[Federal Register: November 3, 1999 (Volume 64, Number 212)] [Rules and Regulations] [Page 59887-59915] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr03no99-32] [[Page 59887]] _______________________________________________________________________ Part III Federal Trade Commission _______________________________________________________________________ 16 CFR Part 312 Children's Online Privacy Protection Rule; Final Rule [[Page 59888]] FEDERAL TRADE COMMISSION 16 CFR Part 312 RIN 3084-AA84 Children's Online Privacy Protection Rule AGENCY: Federal Trade Commission. ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: The Federal Trade Commission issues its final Rule pursuant to the Children's Online Privacy Protection Act of 1998 (``COPPA'' or ``the Act''). Section 6502 of the Act requires the Commission to enact rules governing the online collection of personal information from children under 13 within one year of the date of the enactment of the COPPA, October 21, 1998. DATES: The rule will become effective on April 21, 2000. ADDRESSES: Requests for copies of the Rule and the Statement of Basis and Purpose should be sent to Public Reference Branch, Room 130, Federal Trade Commission, 6th Street and Pennsylvania Avenue, N.W., Washington, D.C. 20580. Copies of these documents are also available at the Commission's website, <www.ftc.gov>. FOR FURTHER INFORMATION CONTACT: Division of Advertising Practices: Toby Milgrom Levin (202) 326-3156, Loren G. Thompson (202) 326-2049, or Abbe Goldstein (202) 326-3423, Federal Trade Commission, 6th Street and Pennsylvania Avenue, N.W., Washington, D.C. 20580. SUPPLEMENTARY INFORMATION: The Rule implements the requirements of the COPPA by requiring operators of websites or online services directed to children and operators of websites or online services who have actual knowledge that the person from whom they seek information is a child (1) to post prominent links on their websites to a notice of how they collect, use, and/or disclose personal information from children; (2) with certain exceptions, to notify parents that they wish to collect information from their children and obtain parental consent prior to collecting, using, and/or disclosing such information; (3) not to condition a child's participation in online activities on the provision of more personal information than is reasonably necessary to participate in the activity; (4) to allow parents the opportunity to review and/or have their children's information deleted from the operator's database and to prohibit further collection from the child; and (5) to establish procedures to protect the confidentiality, security, and integrity of personal information they collect from children. As directed by the COPPA, the Rule also provides a safe harbor for operators following Commission-approved self-regulatory guidelines. Statement of Basis and Purpose I. Introduction Congress enacted the COPPA to prohibit unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personally identifiable information from and about children on the Internet.\1\ --------------------------------------------------------------------------- \1\ 15 U.S.C. 6501-6505. --------------------------------------------------------------------------- Section 6502(b)(1) of the Act sets forth a series of general privacy protections to prevent unfair or deceptive online information collection from or about children, and directs the Commission to adopt regulations to implement those protections. The Act requires operators of websites directed to children and operators who knowingly collect personal information from children to: (1) Provide parents notice of their information practices; (2) obtain prior verifiable parental consent for the collection, use, and/or disclosure of personal information from children (with certain limited exceptions for the collection of ``online contact information,'' e.g., an e-mail address); (3) provide a parent, upon request, with the means to review the personal information collected from his/her child; (4) provide a parent with the opportunity to prevent the further use of personal information that has already been collected, or the future collection of personal information from that child; (5) limit collection of personal information for a child's online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity; and (6) establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected.\2\ --------------------------------------------------------------------------- \2\ 15 U.S.C. 6502(b)(1). --------------------------------------------------------------------------- The COPPA authorizes the Commission to bring enforcement actions for violations of the Rule in the same manner as for other rules defining unfair or deceptive acts or practices under section 5 of the Federal Trade Commission Act.\3\ In addition, section 6504 of the COPPA authorizes state attorneys general to enforce compliance with the final Rule by filing actions in federal court after serving prior written notice upon the Commission when feasible.\4\ --------------------------------------------------------------------------- \3\ Section 6502(c) of the Act provides that the Rule shall be treated as a rule issued under Sec. 18(a)(1)(B) of the FTC Act (15 U.S.C. 57a (a)(1)(B)). \4\ 15 U.S.C. 6504. --------------------------------------------------------------------------- The Commission published a Notice of Proposed Rulemaking and Request for Public Comment (``NPR'') in the Federal Register on April 27, 1999,\5\ and the 45-day comment period closed on June 11, 1999. The Commission received 132 comments from a wide array of interested parties, all of which were extremely informative and which the Commission has considered in crafting the final Rule. The commenters included private individuals; companies operating Internet sites or businesses; public interest organizations; marketing and advertising trade groups; library, school, and other educational organizations; Federal government entities; State Attorneys General; publishers and publishing trade groups; Internet service providers; and organizations sponsoring Internet privacy seal programs. --------------------------------------------------------------------------- \5\ 64 FR 22750 (Apr. 27, 1999) (to be codified at 16 CFR pt. 312). --------------------------------------------------------------------------- Because of particular interest among commenters in the issue of how to obtain verifiable parental consent under the Rule, Commission staff conducted a public workshop on that issue on July 20, 1999, to obtain additional information and learn more about the views expressed.\6\ The 32 panelists at the workshop included representatives from industry (including website operators and technology companies), as well as privacy advocates, consumer groups, and representatives of other government agencies. Approximately 100 other parties also attended the workshop. Panelists discussed methods of obtaining verifiable parental consent that are currently in use; whether and how e-mail could be used to obtain verifiable parental consent; and technologies or methods that are under development that could be used in the future to obtain verifiable parental consent. Workshop attendees were invited to comment during question and answer sessions. The proceeding was transcribed, and the transcript was placed on the public record.\7\ In addition, the Commission accepted further public comment on issues raised at the workshop. The workshop [[Page 59889]] comment period, which ended on July 30, 1999, yielded 14 comments.\8\ --------------------------------------------------------------------------- \6\ 64 FR 34595 (June 28, 1999) (announcement of the public workshop). \7\ The transcript and all of the comments received in the course of this proceeding appear on the FTC's website at <www.ftc.gov>. References to the workshop transcript are cited as ``Speaker/affiliation (Workshop Tr. at ____)'' followed by the appropriate page designation. Initial references to the comments are cited as ``Name of commenter (Comment or Workshop comment number) at (page number).'' \8\ On July 27, 1999, the Commission also issued an Initial Regulatory Flexibility Analysis (``IRFA'') under the Regulatory Flexibility Act, 64 FR 40525. The IRFA focused on the impact of the proposed Rule on small businesses and sought additional public comment on that issue. This final comment period closed on August 6, 1999. Five comments were received. These comments are cited as ``Name of commenter (IRFA comment number) at (page number).'' --------------------------------------------------------------------------- In drafting this final Rule, the Commission has taken very seriously the concerns expressed about maintaining children's access to the Internet, preserving the interactivity of the medium, and minimizing the potential burdens of compliance on companies, parents, and children. The Commission believes that the final Rule strikes the appropriate balance between these concerns and the Act's goals of protecting children's information in the online environment. It looks forward to continuing to work with industry, consumer groups, and parents to ensure widespread compliance in as efficient a manner as possible, to educate the public about online privacy protections, and to assess the Rule's effectiveness on a periodic basis.\9\ --------------------------------------------------------------------------- \9\ Shortly after issuing this final Rule, the Commission plans to develop and distribute educational materials to assist businesses in complying with the Rule and to inform parents of the protections provided by the COPPA. --------------------------------------------------------------------------- II. The Rule As noted above, the Commission published the proposed Rule and accompanying analysis in the Federal Register in April 1999. Unless specifically modified herein, all of the analysis accompanying the proposed Rule in the NPR is adopted and incorporated into this Statement of Basis and Purpose for the final Rule. A. Section 312.2: Definitions Section 312.2 of the proposed Rule included definitions of a number of key terms.\10\ The Commission sought comment as to whether these definitions were clear, comprehensive, flexible, and appropriate.\11\ In the Rule, the Commission has modified the definitions of four of these terms: ``collects or collection,'' ``disclosure,'' ``personal information,'' and ``third party.'' All other definitions have been adopted without change. --------------------------------------------------------------------------- \10\ 64 FR at 22751-53, 22763-64. \11\ 64 FR at 22761. --------------------------------------------------------------------------- 1. Definition of ``Child'' In the proposed Rule, the Commission adopted the statutory definition of ``child'' as ``an individual under the age of 13.'' \12\ The Commission received only one comment on this issue, which supported the definition.\13\ Thus, the final Rule retains the statutory definition. --------------------------------------------------------------------------- \12\ COPPA, 15 U.S.C. 6501(1). See 64 FR at 22751, 22763. \13\ American Psychological Association (``APA'') (Comment 106) at 1. --------------------------------------------------------------------------- 2. Definition of ``Collects or Collection'' The proposed Rule defined ``collects or collection'' to include ``the direct or passive gathering of any personal information from a child by any means, including but not limited to: (a) [a]ny online request for personal information by the operator regardless of how that personal information is transmitted to the operator; (b) [c]ollection using a chat room, message board, or other public posting of such information on a website or online service; or (c) [p]assive tracking or use of any identifying code linked to an individual, such as a cookie.'' \14\ The term was meant to encompass the many ways that website operators could gather information from children. --------------------------------------------------------------------------- \14\ 64 FR at 22751, 22763. --------------------------------------------------------------------------- Responsive comments contended that subparagraph (a) swept within the proposed Rule information requested online but submitted offline that was clearly meant to be excluded under the COPPA.\15\ These comments also noted that it would be burdensome to require a business that solicits the same information from children in a number of ways, including through the Internet, to determine the source of the request in order to provide the required parental notice and seek consent for information submitted online. --------------------------------------------------------------------------- \15\ See generally, Direct Marketing Ass'n (``DMA'') (Comment 89) at 31-32; Kraft Foods, Inc. (``Kraft'') (Comment 67) at 2-3; Council of Better Business Bureaus, Inc. (``CBBB'') (Comment 91) at 4; Viacom, Inc. (``Viacom'') (Comment 79) at 4-5; Time Warner, Inc. (``Time Warner'') (Comment 78) at 6-7; Magazine Publishers of America (``MPA'') (Comment 113) at 2. These comments pointed out that the COPPA covers the collection of personal information, which is defined in the statute as ``individually identifiable information about an individual collected online. * * *'' 15 U.S.C. 6501(8). Commenters also noted that the Floor Statement accompanying the Act states ``[t]his is an online children's privacy bill, and its reach is limited to information collected online from a child.'' 