent to use that information for that specific purpose. Additionally, the operator must delete the information when such information is no longer reasonably necessary for the purpose for which it was collected.^[333] In any event, personal information collected from a child may not be retained indefinitely.

The Commission also proposes requiring an operator to, at least, establish and maintain a written data retention policy specifying its business need for retaining children's personal information and its timeframe for deleting it, precluding indefinite retention.

These proposed modifications are intended to reinforce section 312.7's data minimization requirements, which prohibit an operator from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity.^[334] Namely, these proposed modifications require that an operator must have a specific business need for retaining information collected from children, and may retain such information for only so long as is reasonably necessary for the specific purpose for which it was collected, and not for any secondary purpose. The modifications also preclude operators from retaining such information indefinitely. The Commission welcomes comment on its proposed modification to this section.

H. Safe Harbor (16 CFR 312.11)

The 2019 Rule Review Initiation posed a number of questions related to the Rule's safe harbor program provision, including: whether it has been effective in enhancing compliance with the Rule; whether the Commission should modify the criteria currently enumerated in § 312.11(b) for approval of FTC-approved COPPA Safe Harbor programs; whether the Commission should clarify or modify § 312.11(g) with respect to the Commission's discretion to initiate an investigation or bring an enforcement action against an operator participating in an FTC-approved COPPA Safe Harbor program; whether the Commission should consider changes to the safe harbor monitoring process, including to promote greater transparency; and whether the Rule should include factors for the Commission to consider in revoking approval for an FTC-approved COPPA Safe Harbor program.

A number of commenters expressed support for the Rule's safe harbor program.^[335] At the same time, however, Start Printed Page 2063 multiple commenters recommended that the Commission enhance oversight of, and transparency regarding, the safe harbor program by modifying the criteria for the Commission's approval of FTC-approved COPPA Safe Harbor programs' guidelines and the Rule's requirements for FTC-approved COPPA Safe Harbor programs to submit reports to the Commission and retain records.^[336] While the Commission continues to believe that FTC-approved COPPA Safe Harbor programs serve an important function in helping companies comply with COPPA, it finds merit in the recommendations for enhanced oversight and transparency. Accordingly, the Commission proposes revisions to § 312.11 of the Rule as set forth in this part of the preamble, which it believes will further strengthen the COPPA Rule's safe harbor program.

1. Criteria for Approval of Self-Regulatory Program Guidelines (§ 312.11(b))

Paragraph 312.11(b) of the Rule requires that FTC-approved COPPA Safe Harbor programs demonstrate that they meet certain performance standards, specifically: (1) requirements to ensure operators subject to the self-regulatory program guidelines (“subject operators”) provide substantially the same or greater protections for children as those contained in §§ 312.2 through 312.8 and 312.10; (2) an effective, mandatory mechanism for the independent assessment of subject operators' compliance with the FTC-approved COPPA Safe Harbor program's guidelines; and (3) disciplinary actions for subject operators' non-compliance with self-regulatory program guidelines.

Several commenters recommended that the Commission provide additional clarity regarding the criteria the Commission applies when determining whether to approve an FTC-approved COPPA Safe Harbor program's self-regulatory guidelines. One FTC-approved COPPA Safe Harbor program suggested that the Commission consider publishing a standard set of program requirements, assessment questionnaires, and technical tests for all FTC-approved COPPA Safe Harbor programs to utilize with their subject operators.^[337] Another recommended that the FTC consider enumerating minimum operating standards for FTC-approved COPPA Safe Harbor programs, including how often they monitor subject operators' sites and communicate with subject operators.^[338] Another commenter recommended that the Commission should require FTC-approved COPPA Safe Harbor programs to apply a duty of care to promote principles behind COPPA when they conduct safe harbor program audits and certifications.^[339]

The Commission finds merit in the overall call for additional clarity regarding its criteria for approving FTC-approved COPPA Safe Harbor programs' self-regulatory guidelines. As discussed previously, the Commission proposes changes to the Rule's security requirements.^[340] These proposed modifications provide additional guidance on the “reasonable procedures” that an operator must establish and maintain to protect the confidentiality, security, and integrity of personal information from children. FTC-approved COPPA Safe Harbor programs can utilize that guidance in determining whether subject operators meet the Rule's § 312.8 requirements.

Further, in parallel with the proposed changes to § 312.8 discussed in Part IV.F., the Commission proposes to revise § 312.11(b)(2) to state explicitly that an FTC-approved COPPA Safe Harbor program's assessments of subject operators must include comprehensive reviews of both the subject operators' privacy and security policies, practices, and representations. The Commission does not propose any revisions to § 312.11(b)(1).

2. Reporting and Recordkeeping Requirements (§ 312.11(d) and § 312.11(f))

Section 312.11(d) of the Rule sets forth requirements for FTC-approved COPPA Safe Harbor programs to, among other things, submit annual reports to the Commission and maintain for not less than three years, and make available to the Commission upon request, consumer complaints alleging that subject operators violated an FTC-approved COPPA Safe Harbor program's guidelines, records of disciplinary actions taken against subject operators, and results of the FTC-approved COPPA Safe Harbor program's § 312.11(b)(2) assessments.

Several commenters recommended that the Commission modify the reporting and recordkeeping requirements in order to strengthen the Commission's oversight of FTC-approved COPPA Safe Harbor programs and to make that oversight more transparent. One commenter recommended that the Commission require FTC-approved COPPA Safe Harbor programs to submit more detailed and frequent reports.^[341] Another suggested that the Rule should require such programs to demonstrate on a periodic basis that they are regularly assessing and updating their programs to comply with COPPA.^[342]

The Commission agrees with commenters' general recommendation to enhance FTC-approved COPPA Safe Harbor programs' reporting requirements in order to strengthen oversight. Accordingly, the Commission proposes revising § 312.11(d)(1) to require the following additions to the FTC-approved COPPA Safe Harbor programs' annual reports.

First, the Commission proposes requiring FTC-approved COPPA Safe Harbor programs to identify each subject operator and all approved websites or online services in the program, as well as all subject operators that have left the program.^[343] The proposed revision further requires an FTC-approved COPPA Safe Harbor program to provide: a narrative description of the program's business model, including whether it provides additional services to subject operators, such as training; copies of each consumer complaint related to each subject operator's violation of an FTC-approved COPPA Safe Harbor program's guidelines; and a description of the process for determining whether a subject operator is subject to discipline (in addition to the existing requirement to describe any disciplinary action that the FTC-approved COPPA Safe Harbor program took against any Start Printed Page 2064 subject operator). These proposed changes will enhance the Commission's ability to oversee FTC-approved COPPA Safe Harbor programs.

Additionally, one FTC-approved COPPA Safe Harbor program recommended that the Commission consider conducting audits of each FTC-approved COPPA Safe Harbor program and publishing an audit checklist after completing each audit.^[344] Relatedly, another commenter suggested that the Rule should require FTC-approved COPPA Safe Harbor programs to demonstrate on a periodic basis that they are regularly assessing and updating their programs to comply with COPPA.^[345]

The Commission agrees that, in addition to its current oversight of FTC-approved COPPA Safe Harbor programs, including review of the FTC-approved COPPA Safe Harbor programs' annual reports discussed in this part of the preamble, regular audits of FTC-approved COPPA Safe Harbor programs' technological capabilities and mechanisms for assessing subject operators' fitness for maintaining membership could further strengthen oversight. To that end, the Commission proposes to add a new § 312.11(f) requiring FTC-approved COPPA Safe Harbor programs to submit triennial reports that provide details about those issues.^[346]

In terms of transparency, several commenters recommended that the Commission require programs to publish lists of their certified members.^[347] One FTC-approved COPPA Safe Harbor program, however, posited that public disclosure of membership lists would lead to the “poaching” of safe harbor members and recommended that the Rule require safe harbors instead to provide service-level certification information to the FTC confidentially.^[348] Another disagreed that public disclosure of membership lists would lead to the stealing of members, stating that it has always publicly disclosed the products it has certified.^[349] A coalition of consumer groups supported greater transparency and argued that FTC-approved COPPA Safe Harbor programs' current practices with respect to whether and where subject operators display membership seals makes it difficult for parents and others to determine whether websites or online services are participants of an FTC-approved COPPA Safe Harbor program.^[350]

The Commission proposes requiring that FTC-approved COPPA Safe Harbor programs publish lists of their subject operators. While the Commission understands certain commenters' concerns that the publication of such a list could result in the loss of subject operators to other FTC-approved COPPA Safe Harbor programs, the Commission believes that such concerns are outweighed by the benefits created by increasing transparency around FTC-approved COPPA Safe Harbor programs. Therefore, the Commission proposes adding this requirement as new paragraph § 312.11(d)(4).

3. Revocation of Approval of Self-Regulatory Program Guidelines (Current § 312.11(f), Proposed To Be Renumbered as § 312.11(g))

Current § 312.11(f), which the Commission proposes to renumber as § 312.11(g) in light of the new proposed § 312.11(f), reserves the Commission's right to revoke the approval of any FTC-approved COPPA Safe Harbor program whose guidelines or implementation of guidelines do not meet the requirements set forth in the Rule. In addition, current § 312.11(f) requires FTC-approved COPPA Safe Harbor programs that the Commission had approved before the Commission amended the Rule in 2013 to submit by March 1, 2013 proposed modifications to bring their guidelines into compliance with the 2013 Rule amendments.

Because the March 1, 2013 deadline has passed and is no longer relevant, the Commission proposes to strike from renumbered § 312.11(g) the requirement that FTC-approved COPPA Safe Harbor programs submit proposed modifications to their guidelines. If the Commission proceeds to modify the Rule as discussed in this notice, the Commission will provide an appropriate deadline for safe harbor programs to submit proposed modifications to bring their guidelines into compliance with such amendments.

I. Voluntary Commission Approval Processes (16 CFR 312.12)

The Commission also proposes making a few technical edits in § 312.12(b) to ensure that each reference to the support for the internal operations of the website or online service is consistent with the COPPA statute's use of the phrase “support for the internal operations of the [website] or online service.” ^[351]

V. Request for Comment

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before March 11, 2024. Write “COPPA Rule Review, Project No. P195404” on your comment. Your comment—including your name and your State—will be placed on the public record of this proceeding, including the https://www.regulations.gov website.

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://www.regulations.gov, by following the instructions on the web-based form.

If you file your comment on paper, write “COPPA Rule Review, Project No. P195404” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex E), Washington, DC 20580. If possible, please submit your paper comment to the Commission by overnight service.

Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other State identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, Start Printed Page 2065 sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted publicly at https://www.regulations.gov —as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.

Visit the FTC website to read this publication and the news release describing it, and visit https://www.regulations.gov/​docket/​FTC-2023-0076 to read a plain-language summary of the proposed Rule. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before March 11, 2024. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/​site-information/​privacy-policy.

VI. Paperwork Reduction Act

The Paperwork Reduction Act (“PRA”), 44 U.S.C. chapter 35, requires federal agencies to seek and obtain approval from the Office of Management and Budget (“OMB”) before undertaking a collection of information directed to ten or more persons.^[352] Under the PRA, a rule creates a “collection of information” when ten or more persons are asked to report, provide, disclose, or record information in response to “identical questions.” ^[353] The existing COPPA Rule contains recordkeeping, disclosure, and reporting requirements that constitute “information collection requirements” as defined by 5 CFR 1320.3(c) under the OMB regulations that implement the PRA. OMB has approved the Rule's existing information collection requirements through March 31, 2025 (OMB Control No. 3084–0117).