144 Cong. Rec. S11657 (daily ed. Oct. 7, 1998) (Statement of Sen. Bryan). --------------------------------------------------------------------------- The Commission is persuaded that the Congress intended the COPPA to apply only to information collected online by an operator. Therefore, based on the written comments, subparagraph (a) of the definition of collects or collection has been modified to cover any request by the operator that children submit information online.\16\ --------------------------------------------------------------------------- \16\ If, however, an operator combines in one database information collected offline with information collected online such that the operator cannot determine the source of the information, the operator will be required to disclose all of that data in response to a parent's request under section 312.6 of the Rule. See Section II.E, infra. --------------------------------------------------------------------------- Other commenters were concerned that including public postings in the definition of ``collects or collection'' would confer liability on operators of general audience (i.e., non-child-directed) chat sites for unsolicited postings by children.\17\ The Commission believes that these concerns are legitimate, and therefore the Rule now provides that such sites would only be liable if they (1) have actual knowledge that postings are being made by a child under 13, and (2) when they have such knowledge, fail to delete any personal information before it is made public, and also to delete it from their records. --------------------------------------------------------------------------- \17\ ZapMe! Corp. (``ZapMe!'') (Comment 76) at 7; Talk City, Inc. (``Talk City'') (Comment 110) at 2. See also Promotion Marketing Ass'n. (``PMA'') (Comment 107) at 3. --------------------------------------------------------------------------- For general audience sites, the Act explicitly covers operators who have actual knowledge that they are collecting personal information from children.\18\ Therefore, the operator of a general audience chat site who has actual knowledge that a child is posting personal information on the site must provide notice and obtain verifiable parental consent if the child is to continue to post such information in that site's chat room.\19\ In most cases, if the operator does not monitor the chat room, the operator likely will not have the requisite knowledge under the Act. However, where the operator does monitor the chat room, the Commission has amended the Rule so that, if the operator strips any posting of individually identifiable information before it is made public (and deletes it from the operator's records), that operator will not be deemed to have collected the child's personal information.\20\ --------------------------------------------------------------------------- \18\ 15 U.S.C. 6502(a)(1). See also Rule section 312.3. \19\ Operators of sites directed to children that provide chat rooms and bulletin boards and who do not delete personally identifiable information from postings before they are made public must always provide notice and obtain parental consent as provided by the Rule. \20\ This amendment applies both to operators of websites directed to children and to websites with actual knowledge that information is being collected from a child. Because an operator who deletes such information will not be deemed to have ``collected'' it, that operator also will not have ``disclosed'' that information under the Rule. --------------------------------------------------------------------------- One group of commenters stated that requiring operators to get parental consent in order for a child to participate in a chat room would violate the child's First Amendment right to free speech.\21\ These commenters also [[Page 59890]] asserted that the Commission's proposal went beyond what Congress intended with this legislation.\22\ Congress, however, specifically included such postings in the COPPA on the grounds that children could be placed at risk in such fora, noting that one of the Act's goals was ``to enhance parental involvement to help protect the safety of children in online fora such as chatrooms, home pages, and pen-pal services in which children may make public postings of identifying information.'' \23\ As noted in the Commission's June 1998 report to Congress, children's use of chat rooms and bulletin boards that are accessible to all online users present the most serious safety risks, because it enables them to communicate freely with strangers.\24\ Indeed, an investigation conducted by the FBI and the Justice Department revealed that these services are quickly becoming the most common resources used by predators for identifying and contacting children.\25\ Commenters also generally acknowledged that these are among the most sensitive online activities.\26\ --------------------------------------------------------------------------- \21\ Center for Democracy and Technology, American Civil Liberties Union, American Library Association (``CDT, et al.'') (Workshop comment 11) at 2-4. \22\ Id. \23\ 144 Cong. Rec. S11657 (Statement of Sen. Bryan). \24\ Privacy Online: A Report to Congress at 5 (June 1998). \25\ Id. The concern may be heightened where such services are directed to children because potential predators know that the majority of the participants are likely to be underage. \26\ Center for Media Education, Consumer Federation of America, Am. Academy of Child and Adolescent Psychiatry, Am. Academy of Pediatrics, Junkbusters Corp., Nat'l Alliance for Non-Violent Programming, Nat'l Ass'n of Elementary School Principals, Nat'l Consumers League, Nat'l Education Ass'n, Privacy Times and Public Advocacy for Kids (``CME/CFA et al.'') (Comment 80) at 30; Viacom (Comment 79) at 13-14; DMA (Workshop comment 02) at 1-2; Bagwell/MTV Networks Online (Workshop Tr. 32-33); Kraft (Comment 67) at 4-5; Children's Advertising Review Unit of the Council of Better Business Bureaus (``CARU'') (Workshop comment 08) at 2; Cartoon Network, et al. (Comment 77) at 18; Nikolai.com, Inc. (Comment 129) at 2; and Consumers Union (Comment 116) at 3. --------------------------------------------------------------------------- Several commenters expressed concerns that the proposed Rule would similarly require operators to give notice and obtain parental consent in order to give a child an e-mail account.\27\ The Commission notes that, to the extent that operators who provide e-mail accounts keep records of the e-mail addresses they have assigned, along with any associated information, those operators can be considered to have ``collected'' those e-mail addresses under the Act. Operators of sites directed to children are therefore required to comply with the Act when giving children e-mail accounts. For operators of general audience sites, the Rule requires actual knowledge that information is being collected from a child. Such operators would only be required to provide notice and obtain parental consent if registration or other information reveals that the person seeking the e-mail account is a child. --------------------------------------------------------------------------- \27\ See, e.g., Commercial Internet eXchange Ass'n and PSINet Inc. (``CIX et al.'') (Comment 83) at 8; Zeeks.com (Comment 98) at 1; CDT et al. (Workshop comment 11) at 3 (noting same First Amendment concerns as for chat rooms). Similar concerns were expressed in connection with the proposed Rule's definition of ``disclosure,'' which included ``any other means that would enable a child to reveal personal information to others online.'' See Section II.A.3, infra. --------------------------------------------------------------------------- A number of commenters noted that operators might be responsible for complying with all of the requirements of the Rule after receiving an unsolicited e-mail from a child.\28\ If an operator of a site directed to children receives such an e-mail, that contact is covered under the Act's (and the Rule's) one-time e-mail exception.\29\ Under that exception, an operator may collect a child's name and online contact information for the purpose of responding one time in response to a direct request from a child. This exception would allow an operator to receive an e-mail from a child and provide a response without providing parental notice and obtaining consent, as long as the name and online contact information collected from the child are deleted and not used for any other purpose.\30\ And again, in the case of a general audience site, these requirements apply only if the site receiving the e-mail has actual knowledge that it was sent by a child. --------------------------------------------------------------------------- \28\ See, e.g., ZapMe! (Comment 76) at 7-8. See also Highlights for Children, Inc. (``Highlights'') (Comment 124) at 2. \29\ 15 U.S.C. 6502(b)(2)(A); section 312.5(c)(2) of the Rule. See Section II.D.3, infra. \30\ Moreover, this exception would accommodate sites that automate their responses to incoming e-mails, as long as the child's name and online contact information are deleted and not used for any other purpose. MLG Internet (Comment 119) at 2 (asking about automated e-mail responses). --------------------------------------------------------------------------- One commenter noted that a site could collect non-personally identifiable information about a child without parental notice or consent as long as that information was only tied to a screen name.\31\ An operator who has solicited such information could obtain the child's name through a subsequent solicitation, and would thus have evaded the Act's requirement of prior parental consent.\32\ This is a valid concern, but the Commission believes that the Rule does in fact address the issue. Indeed, under the Rule, once such information is linked to an identifier (the name), it becomes ``personal information'' and the Rule requires the operator to provide notice and obtain consent for the collection, use, and/or disclosure of all of the information.\33\ --------------------------------------------------------------------------- \31\ CDT (Comment 81) at 18. \32\ Id. \33\ See Section II.A.8, infra. Moreover, under section 312.6 of the Rule, the operator must disclose that information to the parent upon request and the parent may request that the operator delete that information. See Section II.E, infra. --------------------------------------------------------------------------- 3. Definition of ``Disclosure'' The definition of ``disclosure'' in the proposed Rule covered: (1) The release of personal information collected from a child in identifiable form by an operator for any purpose, except where the operator provides the information to a person who provides support for the internal operations of the website and who does not use that information for any other purpose; \34\ and (2) making personal information collected from a child publicly available in identifiable form, including through public postings, posting of personal home pages, messages boards, and chat rooms, or any other means that would enable a child to reveal personal information to others online.\35\ --------------------------------------------------------------------------- \34\ The ``release of personal information'' is defined in the Rule to mean the ``sharing, selling, renting, or any other means of providing personal information to any third party.'' See section 312.2 of the Rule. For additional guidance as to whether an entity is a ``third party'' under the Rule, see discussion, infra, regarding definitions of ``operator'' and ``third party.'' \35\ 64 FR 22752, 22764. --------------------------------------------------------------------------- In the NPR, the Commission sought to clarify that entities that provide fulfillment services or technical support would be considered ``support for the internal operations of the website or online service,'' and thus disclosures to such entities need not be disclosed in the site's notices.\36\ The Commission also noted that such services as merely providing the server for the website, or providing chat or e- mail service would also be considered ``support for the internal operations of the website.'' \37\ The Commission cautioned, however, that because operators are also required by the Act to establish reasonable procedures to maintain the confidentiality, security, and integrity of personal information collected from children,\38\ they should take appropriate measures to safeguard such information in the possession of those who provide support for the internal operations of their websites.\39\ --------------------------------------------------------------------------- \36\ 64 FR at 22752. \37\ Id. \38\ 15 U.S.C. 6502(b)(1)(D). \39\ 64 FR at 22752. Some commenters objected to the notion of holding operators liable for the action of contractors because operators have no way of ensuring that contractors will follow the Rule. See, e.g., DMA (Comment 89) at 35. The Act and the Rule require operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. 15 U.S.C. 6502(b)(1)(D); section 312.8 of the Rule. As long as the operator follows reasonable procedures to ensure that such contractors protect the information (for example, contractual provisions that limit the contractors' ability to use the information), operators should not be liable for the actions of contractors. --------------------------------------------------------------------------- [[Page 59891]] Two commenters expressed a concern that the last clause of the proposed definition, which covered ``any other means that would enable a child to reveal personal information to others online,'' would include an Internet Service Provider (``ISP'') or cable company that simply provides Internet access without offering any content or actively collecting any information from children.\40\ Although the Commission notes that this language was not meant to reach such entities,\41\ it has decided to eliminate this language as confusing and unnecessary.\42\ --------------------------------------------------------------------------- \40\ See CIX, et al. (Comment 83) at 8-9; National Cable Television Association (``NCTA'') (Comment 71) at 6-8. \41\ See 64 FR at 22752. To the extent that ISPs do not operate websites or online services that are directed to children, or knowingly collect information from children, they are not subject to the COPPA. \42\ One commenter also asked whether the term ``disclosure'' covered the inclusion of a child's name on a list of contest winners, which is often required under state laws. See PMA (Comment 107) at 4. If the operator collects only name and online contact information, then the exception under section 312.5(c)(5)(iv) would apply. However, if the operator collects additional information online, then the release of that information would be considered a disclosure under the Rule. --------------------------------------------------------------------------- 4. Definition of ``Internet'' The proposed Rule's definition of ``Internet'' made clear that it applied to the Internet in its current form and to any conceivable successor.\43\ Given that the technology used to provide access to the Internet will evolve over time, it is imperative that the Rule not limit itself to current access mechanisms. The Commission received three comments regarding this definition.\44\ One commenter suggested that the Commission clarify that the definition ``clearly includes networks parallel to or supplementary to the Internet such as those maintained by the broadband providers * * * [and] intranets maintained by online services which are either accessible via the Internet or have gateways to the Internet.'' \45\ The Commission believes that the proposed definition of ``Internet'' was sufficiently broad to encompass such services and adopts that definition in the final Rule. --------------------------------------------------------------------------- \43\ 64 FR at 22752, 22764. \44\ CME/CFA et al. (Comment 80) at 18; E.A. Bonnett (Comment 126) at 1; CDT (Comment 81) at 10-11. Two of the comments praised the proposed definition as comprehensive. E.A. Bonnett (Comment 126) at 1; CDT (Comment 81) at 10-11. \45\ CME/CFA et al. (Comment 80) at 18. --------------------------------------------------------------------------- 5. Definition of ``Online Contact Information'' The Commission received several comments \46\ regarding the definition of ``online contact information.'' \47\ One commenter suggested that the Commission include in the definition such identifiers as instant messaging user identifiers, which are increasingly being used for communicating online.\48\ The Commission believes that these identifiers already fall within the proposed definition, which includes ``any other substantially similar identifier that permits direct contact with a person online.'' \49\ After reviewing the comments, the Commission has determined that no changes to this definition are necessary. --------------------------------------------------------------------------- \46\ CyberAngels (Comment 120) at 1; CME/CFA et al. (Comment 80) at 6-7; Aftab & Savitt (Comment 118) at 3-4; CDT (Comment 81) at 16- 18. \47\ The definition in the proposed Rule was identical to the one contained in the Act. See 15 U.S.C. 6501(12); 64 FR at 22752, 22764. \48\ CyberAngels (Comment 120) at 1. \49\ Another example of ``online contact information'' could be a screen name that also serves as an e-mail address. See Section II.A.8, infra. --------------------------------------------------------------------------- 6. Definition of ``Operator'' The definition of ``operator'' is of central importance because it determines who is covered by the Act and the Rule. Consistent with the Act, the proposed Rule defined operator (with some limitations) as ``any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users or visitors * * * or on whose behalf such information is collected or maintained * * *'' \50\ In the NPR, the Commission clarified the scope of the definition by listing a number of factors to consider, including who owns and/or controls the information, who pays for its collection and maintenance, the pre- existing contractual relationships regarding collection and maintenance of the information, and the role of the website or online service in collecting and/or maintaining the information (i.e., whether the site participates in collection or is merely a conduit through which the information flows to another entity).\51\ The Commission also clarified that entities that merely provide access to the Internet, without providing content or collecting information from children, would not be considered operators.\52\ In the NPR, the Commission asked about the impact of the proposed definition, and whether it was sufficiently clear to provide notice as to who is covered by the Rule.\53\ After carefully reviewing the comments received, the Commission has determined that no changes to the proposed definition are necessary. --------------------------------------------------------------------------- \50\ 15 U.S.C. 6501(2); 64 FR at 22752, 22764. \51\ 64 FR at 22752. \52\ Thus, ISPs and cable operators that merely offer Internet access would not be considered operators under the Rule. \53\ 64 FR at 22761. --------------------------------------------------------------------------- A number of commenters proposed various tests to determine how corporate affiliates should be treated under the Rule.\54\ The Commission believes that an entity's status as an operator or third party under the Rule should be determined not by its characterization as a corporate affiliate, but by its relationship to the information collected under the factors described in the NPR. Not all affiliates play a role in collecting or maintaining the information from children, and making an entity an operator subject to the Act simply because one of its affiliates collects or maintains information from children online would not serve the goals of the COPPA. If, however, the entity has an interest in the data collected under the factors listed in the NPR, then it, too, will be covered by the Rule.\55\ --------------------------------------------------------------------------- \54\ See, e.g., Council of Better Business Bureaus, Inc. (``CBBB'') (Comment 91) at 6-7; Attorneys General of the States of New York, Alabama, California, Florida, Georgia, Hawaii, Illinois, Indiana, Maryland, Nevada, Ohio, Oklahoma, Tennessee, Vermont, and Washington (``Attorneys General'') (Comment 114) at 6; PMA (Comment 107) at 4-5; Am. Ass'n of Advertising Agencies (``AAAA'') (Comment 134) at 3; Ass'n of Nat'l Advertisers (``ANA'') (Comment 93) at 6-7. Some commenters argued in support of automatically including all corporate affiliates as operators. Others thought that all affiliates with identical privacy policies should be considered operators, or, alternatively, that operators should be required to disclose that an affiliate has a different privacy policy and describe how it differs from the primary operator's. As noted in Section II.C.3.c, infra, the notice is required to describe the privacy policies of the various operators. One commenter suggested a consumer perception standard: that an affiliate would be considered an operator if a consumer would reasonably expect that the affiliated entities are part of one organization that shares information within itself. PMA (Comment 107) at 5. The Commission believes that the proposed standard, which places responsibility for compliance on the entities that control the information, is the most workable test for who is an operator. \55\ In the NPR, the Commission stated that operators are jointly responsible for implementing the requirements of the Rule. 64 FR at 22752. In an investigation into a potential Rule violation, the Commission will examine all the facts and circumstances in determining the appropriate party or parties to pursue. The Commission likely will not pursue an entity that is an ``operator,'' but has not facilitated or participated in, and has no reason to know of, any Rule violations. --------------------------------------------------------------------------- One commenter sought clarification of the status of network advertising companies, or companies that provide banner ads on websites or online [[Page 59892]] services.\56\ If such companies collect personal information directly from children who click on ads placed on websites or online services directed to children, then they will be considered operators who must comply with the Act, unless one of the exceptions applies.\57\ Moreover, if such companies collect personal information from visitors who click on their ads at general audience sites, and that information reveals that the visitor is a child, then they will be subject to the Act. In addition, if they do not collect information from children directly, but have ownership or control over information collected at a host children's site, they will be considered operators. If, however, no personal information is collected or maintained by such companies, either directly or through the host website, then they will not be deemed to be operators. --------------------------------------------------------------------------- \56\ Media Inc., AdForce, Inc., DoubleClick, Inc., Engage Technologies, Inc., Flycast Communications Corp., and Real Media, Inc. (Comment 92) at 4-8. \57\ It may be appropriate for such companies to provide a joint notice with the operator of the host website. --------------------------------------------------------------------------- Some commenters sought greater clarity regarding the meaning of ``actual knowledge'' that a particular visitor is a child and inquired whether an operator of a general audience site has any duty to investigate the age of its visitors.\58\ Actual knowledge will be present, for example, where an operator learns of a child's age or grade from the child's registration at the site or from a concerned parent who has learned that his child is participating at the site. In addition, although the COPPA does not require operators of general audience sites to investigate the ages of their site's visitors, the Commission notes that it will examine closely sites that do not directly ask age or grade, but instead ask ``age identifying'' questions, such as ``what type of school do you go to: (a) elementary; (b) middle); (c) high school; (d) college.'' Through such questions, operators may acquire actual knowledge that they are dealing with children under 13. --------------------------------------------------------------------------- \58\ See PMA (Comment 107) at 6; Attorneys General (Comment 114) at 7. See also MLG Internet (Comment 119) at 1-2. --------------------------------------------------------------------------- Finally, one commenter sought assurance that an operator would not be liable if his site contained a link to another site that was violating the Rule.\59\ If the operator of the linking site is not an operator with respect to the second site (that is, if there is no ownership or control of the information collected at the second site according to the factors laid out in the NPR), then the operator will not be liable for the violations occurring at the second site. --------------------------------------------------------------------------- \59\ MaMaMedia, Inc. (``MaMaMedia'') (Comment 85) at 7. --------------------------------------------------------------------------- 7. Definition of ``Parent'' The Act and the proposed Rule defined ``parent'' as ``includ[ing] a legal guardian.'' \60\ The Commission received two comments regarding this definition, both of which sought additional guidance concerning the Rule's application in non-traditional family situations.\61\ The Commission believes that the proposed definition is sufficiently flexible to account for a variety of family structures and situations, including situations where a child is being raised by grandparents, foster parents, or other adults who have legal custody. Therefore, the Commission retains the definition of parent contained in the proposed Rule. --------------------------------------------------------------------------- \60\ 15 U.S.C. 6501(7); 64 FR at 22752, 22764. \61\ Ass'n of Educational Publishers (``EdPress'') (Comment 130) at 2; Highlights (Comment 124) at 1. --------------------------------------------------------------------------- 8. Definition of ``Personal Information'' The definition of ``personal information'' is another critical part of the Rule because it specifies the type of information covered by the Rule. The proposed definition included a number of different types of individually identifiable information, including name, address, and phone number; e-mail address; and other types of information that could be used to locate an individual either online or offline.