The proposed amendments to the COPPA Rule would amend the definition of “website or online service directed to children,” potentially increasing the number of operators subject to the Rule, albeit likely not to a significant degree. The proposed Rule would also increase disclosure obligations for operators and FTC-approved COPPA Safe Harbor programs, and FTC-approved COPPA Safe Harbor programs would also face additional reporting obligations under the proposed Rule. Commission staff does not believe that the proposed Rule would increase operators' recordkeeping obligations.

The Commission invites comments on: (1) whether the proposed collection of information is necessary for the proper performance of the functions of the FTC, including whether the information will have practical utility; (2) the accuracy of the FTC's estimate of the burden of the proposed collection of information; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of collecting information on those who respond. Written comments and recommendations for the proposed information collection should also be sent within 30 days of publication of this document to https://www.reginfo.gov/​public/​do/​PRAMain. Find this particular information collection by selecting “Currently under Review—Open for Public Comments” or by using the search function. The reginfo.gov web link is a United States Government website produced by OMB and the General Services Administration. Under PRA requirements, OMB's Office of Information and Regulatory Affairs reviews federal information collections.

Estimated Additional Annual Hours Burden

A. Number of Respondents

As noted in the Regulatory Flexibility section of this NPRM, Commission staff estimates that there are currently approximately 5,710 operators subject to the Rule. Commission staff believes that the changes that are most likely to affect the number of operators subject to the Rule are the Commission's proposed changes to the Rule's definition of “website or online service directed to children.” Of most relevance to this discussion, the Commission proposes to modify paragraph 2 of this definition to account for third parties with actual knowledge that they collect children's information from users of a child-directed site or service, even if such third parties do not collect the information directly from such users. While Commission staff contemplates that this modification could increase the number of operators subject to the Rule's requirements, staff does not have sufficient evidence to estimate the amount of increase, and therefore the Commission welcomes comment on this issue. Commission staff does not expect that the other proposed modifications to this definition, such as the additional exemplar factors the Commission will consider in determining whether a site or service is child-directed, will alter the number of operators subject to the Rule.

Commission staff does not believe that other proposed modifications to the Rule's definitions will affect the number of operators subject to the Rule. For example, Commission staff does not expect that the Commission's proposed addition of “biometric identifiers” to the Rule's definition of “personal information” will significantly alter the number of operators subject to the Rule. Commission staff believes that all or nearly all operators of websites or online services that collect “biometric identifiers” from children are already subject to the Rule.

In total, to the extent that any of the Commission's proposed revisions to the Rule's definitions might result in minor additional numbers of operators being subject to the Rule, Commission staff believes that any such increase will be offset by other operators of websites or online services adjusting their information collection practices so that they will not be subject to the Rule.

For this burden analysis, Commission staff retains its recently published estimate of 280 new operators per year.^[354] Commission staff also retains its estimate that no more than one additional FTC-approved COPPA Safe Harbor program applicant is likely to submit a request within the next three years of PRA clearance.

B. Recordkeeping Hours

While the proposed Rule requires operators to establish, implement, and maintain a written comprehensive security program and data retention policy, such requirements do not constitute a “collection of information” under the PRA. Namely, under the proposed Rule, each operator's security Start Printed Page 2066 program and the safeguards instituted under such program will vary according to the operator's size and complexity, the nature and scope of its activities, and the sensitivity of the information involved. Similarly, the instituted data retention policy will differ depending on the operator's business practices. Thus, although each operator must summarize its compliance efforts in one or more written documents, the discretionary balancing of factors and circumstances that the proposed Rule allows does not require entities to answer “identical questions” and therefore does not trigger the PRA's requirements.

Separately, the proposed Rule imposes minimal recordkeeping requirements for FTC-approved COPPA Safe Harbor programs. However, FTC staff understands that most of the records listed in the COPPA Rule's safe harbor recordkeeping provisions consist of documentation that covered entities retain in the ordinary course of business irrespective of the COPPA Rule. OMB excludes from the definition of PRA burden, among other things, recordkeeping requirements that customarily would be undertaken independently in the normal course of business.^[355] In staff's view, any incremental burden posed by the proposed Rule—such as that to include additional content in annual reports, submit a report to the Commission every three years detailing technological capabilities and mechanisms, and publicly post membership lists—would be marginal.

C. Disclosure Hours

1. New Operators' Disclosure Burden

FTC staff estimates that the Rule affects approximately 280 new operators per year.^[356] Staff maintains its longstanding estimate that new operators of websites and online services will require, on average, approximately 60 hours to draft a privacy policy, design mechanisms to provide the required online privacy notice and, where applicable, the direct notice to parents.^[357] In addition, the proposed Rule includes a new requirement that operators establish, implement, maintain, and disclose a data retention policy. Staff estimates it will require, on average, approximately 10 hours to meet the data retention policy requirement. In combining these figures, Commission staff estimates that these disclosure requirements will require 70 hours of burden per operator. This yields an estimated annual hours burden of 19,600 hours (280 respondents × 70 hours).

2. Existing Operators' Disclosure Burden

The proposed Rule imposes various new disclosure requirements on operators. Specifically, the proposed amendments require operators to update existing disclosures, namely to update the direct and online notices with additional information about the operators' information practices. Additionally, some operators may have to provide disclosures that were not previously required under the Rule. For operators utilizing the support for the internal operations exception, 16 CFR 312.5(c)(7), the proposed Rule will now require such operators to provide an online notice. Similarly, the proposed Rule will require operators utilizing the proposed school authorization exception, which is newly numbered as 16 CFR 312.5(c)(10), to provide an online notice, a direct notice to the school, and enter into a written agreement with the school. Additionally, the proposed Rule requires operators to disclose a data retention policy.

Commission staff believes that an existing operator's time to make these changes to its online and direct notices would be no more than that estimated for a new entrant to craft an online notice and direct notice for the first time, i.e., 60 hours. Regarding the written agreement, FTC staff understands that many ed tech operators enter into standard contracts with schools, school districts, and other education organizations across the country, and this requirement is not intended to interfere with such contractual arrangements. Therefore, this agreement likely consists of documentation that covered entities retain in the ordinary course of business irrespective of the COPPA Rule. As noted above, OMB excludes from the definition of PRA burden, among other things, recordkeeping requirements that customarily would be undertaken independently in the normal course of business.^[358] Additionally, as discussed previously, Commission staff believes the time necessary to develop, draft, and publish a data retention policy is approximately 10 hours. Therefore, these disclosure requirements will amount to approximately 70 hours of burden. Annualized over three years of PRA clearance, this amounts to approximately 23 hours (70 hours ÷ 3 years) per operator each year. Aggregated for the 5,710 existing operators, the annualized disclosure burden for these requirements would be approximately 131,330 hours per year (5,710 respondents × 23 hours).

The proposed Rule will also require each FTC-approved COPPA Safe Harbor program to provide a list of all current subject operators on each of the FTC-approved COPPA Safe Harbor program's websites and online services, and the proposed Rule further requires that such list be updated every six months thereafter. Because FTC-approved COPPA Safe Harbor programs likely already keep up-to-date lists of their subject operators, Commission staff does not anticipate this requirement will significantly burden FTC-approved COPPA Safe Harbor programs. To account for time necessary to prepare the list for publication and to ensure that the list is updated every 6 months, Commission staff estimates 10 hours per year. Aggregated for one new FTC-approved COPPA Safe Harbor program and six existing FTC-approved COPPA Safe Harbor programs, this amounts to an estimated cumulative disclosure burden of 70 hours per year (7 respondents × 10 hours).

D. Reporting Hours

The proposed amendments will require FTC-approved COPPA Safe Harbor programs to include additional content in their annual reports. The proposed amendments will also require each FTC-approved COPPA Safe Harbor program to submit a report to the Commission every three years detailing the program's technological capabilities and mechanisms for assessing subject operators' fitness for membership in the program.

The burden of conducting subject operator audits and preparing the annual reports likely varies by FTC-approved COPPA Safe Harbor program, depending on the number of subject operators. Commission staff estimates that the additional reporting requirements for the annual report will require approximately 50 hours per program per year. Aggregated for one new FTC-approved COPPA Safe Harbor program (50 hours) and six existing (300 hours) FTC-approved COPPA Safe Harbor programs, this amounts to an estimated cumulative reporting burden of 350 hours per year (7 respondents × 50 hours).

Regarding the reports that the proposed Rule will require FTC-approved Safe Harbor programs to Start Printed Page 2067 submit to the Commission every three years, § 312.11(c)(1) of the Rule already requires FTC-approved COPPA Safe Harbor programs to include similar information in their initial application to the Commission. Specifically, § 312.11(c)(1) requires that the application address FTC-approved COPPA Safe Harbor programs' business models and the technological capabilities and mechanisms they will use for initial and continuing assessment of operators' fitness for membership in their programs. Consequently, the three-year reports should merely require reviewing and potentially updating an already-existing report. Staff estimates that reviewing and updating existing information to comply with proposed § 312.11(f) will require approximately 10 hours per FTC-approved COPPA Safe Harbor program. Divided over the three-year period, FTC staff estimates that annualized burden attributable to this requirement would be approximately 3.33 hours per year (10 hours ÷ 3 years) per FTC-approved COPPA Safe Harbor program, which staff will round up to 4 hours per year per FTC-approved COPPA Safe Harbor program. Given that several FTC-approved COPPA Safe Harbor programs are already available to website and online service operators, FTC staff anticipates that no more than one additional FTC-approved COPPA Safe Harbor program applicant is likely to submit a request within the next three years of PRA clearance. Aggregated for one new FTC-approved COPPA Safe Harbor program and six existing FTC-approved COPPA Safe Harbor programs, this amounts to an estimated cumulative reporting burden of 28 hours per year (7 respondents × 4 hours).

E. Labor Costs

1. Disclosure

a. New Operators

As previously noted, Commission staff estimates a total annual burden of 19,600 hours (280 respondents × 70 hours). Consistent with its past estimates and based on its 2013 rulemaking record,^[359] FTC staff estimates that the time spent on compliance for new operators covered by the COPPA Rule would be apportioned five to one between legal (outside counsel lawyers or similar professionals) and technical ( e.g., computer programmers, software developers, and information security analysts) personnel. Therefore, Commission staff estimates that approximately 16,333 of the estimated 19,600 hours required will be completed by legal staff.

Regarding legal personnel, Commission staff anticipates that the workload among law firm partners and associates for assisting with COPPA compliance would be distributed among attorneys at varying levels of seniority. Assuming two-thirds of such work is done by junior associates at a rate of approximately $300 per hour, and one-third by senior partners at approximately $600 per hour, the weighted average of outside counsel costs would be approximately $400 per hour.^[360]

FTC staff anticipates that computer programmers responsible for posting privacy policies and implementing direct notices and parental consent mechanisms would account for the remaining approximately 3,267 hours. FTC staff estimates an hourly wage of $57 (rounded to the nearest dollar) for technical assistance, based on Bureau of Labor Statistics (“BLS”) data.^[361] Accordingly, associated annual labor costs would be $6,719,419 [(16,333 hours × $400/hour) + (3,267 hours × $57/hour)] for the estimated 280 new operators.

b. Existing Operators

As previously discussed, Commission staff estimates that the annualized disclosure burden for these requirements for the 5,710 existing operators would be 131,330 hours per year. Thus, apportioned five to one, this amounts to 109,442 hours of legal and 21,888 hours of technical assistance. Applying hourly rates of $400 and $57, respectively, for these personnel categories, associated labor costs would total approximately $45,024,416 ($43,776,800 + $1,247,616).