\62\ The proposed definition also covered non-individually identifiable information (e.g., information about a child's hobbies or toys) that is associated with an identifier.\63\ --------------------------------------------------------------------------- \62\ 64 FR at 22752-22753, 22764. \63\ Id. --------------------------------------------------------------------------- One commenter asked the Commission to clarify that operators are not required to provide parental notice or seek parental consent for collection of non-individually identifiable information that is not and will not be associated with an identifier.\64\ The Commission believes that this is clear in both the Act and the Rule. --------------------------------------------------------------------------- \64\ See National Retail Federation (``NRF'') (Comment 95) at 2. --------------------------------------------------------------------------- Several commenters sought further guidance on whether the use of screen names would trigger the Act's requirements.\65\ If a screen name is not associated with any individually identifiable information, it is not considered ``personal information'' under this Rule.\66\ --------------------------------------------------------------------------- \65\ ZapMe! (Comment 76) at 8-9; KidsOnLine.com (Comment 108) at 1-2; TRUSTe (Comment 97) at 3. \66\ One commenter also asked whether operators would be required to ensure that a screen name chosen by a child did not contain individually identifiable information. TRUSTe (Comment 97) at 3. Operators do not have a specific duty to investigate whether a screen name contains such information. However, an operator could give children warnings about including such information in screen names, especially those that will be disclosed in a public forum such as a chat room. --------------------------------------------------------------------------- Another commenter criticized the proposed Rule on the grounds that it encourages operators to set up sites using screen names.\67\ This commenter argued that it is important to have accountability online-- i.e., that it is important for operators to be able to identify and take action against visitors who post inappropriate information or harass other online visitors. The Commission agrees that these are important considerations, but notes that the Rule does not foreclose operators from taking such precautions. Operators are free to request parental consent to collect such information. Moreover, the exception to the requirement of prior parental consent under section 312.5(c)(5)(i) of the Rule allows operators to collect the child's online contact information for this very purpose.\68\ --------------------------------------------------------------------------- \67\ KidsOnLine.com (Comment 108) at 1-2. \68\ See also 15 U.S.C. 6502(b)(2)(E)(i). As noted above, an operator who wishes to collect name and online contact information under this exception may not use or disclose that information for any other purpose. An operator, however, who collects other personal information and links it with online contact information collected under this exception would be in violation of the Rule unless the operator provided parental notice and obtained verifiable parental consent for the collection of all of that information. --------------------------------------------------------------------------- One commenter noted that there are some persistent identifiers that are automatically collected by websites and can be considered individually identifying information, such as a static IP address or processor serial number.\69\ If this type of information were considered ``personal information,'' the commenter noted, then nearly every child-oriented website would automatically be required to comply with the Rule, even if no other personal information were being collected. The Commission believes that unless such identifiers are associated with other individually identifiable personal information, they would not fall within the Rule's definition of ``personal information.'' --------------------------------------------------------------------------- \69\ CDT (Comment 81) at 16. See also E.A. Bonnett (Comment 126) at 2-3. --------------------------------------------------------------------------- Several commenters asked whether information stored in cookies falls within the definition of personal information.\70\ If the operator either collects individually identifiable information using the cookie or collects non-individually identifiable information using the cookie that is [[Page 59893]] combined with an identifier, then the information constitutes ``personal information'' under the Rule, regardless of where it is stored. --------------------------------------------------------------------------- \70\ See, e.g., Consumers Union (Comment 116) at 4. --------------------------------------------------------------------------- After reviewing the comments, the Commission has decided to retain the definition of ``personal information'' with slight modifications. In response to the suggestion of one commenter, one item was added to subparagraph (f) of the definition: a photograph of the individual, when associated with other information collected online that would enable the physical or online contacting of the individual.\71\ The Commission is also making slight modifications to ensure consistency within the definition. --------------------------------------------------------------------------- \71\ Aftab & Savitt (Comment 118) at 4. This commenter also asked the Commission to remove the phrase ``collected online'' from this definition in order to cover information that is submitted to an operator offline, then posted online by the operator. While we are cognizant of the risks posed by such practices, the Commission believes that the COPPA does not apply to information submitted to an operator offline. See Section II.A.2, supra, concerning the definition of ``collection.'' --------------------------------------------------------------------------- 9. Definition of ``Third Party'' The proposed Rule defined the term ``third party'' as ``any person who is neither an operator with respect to the collection of personal information * * * nor a person who provides support for the internal operations of the website or online service.'' \72\ Under the Rule, an operator is required to provide notice of its practices with respect to the disclosure of information to third parties and to allow parents to choose whether the operator may disclose their children's information to third parties.\73\ Because third parties are not operators, they are not responsible for carrying out the provisions of the Rule. --------------------------------------------------------------------------- \72\ 64 FR at 22753, 22764. \73\ See Sections II.C.3.d, and II.D.1, infra. --------------------------------------------------------------------------- Comments regarding this definition raised issues similar to those raised in response to the proposed definition of ``operator''-- specifically, when and whether corporate affiliates would be considered ``operators'' or ``third parties.'' As noted above, the Commission believes that the most appropriate test for determining an entity's status as an operator or third party is to look at the entity's relationship to the data collected, using the factors listed in the NPR.\74\ If an entity does not meet the test for operator, that entity will be considered a third party. --------------------------------------------------------------------------- \74\ See Section II.A.6, supra; 64 FR at 22752. --------------------------------------------------------------------------- One commenter asked that the Commission require third parties to comply with the Rule.\75\ However, the statute applies only to the practices of the operator, and the Commission does not have the authority to extend liability to third parties. --------------------------------------------------------------------------- \75\ CME/CFA et al. (Comment 80) at 6, 11. --------------------------------------------------------------------------- After reviewing the comments, the Commission has made minor revisions to the definition of ``third party'' to maintain consistency across the Rule. These revisions consist of adding the words ``and maintenance`` following ``collection,'' and clarifying that, in order to be excluded from the definition, a person who provides internal support for the website may not disclose or use information protected under this Rule for any other purpose. 10. The Definition of ``Obtaining Verifiable Parental Consent'' The proposed Rule included a definition of ``obtaining verifiable parental consent'' that was substantially similar to the definition contained in the COPPA.\76\ The term was defined to mean ``making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child'' receives notice of the operator's information practices and consents to those practices. The Commission received no comments suggesting modification to this definition, and therefore retains the proposed definition. --------------------------------------------------------------------------- \76\ See 64 FR 22753, 22764; 15 U.S.C. 6501(9). --------------------------------------------------------------------------- 11. Definition of ``Website or Online Service Directed to Children'' In the proposed Rule, the Commission listed a number of factors that the Commission would consider in determining whether a site would be ``directed to children,'' including, among other things, the site's ``subject matter, visual or audio content, age of models, language or other characteristics of the website or online service. * * *''\77\ The Commission also stated in the proposed Rule that it would consider competent and reliable empirical evidence regarding audience composition as well as evidence regarding the intended audience of the site.\78\ In addition, under the proposed Rule, a general audience website would not be deemed to be directed to children simply because it referred or linked to another website or online service that is directed to children.\79\ Finally, if a general audience site has a distinct children's ``portion'' or ``area,'' then the operator would be required to provide the protections of the Rule for visitors to that portion of the site.\80\ --------------------------------------------------------------------------- \77\ 64 FR 22753, 22764. \78\ Id. \79\ Id. \80\ Id. --------------------------------------------------------------------------- Several commenters asked for more guidance about the factor analysis laid out in this definition.\81\ One commenter asked that the Commission clarify that the presence of only one of the listed factors would not cause a site to be classified as ``directed to children''; rather that all of the factors would be taken into account.\82\ In response, the Commission notes that the proposed definition makes it clear that the Commission will look at the overall character of the site--and not just the presence or absence of one or more factors--in determining whether a website is directed to children. --------------------------------------------------------------------------- \81\ JuniorNet Corp. (``JuniorNet'') (Comment 100) at 2; Int'l Digital Software Ass'n (``IDSA'') (Comment 103) at 2; CDT (Comment 81) at 20-21; MLG Internet (Comment 119) at 2; Time Warner (Comment 78) at 4, 5. \82\ JuniorNet (Comment 100) at 2. --------------------------------------------------------------------------- Another commenter noted that operators should not be able to construct a ``veil of ignorance'' where the operator can determine through questions whether a visitor is a child without specifically asking for the visitor's age.\83\ As discussed above in Section II.A.6 concerning the definition of ``operator,'' the Commission will closely examine such sites to determine whether they have actual knowledge that they are collecting information from children. A similar concern was raised with respect to sites that ask for age ranges that include both children and teens (e.g., a ``15 and under'' category).\84\ Because it is simple for operators to craft a ``12 and under'' age range, the Commission will look closely at sites that do not offer such a range if it appears that their operators are trying to avoid compliance with the Rule. --------------------------------------------------------------------------- \83\ Consumers Union (Comment 116) at 4-5. \84\ CME/CFA et al. (Comment 80) at 7; Attorneys General (Comment 114) at 7. See also TRUSTe (Comment 97) at 2. --------------------------------------------------------------------------- B. Section 312.3: Regulation of Unfair or Deceptive Acts or Practices in Connection With the Collection, Use, and/or Disclosure of Personal Information From and About Children on the Internet Section 312.3 of the proposed Rule set out the Rule's general requirements, which were detailed in the later provisions.\85\ The Commission received no comments that directly pertained to section 312.3 of the proposed Rule, which was a restatement of the requirements laid out in the Act,\86\ and therefore retains it without change. Comments regarding the sections [[Page 59894]] implementing its requirements are discussed in the relevant sections below. --------------------------------------------------------------------------- \85\ 64 FR at 22753, 22764. \86\ 15 U.S.C. 6502(b)(1). --------------------------------------------------------------------------- C. Section 312.4: Notice 1. Section 312.4(a): General Principles of Notice The COPPA mandates that an operator provide notice on its website and to parents of ``what information is collected from children by the operator, how the operator uses such information, and the operator's disclosure practices regarding such information.'' \87\ The proposed Rule set out general principles of notice, followed by a specific set of guidelines for the online placement and content of those notices, to ensure that parents receive all the information that they would find material when reviewing a site.\88\ As noted in the NPR, the operator's notice will form the basis for a parent's decision whether to give the operator consent to collect, use, and/or disclose personal information from his or her child.\89\ In order to provide informed consent, a parent must have a clear idea of what the operator intends to do.\90\ Therefore, the proposed Rule required an operator's notice to ``be clearly and understandably written,'' \91\ be complete, and * * * contain no unrelated, confusing, or contradictory materials.'' \92\ The Commission believes that these are the core principles underlying a consent-based system and, therefore, retains this section in the final Rule.\93\ --------------------------------------------------------------------------- \87\ 15 U.S.C. 6502(b)(1)(A)(i). One commenter stated that Congress included these general guidelines in the Act as a performance standard, rather than intending them to be a source of detailed regulations. Yahoo! Inc, theglobe.com, inc., DoubleClick, Inc. (``Yahoo et al.'') (Comment 73) at 2. Congress, however, specifically delegated to the Commission the authority to issue regulations to implement the Act. \88\ Sections 312.4(a), (b); 64 FR at 22753-56, 22764-65. \89\ 64 FR at 22754-55. \90\ The Commission notes that it has authority under this section, as well as under Section 5 of the Federal Trade Commission Act, to take action against operators whose notices are deceptive or misleading. \91\ CME/CFA et al. (Comment 80) at 9; The McGraw-Hill Companies (``McGraw-Hill'') (Comment 104) at 6. One commenter asked whether the Commission would apply a particular standard in evaluating how a notice is written. Jeff Sovern, St. John's University School of Law (``Sovern'') (Comment 33) at 3-4. Traditionally, the Commission has applied a ``reasonable consumer'' standard in evaluating whether a notice is clearly and understandably written. Because the notices required by the Act are intended for parents, the Commission will look at whether they are written such that a reasonable parent can read and comprehend them. \92\ 64 FR at 22754. \93\ Two commenters voiced support for these general principles. See Attorneys General (Comment 114) at 7; Kraft (Comment 67) at 1. --------------------------------------------------------------------------- 2. Section 312.4(b)(1): Notice on the Website or Online Service-- Placement of the Notice Section 312.4(b)(1) of the proposed Rule set forth the requirements for online placement of the notice of the operator's information practices. It required operators to place a link to the notice on the home page of the website or online service such that a typical visitor would see the link without having to scroll down from the initial viewing screen.\94\ In addition, the proposed Rule required operators to post a link to that notice in a similar manner at each place on the website or online service where information is collected from children.\95\ --------------------------------------------------------------------------- \94\ 64 FR at 22754. \95\ Id. Several commenters supported the use of other mechanisms for providing notice, such as pop-up or interstitial pages, which typically appear temporarily when visitors move from one part of the site to another. America Online, Inc. (``AOL'') (Comment 72) at 11; NRF (Comment 95) at 3; iCanBuy.com (Comment 101) at 2. The Commission notes that pop-up or interstitial pages will only satisfy the notice requirements of the Rule if they are clear, prominent, and easily accessible to users, i.e., they do not disappear after the initial viewing or users can re-access them through a clear and prominent link on the home page. --------------------------------------------------------------------------- A large number of commenters noted that with the multitude of Web browsers available and the advent of ever-smaller machines that can access the Internet, it may not be technically feasible to ensure that the link to the notice can be seen without scrolling down from the initial viewing screen.\96\ The Commission acknowledges that the proposed Rule's requirement regarding the placement of the online notices may not be a workable standard. Therefore, the Commission has modified section 312.4(b)(1)(ii) to require that a link to the notice be placed ``in a clear and prominent place and manner on the home page of the website or online service.'' ``Clear and prominent'' means that the link must stand out and be noticeable to the site's visitors through use, for example, of a larger font size in a different color on a contrasting background. The Commission does not consider ``clear and prominent'' a link that is in small print at the bottom of the home page, or a link that is indistinguishable from a number of other, adjacent links. --------------------------------------------------------------------------- \96\ See, e.g., Am. Advertising Fed. (``AAF'') (Comment 87) at 2; ANA (Comment 93) at 5; Dell Computer Corp. (``Dell'') (Comment 102) at 3-4; McGraw-Hill (Comment 104) at 7; Time Warner (Comment 78) at 9; Viacom (Comment 79) at 6-7. --------------------------------------------------------------------------- Some commenters noted that general audience sites with distinct children's areas should be allowed to post the link to the children's privacy policy at the home page of the children's area, rather than the home page of the overall site.\97\ The Commission believes that this is a sensible approach to providing notice. Parents who are reviewing the operator's practices with respect to children would likely go directly to the children's area; therefore, operators of sites with distinct children's areas must post a prominent link at the home page of that area.\98\ --------------------------------------------------------------------------- \97\ ANA (Comment 93) at 5; MPA (Comment 113) at 3-4; DMA (Comment 89) at 22-23; McGraw-Hill (Comment 104) at 7. \98\ One comment argued that the notice requirements would require operators of general audience sites to have two physically separate privacy policies--one for adults and one for children. Kraft (Comment 67) at 4. Operators are free to combine the privacy policies into one document, as long as the link for the children's policy takes visitors directly to the point in the document where the operator's policies with respect to children are discussed, or it is clearly disclosed at the top of the notice that there is a specific section discussing the operator's information practices with regard to children. --------------------------------------------------------------------------- Further, in response to comment, section 312.4(b)(1)(iii) has been modified to require that a link to the notice be placed ``at each area on the website or online service where children directly provide, or are asked to provide, personal information and in close proximity to the requests for information in each such area.'' The comment noted-- and the Commission agrees--that it makes sense to require that the link be in close proximity to the initial request for information in an area so that visitors do not have to scroll up or down the page to find the link.\99\ In response to comments, the Commission also changed the requirement of notice at each ``place'' where children provide information to notice at each such ``area'' in order to make clear that there does not need to be a link accompanying each question, but simply at each separate area where such information is collected.\100\ --------------------------------------------------------------------------- \99\ Mars, Inc. (``Mars'') (Comment 86) at 10. \100\ See, e.g., AOL (Comment 72) at 8-11. --------------------------------------------------------------------------- 3. Section 312.4 (b)(2) and (c)(1)(i)(B): Content of the Notice Section 312.4(b)(2) of the proposed Rule details the information that operators must include in their notice on the site. That information was also required to be included in the notice to the parent under Section 312.4(c)(1)(i)(B).\101\ Under the proposed Rule, operators were required to include in their notices, among other things: (1) names and contact information for all operators; (2) the types of personal information collected through the site and how such information is collected; (3) how the personal information would be used; (4) whether the personal [[Page 59895]] information would be disclosed to third parties, the types of businesses in which those third parties are engaged, whether the third parties have agreed to take steps to protect the information, and a statement that parents have the right to refuse to consent to the disclosure of their child's personal information to third parties; (5) that the operator may not condition a child's participation in an activity on the provision of more personal information than is necessary to participate in the activity; and (6) that the parent may review, make changes to, or have deleted the child's personal information.\102\ Many of the comments addressing these sections expressed concern that they required the inclusion of too much information in the notices. As discussed below, the Commission believes that most of the information required in the proposed Rule would be material to parents in deciding whether to consent to their child's participation in a site. However, in order to reduce the length of the notice, the Commission has eliminated certain information that it has determined would be of limited benefit to parents. --------------------------------------------------------------------------- \101\ 64 FR at 22754-56, 22765. \102\ Id. --------------------------------------------------------------------------- a. Section 312.4(b)(2)(i). This section of the proposed Rule required operators to include in the notice the name, address, phone number, and e-mail address of all operators collecting or maintaining personal information from children through the website or online service.<SUP>103</SUP> Some commenters objected to including this information in the notice because it would make the notice unwieldy. Operators can minimize the length of the notice by designating a single entity as a central contact point for any inquiries regarding the information practices of the site's operators. The Commission, however, believes that it is essential that all operators be identified in the notice, even if full contact information is not provided, so that parents know who will see and use their children's personal information. Therefore, the Commission has modified this provision accordingly. Operators who do not wish to designate a single contact may still minimize the length of the notice by including in the notice on the site a hyperlink to a separate page listing the information.<SUP>104</SUP> --------------------------------------------------------------------------- \103\ 64 FR at 22754, 22765. \104\ In response to two comments, the Commission notes that simply providing a hyperlink to the home pages of the other operators, however, would not provide adequate notice for parents. DMA (Comment 89) at 23-24; AOL (Comment 72) at 12. It would not only be burdensome for parents, but some entities that would be categorized as ``operators'' (i.e., those ``on whose behalf'' personal information was collected) may not even have websites. --------------------------------------------------------------------------- Several comments also noted that data-sharing relationships in the online world change quickly, sometimes on a weekly basis,<SUP>105</SUP> and that it would be burdensome for operators to revise their notices with each change, as the proposed Rule required, particularly in the case of the notice to the parent.<SUP>106</SUP> While the Commission believes that it is reasonable to expect operators to keep the notice on the site current, it agrees that it would be burdensome for operators to send numerous updated notices to parents. Therefore, as discussed in Section II.C.4, below, it has modified the Rule to require a new notice to the parent only where there will be a material change in the collection, use, and/or disclosure of personal information from the child. Thus, for example, if the operator plans to disclose the child's personal information to a new operator with different information practices than those disclosed in the original notice, then a new consent would be required.