As noted, Commission staff estimates a cumulative disclosure burden of 10 hours per year for FTC-approved COPPA Safe Harbor programs. Aggregated for one new FTC-approved COPPA Safe Harbor program and six existing FTC-approved COPPA Safe Harbor programs, this amounts to an estimated cumulative reporting burden of 70 hours per year (7 respondents × 10 hours).

Industry sources have advised that the labor to comply with requirements from FTC-approved COPPA Safe Harbor programs would be attributable to the efforts of in-house lawyers. To determine in-house legal costs, FTC staff applied an approximate average between the BLS reported mean hourly wage for lawyers ($78.74),^[362] and estimated in-house hourly attorney rates ($300) that are likely to reflect the costs associated with the proposed Rule's safe harbor requirements. This yields an approximate hourly rate of $190. Applying this hourly labor cost estimate to the hours burden associated with the cumulative disclosure burden for FTC-approved COPPA Safe Harbor programs yields an estimated annual burden of $13,300 (70 hours × $190).

2. Reporting

As previously noted, Commission staff estimates an estimated cumulative reporting burden of 378 hours per year for FTC-approved COPPA Safe Harbor programs. The approximate hourly rate for labor to comply with requirements from FTC-approved COPPA Safe Harbor programs is $190, as previously calculated. Applying this hourly labor cost estimate to the hours burden associated with the cumulative reporting burden for FTC-approved COPPA Safe Harbor programs yields an estimated annual labor cost burden of $71,820 (378 hours × $190).

F. Non-Labor/Capital Costs

Because both operators and FTC-approved COPPA Safe Harbor programs will already be equipped with the computer equipment and software necessary to comply with the Rule's notice requirements, the proposed Rule should not impose any additional capital or other non-labor costs.

VII. Regulatory Flexibility Act

The Regulatory Flexibility Act (“RFA”), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires an agency to either provide an Initial Regulatory Start Printed Page 2068 Flexibility Analysis (“IRFA”) with a proposed rule, or certify that the proposed Rule will not have a significant impact on a substantial number of small entities.^[363]

The Commission does not expect that the proposed Rule, if adopted, would have a significant impact on a substantial number of small entities. Among other things, as discussed further below, many of the proposed amendments reflect modest changes to the Rule, including to clarify definitions, increase content requirements for existing notices, increase specificity for existing security requirements, increase clarity on existing retention and deletion requirements, and increase specificity on certain reporting requirements. While the proposed amendments may require some entities to implement notices they were not required to provide before, obtain consent they previously were not required to obtain, and implement new retention policies, the Commission does not anticipate this will require significant additional costs to entities covered by the Rule. Instead, some of the proposed amendments, such as amendments to create exceptions for the Rule's verifiable parental consent requirements, may even reduce costs for many entities covered by the Rule.

Although the Commission certifies under the RFA that the proposed rule will not have a significant impact on a substantial number of small entities, and hereby provides notice of that certification to the Small Business Administration, the Commission has determined that it is appropriate to publish an IRFA in order to inquire into the impact of the proposed Rule on small entities. The Commission invites comment on the burden on any small entities that would be covered and has prepared the following analysis.

A. Reasons for the Proposed Rule

As discussed in Part I, the Commission commenced a review of the COPPA Rule on July 25, 2019, noting that questions had arisen about the Rule's application to the ed tech sector, voice-enabled connected devices, and general audience platforms that host third-party child-directed content. After review of the comments received, the Commission concludes that there is a need to update certain Rule provisions to account for changes in technology and online practices, and where appropriate, to clarify and streamline the Rule. Accordingly, the Commission proposes modifications to the Rule in the following areas: Scope of Regulations; Definitions; Notice; Parental Consent; Parental Right to Review; Confidentiality and Security of Children's Personal Information; Data Retention and Deletion; Safe Harbor Programs; and Voluntary Commission Approval Processes.

B. Statement of Objectives and Legal Basis

The objectives of the Proposed Rule are to update the Rule to ensure that children's online privacy continues to be protected, as directed by Congress, even as new online technologies emerge and existing online technologies evolve, and to clarify existing obligations for operators under the Rule. The legal basis for the proposed Rule is the Children's Online Privacy Protection Act, 15 U.S.C. 6501 et seq.

C. Description and Estimated Number of Small Entities to Which the Rule Will Apply

The COPPA Rule applies to operators of commercial websites or online services directed to children that collect personal information through such websites or online services, and operators of any commercial website or online service with actual knowledge that it is collecting personal information from children. The Rule also applies to operators of websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.

The Commission staff is unaware of any empirical evidence concerning the number of operators subject to the Rule. However, based on the previous estimates ^[364] and the Commission's compliance monitoring efforts in the areas of children's privacy, Commission staff estimates that approximately 5,710 operators may be subject to the Rule's requirements, with approximately 280 new operators per year.

Under the Small Business Size Standards issued by the Small Business Administration, “web search portals and all other information services” qualify as small businesses if they have 1,000 or fewer employees.^[365] Commission staff estimates that approximately 80% of operators potentially subject to the Rule qualify as small entities. The Commission staff bases this estimate on its experience in this area, which includes its law enforcement activities, oversight of FTC-approved COPPA Safe Harbor programs, conducting relevant workshops, and discussions with industry and privacy professionals. The Commission seeks comment and information with regard to the estimated number or nature of small business entities on which the proposed Rule would have a significant economic impact.

D. Projected Reporting, Recordkeeping, and Other Compliance Requirements

The proposed amended Rule would impose reporting, recordkeeping, and other compliance requirements within the meaning of the PRA, as set forth in Part VI of this NPRM. Therefore, the Commission is submitting the proposed requirements to OMB for review before issuing a final rule.

For example, while not constituting a “collection of information” under the PRA, the proposed Rule would require operators to establish, implement, and maintain a written comprehensive security program. The proposed Rule would also likely increase the disclosure requirements for covered operators, and it would likely increase the disclosure and reporting requirements for FTC-approved COPPA Safe Harbor programs. Specifically, the proposed amendments require operators to update existing disclosures with additional content requirements, namely to update the direct and online notices with additional information about the operators' information practices. Some operators may have to provide disclosures that were not previously required under the Rule. Additionally, the proposed Rule requires operators to disclose a data retention policy.

The proposed Rule will also require each FTC-approved COPPA Safe Harbor program to provide a list of all current subject operators on each of the FTC-approved COPPA Safe Harbor program's websites and online services, and the proposed Rule further requires that such list be updated every six months thereafter. The proposed amendments will also require FTC-approved COPPA Safe Harbor programs to include additional content in their annual reports, and submit a new report to the Commission every three years detailing the program's technological capabilities and mechanisms for assessing subject operators' fitness for membership in the program.

The estimated burden imposed by these proposed amendments is discussed in the PRA section of this document, and there should be no Start Printed Page 2069 difference in that burden as applied to small businesses. While the Rule's compliance obligations apply equally to all entities subject to the Rule, it is unclear whether the economic burden on small entities will be the same as or greater than the burden on other entities. That determination would depend upon a particular entity's compliance costs, some of which may be largely fixed for all entities ( e.g., website programming) and others variable ( e.g., participation in an FTC-approved COPPA Safe Harbor program), and the entity's income or profit from operation of the website or online service itself ( e.g., membership fees) or related sources. As explained in the PRA section, in order to comply with the proposed Rule's requirements, website or online service operators will require the professional skills of legal (lawyers or similar professionals) and technical ( e.g., computer programmers, software developers, and information security analysts) personnel.

As explained in the PRA section, Commission staff estimates that there are approximately 5,710 websites or online services that qualify as operators under the proposed Rule, and that approximately 80% of such operators qualify as small entities under the SBA's Small Business Size standards. The Commission invites comment and information on these issues.

E. Identification of Duplicative, Overlapping, or Conflicting Federal Rules

The Commission has not identified any other federal statutes, rules, or policies that would duplicate, overlap, or conflict with the proposed Rule. While the proposed Rule includes amendments related to schools, the Commission believes it has drafted the proposed Rule to ensure it does not duplicate, overlap, or conflict with the Family Educational Rights and Privacy Act. The Commission invites comment and information on this issue.

F. Discussion of Significant Alternatives

In drafting the proposed Rule, the Commission has made every effort to avoid unduly burdensome requirements for entities. The Commission believes that the proposed amendments are necessary to continue to protect children's online privacy in accordance with the purposes of COPPA. For each of the proposed amendments, the Commission has attempted to tailor the provision to any concerns evidenced by the record to date. On balance, the Commission believes that the benefits to children and their parents outweigh any potential increased costs of implementation to industry.

For example, some commenters called for the Commission to implement specific time limits on data retention, noting that operators could read the Rule as currently written to allow indefinite retention of personal information. Rather than impose specific limitations that would apply to operators that collect different types of personal information for varying types of activities, the Commission alternatively proposes to require operators to establish a written data retention policy that sets forth a timeframe for deletion and explicitly prohibits indefinite retention.

Additionally, the Commission has taken care in developing the proposed amendments to set performance standards that will establish the objective results that must be achieved by regulated entities, but do not mandate a particular technology that must be employed in achieving these objectives. For example, the proposed Rule does not mandate the technology that must be used to establish, implement, and maintain the children's written information security program and related safeguards required under newly-numbered § 312.8(b).

The Commission seeks comments on ways in which the proposed Rule could be modified to reduce any costs or benefits for small entities.

VIII. Communications by Outside Parties to the Commissioners or Their Advisors

Written communications and summaries or transcripts of oral communications respecting the merits of this proceeding, from any outside party to any Commissioner or Commissioner's advisor, will be placed on the public record. See16 CFR 1.26(b)(5).

IX. Questions for the Proposed Revisions to the Rule

The Commission is seeking comment on various aspects of the proposed Rule and is particularly interested in receiving comment on the questions that follow. These questions are designed to assist the public and should not be construed as a limitation on the issues on which public comment may be submitted. Responses to these questions should cite the numbers and subsections of the questions being answered. For all comments submitted, please submit any relevant data, statistics, or any other evidence, upon which those comments are based.

General Question

1. Please provide comment on any or all of the provisions in the proposed Rule. For each provision commented on, please describe: (1) the impact of the provision(s) (including any benefits and costs), if any; and (2) what alternatives, if any, the Commission should consider, as well as the costs and benefits of those alternatives.

Definitions

2. As part of the Rule review that led to the 2013 Amendments, the Commission determined that an operator will not be deemed to have “collected” (as that term is defined in the Rule) personal information from a child when it employs technologies reasonably designed to delete all or virtually all personal information input by children before making information publicly available.^[366] The Commission is concerned that, if automatic moderation or filtering technologies can be circumvented, reliance on such technologies may not be appropriate in a context where a child is communicating one to one with another person privately, as opposed to posting information online publicly. Should the Commission retain its position that an operator will not be deemed to have “collected” personal information, and therefore does not have to comply with the Rule's requirements, if it employs automated means to delete all or virtually all personal information from one-to-one communications?