<SUP>107</SUP> --------------------------------------------------------------------------- \105\ PMA (Comment 107) at 7-8; DMA (Comment 89) at 23-24. See also McGraw-Hill (Comment 104) at 7. \106\ 64 FR at 22755. In the NPR, the Commission stated that additional notices to the parent would be required if the operator wished to disclose the child's personal information to parties not covered by the original consent, including parties created by a merger or other change in corporate structure. \107\ Marketing diet pills, for example, would be a materially different line of business than marketing stuffed animals. --------------------------------------------------------------------------- b. Section 312.4(b)(2)(ii). Under this section of the proposed Rule, operators were required to disclose the types of personal information collected from children and whether that information is collected directly or passively.<SUP>108</SUP> In the NPR, the Commission clarified that this section did not require operators to disclose to parents every specific piece of information collected from children, but rather the types or categories of personal information collected, like name, address, telephone number, social security number, hobbies, and investment information.<SUP>109</SUP> The Commission cautioned operators to use categories that were descriptive enough that parents could make an informed decision about whether to consent to the operator's collection and use of the information.<SUP>110</SUP> --------------------------------------------------------------------------- \108\ 64 FR at 22754, 22765. \109\ 64 FR at 22754. 110 Id. For example, stating ``We collect your child's name, e- mail address, information concerning his favorite sports, hobbies, and books'' would be sufficient under the Rule. It would not be necessary for the operator to state ``We ask for your child's name and e-mail address, and whether he likes to play baseball, soccer, football, or badminton. * * *'' --------------------------------------------------------------------------- Some commenters noted that the proposed Rule required operators to provide too much detail in the notice concerning the types of information collected from children.<SUP>111</SUP> These commenters felt that a more general notice would give the operator more flexibility to change its activities without having to return to the parent for additional consent.<SUP>112</SUP> The Commission believes that a more general notice may not reveal to parents that the operator collects information that the parent does not want discussed or divulged, like personal financial information. Therefore, the Commission is retaining this portion of the Rule. However, as noted above, these concerns should be alleviated by the Commission's amendment to the Rule regarding ``material changes.'' <SUP>113</SUP> --------------------------------------------------------------------------- \111\ McGraw-Hill (Comment 104) at 6-7; AAF (Comment 87) at 2. \112\ Id. \113\ See Section II.C.4, infra. In addition, as noted in note 9, supra, the Commission plans to develop educational materials to assist operators in complying with the Rule. --------------------------------------------------------------------------- c. Section 312.4(b)(2)(iii). Section 312.4(b)(2)(iii) of the proposed Rule required operators to notify parents about how their child's personal information ``is or may be used by the operator, including but not limited to fulfillment of a requested transaction, recordkeeping, marketing back to the child, or making it publicly available through a chat room or by other means.'' <SUP>114</SUP> In the NPR, the Commission noted that operators must provide enough information for parents to make informed decisions, without listing every specific or possible use of the information.<SUP>115</SUP> Many commenters expressed the view that the proposed Rule would require an operator to provide such detail that they would inevitably have to send new notices and obtain new consents for every minor change in the operator's practices.<SUP>116</SUP> Again, these concerns should be alleviated by the Rule amendment regarding ``material changes.'' See Section II.C.4, infra. --------------------------------------------------------------------------- \114\ 64 FR at 22754-55, 22765. \115\ 64 FR at 22754. \116\ See supra note 106 and accompanying text. --------------------------------------------------------------------------- Because this section of the proposed Rule referred only to ``the operator,'' one commenter asked how websites should address situations in which there are multiple operators collecting information through the site but who use children's personal information in different ways.<SUP>117</SUP> Specifically, the commenter asked whether each operator was required to post a separate notice, or whether a single notice could be used. Where there are multiple operators with different information [[Page 59896]] practices, there should be one notice summarizing all of the information practices that will govern the collection, use, and/or disclosure of children's personal information through the site. Thus, the Commission has modified the Rule to clarify that a discussion of all policies governing the use of children's information collected through the site should be included in the notice. --------------------------------------------------------------------------- \117\ Attorneys General (Comment 114) at 8. --------------------------------------------------------------------------- d. Section 312.4(b)(2)(iv). Under this provision of the proposed Rule, an operator was required to disclose whether children's personal information was disclosed to third parties, and if so, the types of business in which those third parties were engaged, as well as whether those third parties had agreed to maintain the confidentiality, security, and integrity of the personal information obtained from the operator.<SUP>118</SUP> In addition, the operator was required to notify the parent that he or she had the option of consenting to the operator's collection and use of the child's information without consenting to the disclosure of that information to third parties.<SUP>119</SUP> After reviewing all the relevant comments, the Commission has determined that no changes to this section are necessary. --------------------------------------------------------------------------- \118\ 64 FR at 22755. \119 \Id. For a more detailed discussion of withholding consent to the disclosure of personal information to third parties, see Section II.D.1, infra. --------------------------------------------------------------------------- One commenter noted that the COPPA ``requires only that an operator describe its own practices. * * *'' <SUP>120</SUP> The Commission believes that the information required in this section of the proposed Rule falls within the rubric of ``the operator's disclosure practices for such information.'' <SUP>121</SUP> Parents need to know the steps an operator has taken to ensure that third parties will protect their children's data in order to provide meaningful consent. --------------------------------------------------------------------------- \120\ DMA (Comment 89) at 24, citing 15 U.S.C. 6502(b)(1)(A)(i). \121\ 15 U.S.C. 6502(b)(1)(A)(i). --------------------------------------------------------------------------- Some commenters felt that providing information concerning the businesses engaged in by third parties would be overly burdensome.<SUP>122</SUP> Under this section, however, operators are not required to provide detailed information concerning third party businesses, but only to describe the ``types of business'' in which third parties who will receive children's information are engaged--for example, list brokering, advertising, magazine publishing, or retailing.<SUP>123</SUP> The Commission believes that it is not unduly burdensome to determine the general line of business of the companies with whom one does business. Moreover, this information will enable parents to provide meaningful consent to third party disclosures. --------------------------------------------------------------------------- \122\ See e.g., AAF (Comment 87) at 3; CBBB (Comment 91) at 11; PMA (Comment 107) at 8; TRUSTe (Comment 97) at 1. \123\ 64 FR at 22755. --------------------------------------------------------------------------- Commenters again pointed out that relationships between companies in the online environment change rapidly, which would make notices difficult to compose and keep current.<SUP>124</SUP> Changes in the identities of third parties would necessitate repeated notices to parents, burdening both the operator and the parent.<SUP>125</SUP> Another commenter suggested that rather than give notice of third parties' information practices, operators should be allowed simply to provide a warning to parents to review those practices.<SUP>126</SUP> Once again, these concerns should be alleviated by the fact that the disclosure is only of the types of businesses engaged in by third parties, and new notice and consent are required only if there has been a material change in the way that the operator collects, uses, and/or discloses personal information. See Section II.C.4, below. --------------------------------------------------------------------------- \124\ TRUSTe (Comment 97) at 1-2; McGraw-Hill (Comment 104) at 7; AAF (Comment 87) at 3; PMA (Comment 107) at 8. \125 \Id. \126\ CBBB (Comment 91) at 11. The Commission believes that requiring parents to search out this information, which may not even be available or accessible, would be unduly burdensome. --------------------------------------------------------------------------- Still other commenters stated that the Commission should require operators to disclose more detailed information regarding third parties' information practices than the proposed Rule required, including whether a third party has weaker standards than the operator.<SUP>127</SUP> The Commission believes that the proposed requirement--that operators state whether or not the third parties have agreed to maintain the confidentiality,<SUP>128</SUP> security, and integrity of children's data B strikes the appropriate balance between a parent's need for information and an operator's need for an efficient means of complying with the Rule. --------------------------------------------------------------------------- \127\ CME/CFA et al. (Comment 80) at 23-24; Electronic Privacy Information Center (``EPIC'') (Comment 115) at 8-9; Attorneys General (Comment 114) at 8. \128\ The Commission expects that third parties who have agreed to maintain the confidentiality of information received from operators will not disclose that information further. --------------------------------------------------------------------------- Alternatively, one of these commenters requested that operators be prohibited from disclosing children's personal information to any third party unless that party not only complies with the Act, but also has the same privacy policy as the operator.<SUP>129</SUP> The Act explicitly applies to ``any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child.'' <SUP>130</SUP> Therefore, the Commission cannot extend liability to third parties. --------------------------------------------------------------------------- \129\ CME/CFA et al. (Comment 80) at 23. See also CDT (Comment 81) at 23. \130\ 15 U.S.C. 6502(b)(1)(A). --------------------------------------------------------------------------- e. Section 312.4(b)(2)(v). Under Section 312.4(b)(2)(v) of the proposed Rule, operators were required to state in their notices that the Act prohibits them from conditioning a child's participation in an activity on the child's disclosing more personal information than is reasonably necessary to participate in that activity.<SUP>131</SUP> One commenter objected to including such a statement in the notice, on the grounds that it does not provide parents with helpful information.<SUP>132</SUP> The Commission believes that this information is material to parents and will assist them in evaluating the reasonableness of an operator's requests for information. Therefore, the Commission has decided to retain this provision. --------------------------------------------------------------------------- \131\ 15 U.S.C. 6502(b)(1)(C); 64 FR at 22755, 22765, citing 15 U.S.C. 6502(b)(1)(C). See also 64 FR at 22758, 22766. \132\ Mars (Comment 86) at 4. --------------------------------------------------------------------------- f. Section 312.4(b)(2)(vi). This section of the proposed Rule required operators to describe in the notice on the site parents' right to review personal information provided by their children.<SUP>133</SUP> It generally tracked the requirements in section 312.6 of the proposed Rule <SUP>134</SUP> by requiring notice of a parent's ability to review, make changes to, or have deleted the child's personal information. In the NPR, the Commission sought public comment on whether this information was needed in the notice on the site, or only in the notice to the parent.<SUP>135</SUP> --------------------------------------------------------------------------- \133\ 64 FR at 22755, 22765. \134\ 64 FR at 22757-58, 22766. For a detailed discussion of section 312.6, see Section II.E, infra. \135\ See 64 FR at 22762. --------------------------------------------------------------------------- Some commenters believed that it was only necessary to include this information in the notice to the parent, because it is only relevant once parents have consented to the collection of their children's information.