3. The Commission proposes to include mobile telephone numbers within the definition of “online contact information” so long as such information is used only to send text messages. This proposed modification would permit operators to send text messages to parents to initiate obtaining verifiable parental consent. Does allowing operators to contact parents through a text message to obtain verifiable parental consent present security risks to the recipient of the text message, particularly if the parent would need to click on a link provided in the text message?

4. In conjunction with the 2013 Amendments, the Commission acknowledged that screen and user names have increasingly become portable across multiple websites or online services, and that such identifiers permit the direct contact of a specific individual online.^[367] Through the 2013 Amendments, the Commission defined personal information to include screen or user names only to the extent these Start Printed Page 2070 identifiers function in the same way as “online contact information” as the Rule defines that term. Since 2013, the use of screen and user names has proliferated across websites and online services, including on online gaming platforms that allow users to directly engage with each other. The Commission is concerned that children may use the same screen or user name on different sites and services, potentially allowing other users to contact and engage in direct communications with children on another online service.

a. Should screen or user names be treated as online contact information, even if the screen or user name does not allow one user to contact another user through the operator's website or online service, when the screen or user name could enable one user to contact another by assuming that the user to be contacted is using the same screen or user name on another website or online service that does allow such contact?

b. Are there measures an operator can take to ensure that a screen or user name cannot be used to permit the direct contact of a person online?

5. The Commission proposes adding biometric identifiers such as fingerprints, retina and iris patterns, a DNA sequence, and data derived from voice data, gait data, or facial data to the definition of “personal information.” Should the Commission consider including any additional biometric identifier examples to this definition? Are there exceptions to the Rule's requirements that the Commission should consider applying to biometric data, such as exceptions for biometric data that has been promptly deleted?

6. The use of avatars generated from a child's image has become popular in online services, such as video games. Should an avatar generated from a child's image constitute “personal information” under the COPPA Rule even if the photograph of the child is not itself uploaded to the site or service and no other personal information is collected from the child? If so, are these avatars sufficiently covered under the current COPPA Rule, or are further modifications to the definition required to cover avatars generated from a child's image?

7. The definition of “personal information” includes a Social Security number. Should the Commission revise this definition to list other government-issued identifiers specifically? If so, what type of identifiers should be included?

8. The definition of “personal information” includes “information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in [the Rule's definition of `personal information'].” Does the phrase “concerning the child or parents of that child” require further clarification?

9. Certain commenters recommended modifications to the “support for the internal operations of the website or online service” definition, including to limit personalization to “user-driven” actions and to exclude methods designed to maximize user engagement. Under what circumstances would personalization be considered “user-driven” versus personalization driven by an operator? How do operators use persistent identifiers, as defined by the COPPA Rule, to maximize user engagement with a website or online service?

10. Operators can collect persistent identifiers for contextual advertising purposes without parental consent so long as they do not also collect other personal information. Given the sophistication of contextual advertising today, including that personal information collected from users may be used to enable companies to target even contextual advertising to some extent, should the Commission consider changes to the Rule's treatment of contextual advertising?

11. With regard to the definition of “website or online service directed to children,” the Commission would like to obtain additional comment on whether it should provide an exemption for operators from being deemed a child-directed website or online service if such operators undertake an analysis of their audience composition and determine no more than a specific percentage of its users are likely to be children under 13.

a. Should the COPPA Rule offer an exemption or other incentive to encourage operators to conduct an analysis of their user bases?

b. If the COPPA Rule should include such an exemption or other incentive, what are the reliable means by which operators can determine the likely ages of their sites' or services' users?

c. As part of this exemption or incentive, should the COPPA Rule identify which means operators must utilize to determine the likely ages of their users? If so, how should the COPPA Rule identify such means?

d. If the COPPA Rule should include such an exemption or other incentive, what should be the appropriate percentage of users to qualify for this exemption or incentive?

e. Would such an exemption be inconsistent with the COPPA Rule's multi-factor test for determining whether a website or online service, or a portion thereof, is directed to children?

Notice

12. The Commission proposes requiring operators that share personal information with third parties to identify those third parties or specific categories of those third parties in the direct notice to the parent. Is this information better positioned in the direct notice required under § 312.4(c), or should it be placed in the online notice required under § 312.4(d)?

Parental Consent

13. Can platforms play a role in establishing consent mechanisms to enable app developers or other websites or online services to obtain verifiable parental consent? If so, what benefits would a platform-based common consent mechanism offer operators and parents? What steps can the Commission take to encourage the development of platform-based consent mechanisms?

14. To effectuate § 312.5(a)(2), which requires operators to give the parent the option to consent to the collection and use of the child's personal information without consenting to disclosure of the child's personal information to third parties, the Commission proposes requiring operators to obtain separate verifiable parental consent prior to disclosing a child's personal information, unless such disclosure is integral to the nature of the website or online service. Should the Commission implement such a requirement? Should the consent mechanism for disclosure be offered at a different time and/or place than the mechanism for the underlying collection and use? Is the exception for disclosures that are integral to the nature of the website or online service clear, or should the Commission clarify which disclosures are integral? Should the Rule require operators to state which disclosures are integral to the nature of website or online service?

15. As noted in Part IV.C.3.c., the Commission proposes to modify § 312.5(c)(4) to prohibit operators from utilizing this exception to encourage or prompt use of a website or online service. Are there other engagement techniques the Rule should address? If so, what section of the Rule should address them? What types of personal information do operators use when utilizing engagement techniques? Additionally, should the Rule differentiate between techniques used solely to promote a child's engagement Start Printed Page 2071 with the website or online service and those techniques that provide other functions, such as to personalize the child's experience on the website or online service? If so, how should the Rule differentiate between those techniques?

16. The Commission proposes to include a parental consent exception to permit schools, State educational agencies, and local educational agencies to authorize the collection, use, and disclosure of personal information from students younger than 13 where the data is used for a school-authorized education purpose and no other commercial purpose. What types of services should be covered under a “school-authorized education purpose”? For example, should this include services used to conduct activities not directly related to teaching, such as services used to ensure the safety of students or schools?

Prohibition Against Conditioning a Child's Participation on Collection of Personal Information

17. COPPA and § 312.7 of the Rule prohibit operators from conditioning a child's participation in an activity on disclosing more personal information than is reasonably necessary to participate in such activity.

a. What efforts are operators taking to comply with § 312.7? Are these efforts taken on a website-wide or online service-wide basis, or are operators imposing efforts on a more granular level?

b. Should the Commission specify whether disclosures for particular purposes are reasonably necessary or not reasonably necessary in a particular context? If so, for which purposes and in which contexts?

c. Given that operators must provide notice and seek verifiable parental consent before collecting personal information, to what extent should the Commission consider the information practices disclosed to the parent in assessing whether information collection is reasonably necessary?

18. The Commission is considering adding new language to address the meaning of “activity,” as that term is used in § 312.7. Specifically, the Commission is considering including language in § 312.7 to provide that an “activity” means “any activity offered by a website or online service, whether that activity is a subset or component of the website or online service or is the entirety of the website or online service.” Should the Commission make this modification to the Rule? Is this modification necessary in light of the breadth of the plain meaning of the term “activity”?

Safe Harbor

19. What types of conflicts would affect an FTC-approved COPPA Safe Harbor program from effectively assessing a subject operator's fitness for membership in the FTC-approved COPPA Safe Harbor program? What policies do FTC-approved COPPA Safe Harbor programs have in place to prevent such conflicts?

Effective Date

20. As part of the issuance of the initial Rule and the 2013 Amendments, the Commission stated that the Rule and amended Rule, respectively, would become effective approximately six months after issuance of the Commission's final rule in the Federal Register . The Commission requests comment on whether such timeframe is appropriate for the modifications set forth during this Rule review that do not specify an effective date.

List of Subjects in 16 CFR Part 312

• Communications
• Computer technology
• Consumer protection
• Infants and children, internet
• Privacy
• Reporting and recordkeeping requirements
• Safety
• Science and technology
• Trade practices
• Youth

Accordingly, the Federal Trade Commission proposes to amend 16 CFR 312 as follows:

PART 312—CHILDREN'S ONLINE PRIVACY PROTECTION RULE

1. The authority for part 312 continues to read:

Authority: 15 U.S.C. 6501 through 6508.

2. Revise § 312.1 to read as follows:

3. In § 312.2:

a. Revise the definition of Disclose or disclosure;

b. Add in alphabetical order a definition for Mixed audience website or online service;

c. Revise the definition of Online contact information;

d. Revise the introductory text and paragraph (2) of the definition of Operator;

e. Republish the introductory text, revise paragraphs (7) and (9), redesignate paragraph (10) as paragraph (11), and add a new paragraph (10) to the definition of Personal information;

f. Add in alphabetical order definitions for School and School-authorized education purpose;

g. Remove the words “Web Site” and add in their place the word “Web site” in the term Support for the internal operations of the website or online service and in the definition, republish paragraph (1) introductory text and revise paragraphs (1)(i), (iii), (iv), (v), and (vii) and (2);

h. Revise the definition of Third party; and

i. Remove the definition of Web site or online service directed to children and add inits place in alphabetical order a definition for Website or online service directed to children.

The additions, republications, and revisions read as follows:

4. Revise § 312.3 introductory text and paragraph (a) to read as follows:

5. In § 312.4:

a. Revise paragraphs (b), (c) introductory text, (c)(1), (c)(2) introductory text, and (c)(2)(i) and (iii);

b. Add paragraph (c)(5);

c. Revise paragraph (d); and

d. Add paragraph (e);

The revisions and additions read as follows:

6. In § 312.5:

a. Revise paragraph (a)(2) and paragraph (b)(2)(ii);

b. Redesignate paragraph (b)(2)(vi) as (b)(2)(viii);

c. Republish newly designated paragraphs (b)(2)(viii);

d. Add new paragraphs (b)(2)(vi) and (vii);

e. Revise paragraphs (c)(2) and (4), (c)(6)(i) and (iv), (c)(7) and (8); and

f. Add paragraphs (c)(9) and (10);

The revisions, republication, and additions read as follows:

7. In § 312.6:

a. Revise the section heading and paragraph (a) introductory text;

b. Redesignate paragraphs (b) and (c) as paragraphs (c) and (d);

c. Add new paragraph (b); and

d. Republish newly redesignated paragraphs (c) and (d).

The revisions, addition, and republications read as follows:

8. Revise § 312.8 to read as follows:

9. Revise § 312.10 to read as follows:

10. In § 312.11:

a. Republish (b) introductory text;

b. Revise paragraphs (b)(2), (d)(1) and (2), and (d)(3)(iii);

c. Add paragraph (d)(4); Start Printed Page 2076

d. Redesignate paragraphs (f) and (g) as paragraphs (g) and (h);

e. Add paragraph (f);

f. Revise newly redesignated paragraph (g); and

g. Republish newly redesignated paragraph (h).

The republications, revisions, and additions read as follows:

11. In § 312.12, revise paragraph (b) to read as follows:

Footnotes