<SUP>136</SUP> Other commenters, however, felt notice of parents' right to review children's information should be included in the notice on the site so that parents can evaluate a site while surfing with their children.<SUP>137</SUP> The Commission also notes [[Page 59897]] that if the parent accidentally deletes or misplaces the notice received from the operator, he or she would likely turn to the notice on the site for information on reviewing the child's information. If that information were not in the notice on the site, the parent may be foreclosed from exercising the right to review the child's information. Therefore, the Commission has retained this provision. --------------------------------------------------------------------------- \136\ DMA (Comment 89) at 19-20; PMA (Comment 107) at 8-9 (operator should be able to choose whether to include this information in the notice). \137\ Attorneys General (Comment 114) at 8-9; E.A. Bonnett (Comment 126) at 4; CBBB (Comment 91) at 12; CME/CFA et al. (Comment 80) at 24; TRUSTe (Comment 97) at 1-2. --------------------------------------------------------------------------- 4. Section 312.4(c): Notice to a Parent This provision of the proposed Rule required operators to ``make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives notice of an operator's practices with regard to the collection, use, and/or disclosure of the child's personal information, including any collection, use, and/or disclosure to which the parent has not previously consented.'' <SUP>138</SUP> After reviewing the relevant comments, the Commission has amended this provision to require new notice to the parent only when there is a material change in the way the operator collects, uses, and/or discloses personal information from the child. --------------------------------------------------------------------------- \138\ 64 FR at 22755, 22765. --------------------------------------------------------------------------- In the NPR, the Commission noted that ``reasonable efforts'' to provide a parent with notice under this section could include sending the notice to the parent by postal mail or e-mail, or having the child print out a form to give to the parent. These methods were intended to be non-exclusive examples.<SUP>139</SUP> The Commission also noted that operators must send the parent an updated notice and request for consent ``for any collection, use, or disclosure of his or her child's personal information not covered by a previous consent.'' <SUP>140</SUP> Examples of situations where new notice and request for consent would be needed included if the operator wished to use the information in a manner that was not included in the original notice, such as disclosing it to parties not covered by the original consent, including parties created by a merger or other corporate combination.<SUP>141</SUP> --------------------------------------------------------------------------- \139\ Id. One commenter requested that we include this information in the text of the Rule. DMA (Comment 89) at 27. The Commission believes that the performance standard enunciated in this provision is appropriate in light of the operator's need for flexibility and the additional protections that are provided by the parental consent requirement. As discussed below, the Rule provides more specific guidance as to the appropriate mechanisms for obtaining parental consent See Section II.D.2, infra. \140\ 64 FR at 22755, 22765 \141\ Id. --------------------------------------------------------------------------- Many commenters argued that the Commission's interpretation concerning when a new notice and request for consent would be required was burdensome and unnecessary.<SUP>142</SUP> Given the high rate of merger activity in this industry, the commenters asserted, operators would be required to send many additional notices to parents.<SUP>143</SUP> Moreover, commenters noted that many mergers do not change the nature of the business the operator engages in or how the operator uses personal information collected from children. Therefore, many additional notices to parents under the proposed interpretation of this provision would not provide parents with meaningful information. --------------------------------------------------------------------------- \142\ See, e.g., AOL (Comment 72) at 14-15; DMA (Comment 89) at 26; Kraft (Comment 67) at 2, 5-6. See also CBBB (Comment 91) at 13- 14. \143\ Id. --------------------------------------------------------------------------- The Commission agrees with these comments. In order to balance an operator's need for efficiency and parents' need for relevant information, the Commission has amended the Rule to require new notice and consent only when there is a material change in how the operator collects, uses, or discloses personal information from children. For example, if the operator obtained consent from the parent for the child to participate in games which required the submission of limited personal information but now wishes to offer chat rooms to the child, new notice and consent will be required. In addition, if an operator (e.g., a toy company) merged with another entity (e.g., a pharmaceutical company) and wished to use a child's personal information to market materially different products or services than those described in the original notice (e.g., diet pills rather than stuffed animals), new notice and consent would be required. Likewise, new notice and consent would be required to disclose the information to third parties engaged in materially different lines of business than those disclosed in the original notice (e.g., marketers of diet pills rather than marketers of stuffed animals). On the other hand, if the operator had parental consent to disclose the child's personal information to marketers of stuffed animals, it does not need to obtain a new consent to disclose that information to other marketers of stuffed animals. One commenter suggested that the Rule also requires the operator to obtain parental confirmation that the notice was received, either through a return e-mail or a business reply postcard.\144\ The Commission believes that this proposal would burden parents and operators without adding significantly to the protection of children online. In most cases, the operator's receipt of parental consent will serve as confirmation that the parent received the notice.\145\ Likewise, in most instances, if the parent does not receive the notice, then the operator simply will not receive consent. --------------------------------------------------------------------------- \144\ CME/CFA et al. (Comment 80) at 24-25. Similarly, one commenter noted that many parents share an e-mail account with their children. A & E Television Networks (``AETN'') (Comment 90) at 17- 18. In these situations, the commenter argued, it would be impossible for the operator to determine whether the notice has been received by the parent. Id. In many cases, however, the children will have the incentive to give the notice to the parent in order to obtain parental consent. Further, as noted above, in most cases, the operator's receipt of parental consent will confirm that the parent has received the notice. \145\ See Section II.D.2 infra, for a detailed discussion of the requirements for obtaining verifiable parental consent under Section 312.5 of the Rule. --------------------------------------------------------------------------- One commenter suggested that the Commission permit the notice to the parent to take the form of an e-mail with an embedded hyperlink to the notice on the site.\146\ In response, the Commission notes that the notice to the parent must contain additional information that is not required in the notice on the site.\147\ However, as long as the additional, required information is clearly communicated to parents in the e-mail, and the hyperlink to the notice on the site is clear and prominent, operators may include the hyperlink to the notice on the site in an e-mail to parents. --------------------------------------------------------------------------- \146\ Mars (Comment 86) at 12. \147\ For example, the notice to the parent must contain information concerning how to provide parental consent (section 312.4(c)(1)(ii)). --------------------------------------------------------------------------- a. Section 312.4(c)(1) (i) and (ii): information in the notice to a parent. The proposed Rule required an operator's notice to a parent to include all the information included in the notice on the site (section 312.4(c)(1)(i)(B)), as well as additional information. In cases that do not implicate one of the exceptions to prior parental consent under section 312.5(c), an operator must tell the parent that he or she wishes to collect personal information from the child (section 312.4(c)(1)(i)(A)) and may not do so unless and until the parent consents, and the operator must describe the means by which the parent can provide that consent (section 312.4(c)(1)(ii)).\148\ --------------------------------------------------------------------------- \148\ 64 FR at 22755, 22765. One commenter thought that the notice should also inform parents that they have the option of denying consent. CME/CFA et al. (Comment 80) at 12. The Commission believes that a right of refusal is implied in a request for consent, and therefore is not modifying this provision. --------------------------------------------------------------------------- In the NPR, the Commission requested public comment on whether there was additional information that [[Page 59898]] should be included in the notice.\149\ One commenter suggested that the notice include a statement recommending that parents warn their children not to post personal information in chat rooms or other public venues.\150\ While the Commission does not believe this information should be required in the notice under the COPPA, it strongly encourages parents, operators, and educators to teach children about the dangers of posting personal information in public fora. After reviewing the comments concerning these provisions, the Commission believes that no changes are necessary. --------------------------------------------------------------------------- \149\ 64 FR at 22762. \150\ CBBB (Comment 91) at 13. --------------------------------------------------------------------------- b. Section 312.4(c)(1)(iii) and (iv): Notices under the multiple- contact exception, section 312.5(c)(3), and the child safety exception, section 312.5(c)(4). In cases where an operator wishes to collect a child's name and online contact information for purposes of responding more than once to a specific request of the child under Section 312.5(c)(3), or for the purpose of protecting the safety of a child participating on the website or online service under Section 312.5(c)(4), the operator was required to provide notice to the parent, with an opportunity to opt out of future use or maintenance of the child's personal information. Section 312.4(c)(1) (iii) and (iv) required the operator to notify the parent of the operator's intended use of the information, the parent's right to refuse to permit further contact with the child, or further use or maintenance of the information, and that ``if the parent fails to respond to the notice, the operator may use the information for the purpose(s) stated in the notice.'' \151\ The Commission received only one comment regarding this provision \152\ and has determined that no changes are necessary. --------------------------------------------------------------------------- \151\ 64 FR at 22756, 22765. \152\ CME/CFA et al. (Comment 80) at 12 (generally requesting more information in the notices). --------------------------------------------------------------------------- Because the types of contact with children covered under section 312.5(c) (3) and (4) do not require a parent's affirmative consent, the operator must clearly notify the parent that, in these instances, if the parent fails to respond to the notice, the operator may use the information for the purpose stated in the notice.\153\ The Commission expects operators to process in a timely manner responses from parents prohibiting the use of their children's information. --------------------------------------------------------------------------- \153\ 64 FR at 22757, 22765-66. --------------------------------------------------------------------------- D. Section 312.5: Verifiable Parental Consent 1. Section 312.5(a): General Requirements Section 312.5(a) of the proposed Rule set forth two requirements: (1) That operators obtain verifiable parental consent before any collection, use, or disclosure of personal information from children, including any collection, use and/or disclosure to which the parent had not previously consented; and (2) that the operator give the parent the option to consent to collection and use of the child's personal information without consenting to its disclosure to third parties.\154\ In the NPR, the Commission also stated that, because the Act required parental consent prior to any collection, use, and/or disclosure, the parental consent requirement applied to the subsequent use or disclosure of information already in possession of an operator as of the effective date of the proposed Rule.\155\ --------------------------------------------------------------------------- \154\ 64 FR at 22756, 22765. \155\ Id. at 22751. --------------------------------------------------------------------------- Commenters generally supported the principle of prior parental consent.\156\ However, several argued that, by requiring parental consent for future use of information collected before the effective date of the Rule, the Commission was attempting to apply the Act retroactively.\157\ They also stated that it would be extremely costly and burdensome to obtain consent for information collected years ago, especially in instances where they were unaware of a child's past or current age or had no information on how to contact the parents.\158\ The Commission is persuaded that the Act should not be interpreted to cover information collected prior to its effective date. While the Act clearly gives parents control over the use and disclosure of information, and not just its collection,\159\ it also appears to contemplate that such control be exercised only with regard to information ``collected'' under the Act--i.e., collected after the Act's effective date.\160\ Further, the Commission believes that it could be difficult and expensive for operators to provide notice and consent for information collected prior to the Rule's effective date. Therefore, the Commission has eliminated this requirement from the Rule. --------------------------------------------------------------------------- \156\ See, e.g., Gail Robinson (Comment 132); Tessin J. Ray (Comment 131); BAWSELADI (Comment 133); Deb Drellack (Comment 20); Valorie Wood (Comment 36); Deanie Billings (Comment 37); Nancy C. Zink (Comment 38); Susan R. Robinson (Comment 42); Joyce Patterson (Comment 43); Elaine Bumpus (Comment 44); Greg Anderson (Comment 46); Deanna (Comment 47); Mark E. Clark (Comment 48); Sue Bray (Comment 50); Cindy L. Hitchcock (Comment 55); Stephanie Brown (Comment 50); Samantha Hart (Comment 59); Tammy Howell (Comment 59); Jean Hughes (Comment 60); dinky (Comment 61); PrivaSeek (Comment 112) at 2; CDT (Comment 81) at 25; Consumers Union (Comment 116) at 1; EPIC (Comment 115) at 5, 9; FreeZone (IRFA comment 01) at 2; Kidsonline.com (IRFA comment 02) at 1; AAF (Comment 87) at 2; CBBB (Comment 91) at 1-2; CARU (Workshop comment 08) at 3; AAAA (Comment 134) at 2, 5; Mars (Comment 86) at 1; Time Warner (Comment 78) at 10; Viacom (Comment 79) at 9-10; Children's Television Workshop (``CTW'') (Comment 84) at 2, 6. See also 144 Cong. Rec. at S11659 (List of Supporters of Children's Internet Privacy Language). \157\ DMA (citing Landgraf v. U.S. Film Products, 511 U.S. 244 (1994)). See also EdPress (Comment 130) at 2; AAF (Comment 87) at 3- 4; ANA (Comment 93) at 3-4; Grolier Enterprises (Comment 111) at 4; IDSA (Comment 103) at 7-8; McGraw-Hill (Comment 104) at 5; MPA (Comment 113) at 4; NRF (Comment 95) at 1-2; Time Warner Inc. (Comment 78) at 3-4; Walt Disney Company and Infoseek Corp. (``Disney, et al.'') (Comment 82) at 12-13. \158\ IDSA (Comment 103) at 7; TRUSTe (Comment 97) at 2-3. \159\ See, e.g., 15 U.S.C. 6502(b)(1)(B)(ii) (giving parents the opportunity at any time to refuse to permit further use, disclosure, or maintenance of information collected from their children); 15 U.S.C. 6502(b)(1)(A)(ii) (requiring operators to obtain verifiable parental consent for the collection, use, and/or disclosure of personal information from children). \160\ See 144 Cong. Rec. at S11658 (Statement of Sen. Bryan) (stating that parents can opt out of further collection, use, or maintenance of their child's information and that ``[t]he opt out * * * operates as a revocation of consent that the parent has previously given''). --------------------------------------------------------------------------- The Commission notes, however, that notwithstanding any prior relationship that an operator has with the child, any collection of ``personal information'' by the operator after the effective date is covered by the Rule. Thus, for example, if an operator collected a child's name and e-mail address before the effective date, but sought information regarding the child's street address after the effective date, the later collection would trigger the Rule's requirements. Similarly, if after the effective date, an operator continued to offer activities involving the ongoing collection and disclosure of personal information from children (e.g., a chatroom or message board), or began offering such activities for the first time, notice and consent would be required for all participating children regardless of whether they had previously registered or participated at the site. The Commission also notes that, for information collected prior to the effective date of the Rule, it retains the authority to pursue unfair or deceptive acts or practices under Section 5 of the Federal Trade Commission Act. Thus, the Commission will continue to examine information practices in use before the effective date of the COPPA for deception and unfairness, and will [[Page 59899]] pursue enforcement in appropriate circumstances.\161\ --------------------------------------------------------------------------- \161\ See GeoCities, Docket No. C-3849 (Final Order Feb. 12, 1999); Liberty Financial Cos., Inc., Docket No. C-3891 (Final Order Aug. 12, 1999). See also Staff Opinion Letter, July 17, 1997, issued in response to a petition filed by the Center for Media Education, at <www.ftc.gov/os/1997/9707/cenmed.htm>. --------------------------------------------------------------------------- Many commenters also objected to the requirement that operators obtain a new parental consent for any changes to the collection, use, and/or disclosure practices which were the subject of a previous consent.\162\ As in the notice section of the Rule,\163\ they argued that notification of minor changes would be extremely burdensome, especially in light of constant changes taking place in the online world, and unnecessary to achieve the purposes of the COPPA.\164\ As noted above, the Commission agrees that the proposed requirement is unduly broad and would be overly burdensome, and is therefore amending the Rule to make clear that a new parental consent is required only if there is a material change in the operator's collection, use, and/or disclosure practices. --------------------------------------------------------------------------- \162\ IDSA (Comment 103) at 5-6; CBBB (Comment 91) at 13-14; DMA (Comment 89) at 26; Aftab & Savitt (Comment 118) at 5; ANA (Comment 93) at 6-7. \163\ See Section II.C.4, supra. \164\ One commenter supported this provision on the basis that not requiring it would render parental consent meaningless. Attorneys General (Comment 114) at 10. However, even one commenter who supported the requirement still expressed concern that parents might be ``badgered'' by too many of these requests. CME/CFA et al. (Comment 80) at 13. --------------------------------------------------------------------------- Finally, some commenters objected to the proposed Rule's requirement that parents be given an opportunity to provide consent for the collection and use of information without consenting to its disclosure to third parties.\165\ Commenters argued that this requirement is not included in the COPPA and that it interferes with an operator's right under the COPPA to terminate service to a child whose parent refuses to permit further use, maintenance, or collection of the data.\166\ Other commenters supported this requirement as important to the protection of children's privacy.\167\ --------------------------------------------------------------------------- \165\ Section 312.5(a)(2). See, e.g., DMA (Comment 89) at 25; NRF (Comment 95) at 4; McGraw-Hill (Comment 104) at 7; PMA (Comment 107) at 11. \166\ ANA (Comment 93) at 6; IDSA (Comment 103) at 4-5; DMA (Comment 89) at 25; PMA (Comment 107) at 11 (all referring to section 312.6(c) of the proposed Rule and 15 U.S.C. 6502(b)(3)). The purpose of that provision was to enable operators to offer some online activities that require children to provide personal information, e.g., chat rooms, which may require the operator to collect an e-mail address for security purposes. Under that provision, operators may bar children whose parents have revoked consent for the operator's use of the necessary information from participating in those activities. The Commission does not believe that disclosure to outside parties--other than those, such as fulfillment services, that provide support for the internal operations of the website--is reasonably necessary for an operator to provide online activities. \167\ EPIC (Comment 115) at 9-10; Junkbusters (Comment 66) at 1. See also CDT (Comment 81) at 25; CME/CFA et al. (Comment 80) at 13; Sovern (Comment 33) at 4; Mars (Comment 86) at 12-13; TRUSTe (Comment 97) at 2. --------------------------------------------------------------------------- The Commission believes that giving parents a choice about whether information can be disclosed to third parties implements the clear goals of the COPPA to give parents more control over their children's personal information, limit the unnecessary collection and dissemination of that information, and preserve children's access to the online medium.\168\ The Act requires consent for the collection, use, or disclosure of information,\169\ thus expressing the intent that parents be able to control all of these practices. Although the Act does not explicitly grant parents a separate right to control disclosures to third parties, the Commission believes that this is a reasonable and appropriate construction of the Act, particularly in light of the rulemaking record and other considerations. --------------------------------------------------------------------------- \168\ See, e.g., 144 Cong. Rec. at S11657, S11658 (Statement of Sen. Bryan). \169\ 15 U.S.C. 6502(b)(1)(A)(ii). --------------------------------------------------------------------------- Indeed, the record shows that disclosures to third parties are among the most sensitive and potentially risky uses of children's personal information.\170\ This is especially true in light of the fact that children lose even the protections of the Act once their information is disclosed to third parties.\171\ The Commission believes that these risks warrant providing parents with the ability to prevent disclosures to third parties without foreclosing their children from participating in online activities. In addition, the Act prohibits collecting more information than is reasonably necessary to participate in an activity,\172\ showing Congressional intent to limit information practices (such as disclosures to third parties) that do not facilitate a child's experience at the site. Finally, the Commission believes that allowing parents to limit disclosures to third parties will increase the likelihood that they will grant consent for other activities and therefore preserve children's access to the medium.\173\ --------------------------------------------------------------------------- \170\ See CME/CFA et al. (Comment 80) at 26-27; Mars (Comment 86) at 13; Kraft (Comment 67) at 4-5; Viacom (Comment 79) at 13-14. See also Attorneys General (Comment 114) at 4 (citing 1997 survey showing that 97% of parents whose children use the Internet believe that website operators should not sell or rent children's personal information). \171\ Thus, for example, parents cannot access information in the possession of third parties, or require that it be deleted, as they can for operators subject to the Rule. See 15 U.S.C. 6502(b)(1)(B)(ii),(iii). Nor can they prohibit future use of information in the possession of third parties. Compare 15 U.S.C. 6502(b)(1)(B)(ii). In fact, parents are likely to be unaware of the identities and specific information practices of many of the third parties that obtain their children's information. See Section II.C.3.d, supra (operators need only disclose types of business engaged in by third parties and whether those third parties have agreed to maintain the confidentiality, security, and integrity of personal information received from operator). \172\ 15 U.S.C. 6502(b)(1)(C) (prohibiting an operator from conditioning participation on the disclosure of more information than necessary to participate in an activity). \173\ One study found that 97% of parents online did not want their children's information disclosed to third parties, suggesting that those parents would be more likely to grant consent if they could limit such disclosures. Louis Harris & Associates and Dr. Alan F. Westin, ``Commerce, Communication, and Privacy Online: A National Survey of Computer Users,'' 1997, at 75. --------------------------------------------------------------------------- Thus, the Commission believes that providing parents with a choice about whether their children's information can be disclosed to third parties is within the authority granted by the COPPA, consistent with the rulemaking record, and important to the protection of children's privacy. The Commission is therefore retaining this provision. 2. Section 312.5(b): Mechanisms Section 312.5(b) of the proposed Rule required that operators make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology.\174\ Consistent with the language of the COPPA, the proposed Rule further clarified that the methods used to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.\175\ I